HackTheBox - Oopsie Writeup | SH∆FIQ∆IM∆N

Enumeration

Top 1000 ports scan

nmap -sC -sV -oN nmap/inital 10.10.10.28

nmap initial scan

all ports scan

nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.28

nmap allports scan

Still the same result
Open ports
- port 22 / ssh
- port 80 / http

The Website

MegaCorp Automotive webpage

Gobuster

Auto recon in the background
looking the hidden directory

gobuster dir -u http://10.10.10.28 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -o gobuster.log

The result

gobuster

This webpage have an upload directory.

Found something insteresting in the source code

view source code

the directory into /cdn-cgi/login/script.js
navigate into http://10.10.10.28/cdn-cgi/login
found the login page

Got the credentials in previous box called Archetype in official pdf
Successfully login as admin

admin webpage

Can’t Upload

navigate to the upload page
it says super admin have right to view it

can’t view upload page

The ID

id parameter

This page appear to be user table base on the id parameter in the link
Making python script for IDs brute-force

Foothold/Gaining Access

Python Script

python script for ID brute force
need cookies for authentication

#!/usr/bin/env python3

import requests

for i in range(101):
    url = f"http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id={i}"
    c = {'user':'34322','role':'admin'}
    r = requests.get(url, cookies=c)

    if len(r.content) == 3595: # nothing appear just pass it
        pass
    else:
        print(f"Check this ID out {i}")
print("Done")

The result

brute-force id

Here is the ID lead to (in order)

{'access id':'34322','name':'admin','email':'[email protected]'}
{'access id':'8832','name':'john','email':'[email protected]'}
{'access id':'57633','name':'Peter','email':'[email protected]'}
{'access id':'28832','name':'Rafol','email':'[email protected]'}
{'access id':'xxxxx','name':'super admin','email':'[email protected]'}

Upload as super admin

Found the super admin table

found superadmin table

Turns out the Access ID it is the cookie value
Change the admin cookies into super admin

admin cookie before

superadmin cookie after refresh the page

Reverse Shell

Upload the php reverse shell
- Here is the source

upload php reverse shell

Activated the reverse shell
- through this link

execute the shell

Got the shell

shell as www-data

www-data

Found the credentials in file called db.php
in /var/www/html/cdn-cgi/login/db.php

found robert credentials

Robert

change user to robert

User Flag

user flag

Find the SUID
The command for find it

find / -user root -perm -4000 -exec ls {} \; 2>/dev/null

Found weird binary that not suppose to be there

find all SUID

Privilege Escalation

Bugtracker

This is how it works
However it says no such file or directory

cat error

Try strings out the binary
Turns out this binary use cat command
However this is use relative path

strings bugtracker

explain the relative & absolute path

relative & absolute path differences

Relative Path Abused

Make a fake cat command
- by puting /bin/bash in it
- the bugtracker binary will execute this fake file as root
- source for relative path abused

shell as root

Root Flag

root flag

Conclusion

I’ve learned a lot today. Never put the user ID as cookies value and make sure you configure the website properly. Lastly, make sure to configure the SUID binary carefully and do not put any untrust or unpatched version as SUID

I have a fun time doing this machine and I hope you guys too. Bye ;)

Enumeration#

The Website#

Gobuster#

Login Page#

Can’t Upload#

The ID#

Foothold/Gaining Access#

Python Script#

Upload as super admin#

Reverse Shell#

www-data#

Robert#

User Flag#

Privilege Escalation#

Bugtracker#

Relative Path Abused#

Root Flag#

Conclusion#