HackTheBox - Oopsie Writeup
Contents
Box author | MrR3boot
Enumeration
- Top 1000 ports scan
|
|
- all ports scan
|
|
- Still the same result
- Open ports
- port 22 / ssh
- port 80 / http
The Website
Gobuster
- Auto recon in the background
- looking the hidden directory
|
|
- The result
This webpage have an upload directory.
Login Page
- Found something insteresting in the source code
- the directory into
/cdn-cgi/login/script.js
- navigate into
http://10.10.10.28/cdn-cgi/login
- found the login page
- Got the credentials in previous box called Archetype in official pdf
- Successfully login as admin
Can’t Upload
- navigate to the upload page
- it says
super admin
have right to view it
The ID
- This page appear to be
user table
base on theid parameter
in the link - Making
python script
for IDs brute-force
Foothold/Gaining Access
Python Script
- python script for ID brute force
- need cookies for authentication
|
|
- The result
- Here is the ID lead to (in order)
|
|
Upload as super admin
- Found the super admin table
- Turns out the
Access ID
it is thecookie value
- Change the admin cookies into super admin
before
after refresh the page
Reverse Shell
- Upload the php reverse shell
- Activated the reverse shell
- through this link
- Got the shell
www-data
- Found the credentials in file called
db.php
- in
/var/www/html/cdn-cgi/login/db.php
Robert
- Login as robert
User Flag
- Find the SUID
- The command for find it
|
|
- Found weird binary that not suppose to be there
Privilege Escalation
Bugtracker
- This is how it works
- However it says
no such file or directory
- Try
strings
out the binary - Turns out this binary use
cat command
- However this is use relative path
- explain the
relative & absolute path
Relative Path Abused
- Make a fake
cat command
- by puting
/bin/bash
in it - the bugtracker binary will execute this fake file as
root
- source for relative path abused
- by puting
Root Flag
Conclusion
I’ve learned a lot today. Never put the user ID as cookies value and make sure you configure the website properly. Lastly, make sure to configure the SUID binary carefully and do not put any untrust or unpatched version as SUID
I have a fun time doing this machine and I hope you guys too. Bye ;)