HackTheBox - Oopsie Writeup

SH∆FIQ∆IM∆N
July 20, 2021

Enumeration

  • Top 1000 ports scan
nmap -sC -sV -oN nmap/inital 10.10.10.28

[image: nmap initial scan]

  • All ports scan
nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.28

[image: nmap all ports scan]

  • Still the same result
  • Open ports
    • port 22 / ssh
    • port 80 / http

The Website

[image: MegaCorp Automotive webpage]

Gobuster

  • Auto recon running in the background
  • Looking for hidden directories
gobuster dir -u http://10.10.10.28 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -o gobuster.log
  • The result

[image: gobuster result]

This webpage has an upload directory.

Login Page

  • Found something interesting in the source code

[image: view source code]

  • The source references the script at /cdn-cgi/login/script.js
  • Navigate to http://10.10.10.28/cdn-cgi/login
  • Found the login page

[image: login page]

  • Got the credentials from the previous box, Archetype, in the official PDF
  • Successfully logged in as admin

[image: admin webpage]

Can’t Upload

  • Navigate to the upload page
  • It says only the super admin has the right to view it

[image: can't view upload page]

The ID

[image: id parameter]

  • This page appears to be a user table, selected by the id parameter in the link
  • Making a Python script to brute-force the IDs

Foothold/Gaining Access

Python Script

  • Python script to brute-force the IDs
  • Needs the session cookies for authentication
#!/usr/bin/env python3
import requests

# Cookies copied from the admin session: user = access id, role = admin
c = {'user': '34322', 'role': 'admin'}

for i in range(101):
    url = f"http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id={i}"
    r = requests.get(url, cookies=c)
    if len(r.content) == 3595:  # an empty table page has this size, so skip it
        pass
    else:
        print(f"Check this ID out {i}")
print("Done")
  • The result

[image: brute-force id]

  • Here is what each ID leads to (in order)
{'access id':'34322','name':'admin','email':'[email protected]'}
{'access id':'8832','name':'john','email':'[email protected]'}
{'access id':'57633','name':'Peter','email':'[email protected]'}
{'access id':'28832','name':'Rafol','email':'[email protected]'}
{'access id':'xxxxx','name':'super admin','email':'[email protected]'}

Upload as super admin

  • Found the super admin table

[image: found super admin table]

  • Turns out the Access ID is the cookie value
  • Change the admin cookie to the super admin's
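The two defects this section relies on are that the cookie carries the raw access id and that the id parameter returns any row. The following is an added example, not the box's code, of a hypothetical server-side handler that fixes both: the cookie is an opaque random token that only maps to an account on the server, and every account lookup is authorized against the caller. The account table and the super admin's access id placeholder are constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not the box's code): what the account page should have done.

Sessions are opaque random tokens stored server-side, so a forged cookie such
as "34322" resolves to nothing, and get_account() checks that the caller may
see the requested row, so looping over id=0..100 no longer enumerates users.
"""
import secrets
from typing import Dict, List, Optional

# Constructed account table mirroring the rows enumerated in the writeup.
# The super admin's access id is a placeholder; the real value is not reproduced.
ACCOUNTS: Dict[int, dict] = {
    1: {"access_id": "34322", "name": "admin", "role": "admin"},
    2: {"access_id": "8832", "name": "john", "role": "admin"},
    3: {"access_id": "57633", "name": "Peter", "role": "admin"},
    4: {"access_id": "28832", "name": "Rafol", "role": "admin"},
    5: {"access_id": "SUPERADMIN_ID_PLACEHOLDER", "name": "super admin", "role": "super admin"},
}

# Server-side session store: opaque token -> internal account row id.
SESSIONS: Dict[str, int] = {}


def issue_session(account_id: int) -> str:
    """Called after a successful password check; returns the cookie value.

    32 random bytes (256 bits) from the OS CSPRNG: nothing about the user
    (access id, role) is encoded in the cookie, so it cannot be edited into
    another identity.
    """
    if account_id not in ACCOUNTS:
        raise KeyError("unknown account")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def current_account(cookie: Optional[str]) -> Optional[int]:
    """Resolve the cookie to an account id, or None if it is not a live session."""
    if not cookie:
        return None
    return SESSIONS.get(cookie)


def get_account(cookie: Optional[str], requested_id: int) -> Optional[dict]:
    """Authorization check for ?content=accounts&id=<requested_id>.

    Returns the row only if the caller is that account or is a super admin;
    otherwise None (the real app would render a 403 or an empty page).
    """
    caller = current_account(cookie)
    if caller is None:
        return None
    row = ACCOUNTS.get(requested_id)
    if row is None:
        return None
    if caller == requested_id or ACCOUNTS[caller]["role"] == "super admin":
        return row
    return None


def visible_ids(cookie: Optional[str], max_id: int = 100) -> List[int]:
    """Replay the writeup's loop over id=0..max_id against the fixed handler.

    With the check in place an ordinary admin only ever sees their own row.
    """
    return [i for i in range(max_id + 1) if get_account(cookie, i) is not None]


if __name__ == "__main__":
    admin_cookie = issue_session(1)
    print("admin sees:", visible_ids(admin_cookie))
    print("forged access-id cookie sees:", visible_ids("34322"))
    print("super admin sees:", visible_ids(issue_session(5)))
```

The role must live server-side next to the session too; a role=admin cookie is just as editable as the access id. In a real deployment the session cookie would additionally be set with HttpOnly, Secure and SameSite, and tokens would expire.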

[image: admin cookie]

Before

[image: super admin cookie]

After refreshing the page

Reverse Shell

[image: upload php reverse shell]

  • Triggered the reverse shell
    • by visiting this link

[image: execute the shell]

  • Got the shell

[image: shell as www-data]

www-data

  • Found the credentials in a file called db.php
  • at /var/www/html/cdn-cgi/login/db.php

[image: found robert's credentials]

Robert

  • Log in as robert

[image: change user to robert]

User Flag

[image: user flag]

  • Find the SUID binaries
  • The command to find them
find / -user root -perm -4000 -exec ls {} \; 2>/dev/null
  • Found a weird binary that is not supposed to be there

[image: find all SUID]

Privilege Escalation

Bugtracker

  • This is how it works
  • However, it says "No such file or directory"

[image: cat error]

  • Try running strings on the binary
  • Turns out this binary uses the cat command
  • However, it calls it by a relative path

[image: strings bugtracker]

  • Explaining the difference between relative and absolute paths
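The find and strings steps above can be automated into an audit that any administrator can run: list root-owned SUID files and flag strings that look like a command invoked by bare name, which the kernel resolves through the caller's PATH instead of a fixed location. This is an added example, not the box's tooling; the command list, the heuristic and the sample strings are constructed for it, and the sample is a stand-in for strings(1) output rather than a dump of the real bugtracker binary.

```python
#!/usr/bin/env python3
"""Added example (not the box's tooling): audit root-owned SUID binaries for
helper commands referenced by bare name instead of absolute path.

A SUID program that runs "cat ..." lets the invoking user decide which cat is
found via PATH. The fix on the program side is to call /bin/cat (and sanitize
the environment) or to not be SUID at all; this script just finds candidates.
"""
import os
import re
import stat
from typing import Iterable, Iterator, List

# Constructed list of commands that helper binaries commonly shell out to.
KNOWN_COMMANDS = {"cat", "sh", "bash", "ls", "cp", "mv", "rm", "tar", "gzip",
                  "find", "grep", "awk", "sed", "chmod", "chown", "id", "whoami"}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal reimplementation of strings(1): runs of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def flag_relative_invocations(strings: Iterable[str]) -> List[str]:
    """Return strings whose first token is a known command written without a path.

    "/bin/cat /var/log/x" passes; "cat /var/log/x" is flagged because "cat"
    will be resolved through PATH at run time.
    """
    hits = []
    for s in strings:
        tokens = s.strip().split()
        if tokens and tokens[0] in KNOWN_COMMANDS:
            hits.append(s)
    return hits


def is_suid_root(path: str) -> bool:
    """True if path is a regular file owned by root with the setuid bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def iter_suid_root(root: str = "/") -> Iterator[str]:
    """Walk the filesystem and yield root-owned SUID files (the find(1) step)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if is_suid_root(p):
                yield p


def audit_binary(path: str) -> List[str]:
    """Flagged strings for one binary; an empty list means nothing suspicious."""
    with open(path, "rb") as f:
        return flag_relative_invocations(extract_strings(f.read()))


# Constructed stand-in for strings(1) output of a bugtracker-like SUID helper.
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "Bug tracker (constructed sample)",
    "Provide bug id: ",
    "cat /var/log/bugs/",        # bare "cat": resolved via PATH, flagged
    "/bin/cat /var/log/syslog",  # absolute path: not flagged
    "setuid",
]


if __name__ == "__main__":
    print("sample hits:", flag_relative_invocations(SAMPLE_STRINGS))
    for path in iter_suid_root("/"):
        hits = audit_binary(path)
        if hits:
            print(path, "->", hits)
```

The string heuristic is a triage aid, not proof: a usage message containing "id" on its own is flagged too, so each hit still needs a look at how the binary actually invokes the command. The remediation the conclusion points at is on the binary's side: absolute paths for every helper, a fixed PATH set before exec, and no SUID bit on anything not written with that in mind.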

[image: relative & absolute path differences]

Relative Path Abused

[image: shell as root]

Root Flag

[image: root flag]

Conclusion

I’ve learned a lot today. Never put the user ID as the cookie value, and make sure you configure the website properly. Lastly, make sure to configure SUID binaries carefully and do not set any untrusted or unpatched version as SUID.

I had a fun time doing this machine and I hope you guys did too. Bye ;)