Oopsie Walkthrough

After the Archetype Walkthrough, here i'm with Oopsie box. Let's hack and grab the flags.

In ours pervious Archetype Walkthrough, I mentioned that the starting point machines are a series of 9 easily rated machines that should be rooted in a sequence. So it means, if you need to go through this box, you must have a complete Archetype machine.

Enough talks πŸ₯±, let's start to hack. πŸ±β€πŸ’»

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! πŸ±β€πŸ‘€

00. Start Machine …

To start machine, Just click "Join Machine".

Start Oopsie Machine

Then you can see the IP address for that machine. usually it is 10.10.10.28 🀠

10.10.10.28

Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success!

As a ping result, It's TTL=63. There is one route between machine and us (VPN) so it's definitely it will be Linux machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.

Here is the output πŸ‘‡

Now we know which ports are open, Here we can see some * (Interesting) ports.

01.2 Run Nmap Scripting Engine

To get the best result we can run the Nmap Scripting Engine for all open ports. Now we know all the open ports. So we can point out and run the script engine as fast as possible.

I have some trick to identify the Operating System using SSH version. I got it from IppSec's walkthroughs. Thanks IppSec for your valuable walkthroughs πŸ™. Here is the trick. If you see the SSH version like "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3" just copy it and search through google. In the search results you can find domain called launchpad.net. It contains some important details like Ubuntu Releases, last update, publishing details and more important is builds. Likewise, in this case it is Bionic.

OpenSSH 7.6p1 Ubuntu 4ubuntu0.3

Now we know the operating system is Ubuntu and we have open ports 22 (SSH) and 80 (HTTP). Let's go to the port 80 first.

01.3 Discover more on port 80

Open web browser and Burp Suite. Type http://10.10.10.28/

http://10.10.10.28

Here we got a nice landing page. First thing first; view source code and look if we have any interesting things. Unfortunately, nothing interesting found. Then we can see the traffic on burp.

Traffic on burp

In here, you can find some endpoint, so let's jump into it.

But I got nothing, it's just a blank page. Hmm, what about "http://10.10.10.28/cdn-cgi/login/" ah, let's check...

http://10.10.10.28/cdn-cgi/login/

It contains a login page. lets check basic default username password like,

  • admin : admin

  • admin : admin123

  • admin : password

  • admin : pa$$w0rd

Nothing worked.😒 Oh wait, wait.. Do you remember we got some password at the end of Archetype machine? Try to remember, it was "MEGACORP_4dm1n!!". Let's check this one as well.

admin : MEGACORP_4dm1n!!

http://10.10.10.28/cdn-cgi/login/admin.php

We got our admin panel. and now it's time to check page source. so let's check page source.

view-source:http://10.10.10.28/cdn-cgi/login/admin.php

Here we have some interesting links. let's check one-by-one.

http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads

In upload section they say "if you need to upload anything, please be a superadmin !". hmm ok let's check other ones.

http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1

Oh!, now I smell some IDOR vulnerability. Isn't it ?? Let's check ..

IDOR in id=1

I send this request to burp intruder and change settings like below πŸ‘‡

Intruder options - Payload Positions
Intruder options - Payload Options

Let's start the attack.

Attack Result Set

Above I sorted the output result by the length, There are more users and now I got a super admin Access ID and Email. So let's jump back to the upload section again. But now we intercept the web traffic through burp proxy.

When you refresh the page you can see the cookie contain something like user id and role. so let's alter those values by super admin and then click forward the traffic.

I was done this using match and replace method on burp. it will be more quick rather than intercept request one by one.

Burp Match and Replace

02. Foothold

Let's bump to the upload page, and now it accessible.

Let's check whether we can upload PHP web shell or what kind of file type are they need to be uploaded. First copy the PHP Reverse shell to our current directory.

Then we can open that php-reverse-shell.php whatever text editor you like and edit the below changes. πŸ‘‡

And I rename that file to hiddenwiki.php. Let's upload the file.

Note : You must change the cookie to super admin do upload the file. but in my case it is auto replace by burp match and replace.

File has been uploaded, Now we need to find where the file is.

We have lots of fuzzing tools, but I personally love Mauro Soria's Dirsearch tool. it has amazing output and also can customize the script because it was written using python3. For the wordlist I used Daniel Miessler's SecLists.

Now power up the dirsearch tool and wait for the results.

From the beginning of the results we got directory called uploads.

Now it's time to powerup netcat listener and we can use curl command to fetch the uploaded file.

We land a shell as www-data and proceed to upgrade it. Type below command to spawn our shell πŸ‘‡

First check web user directory where it has some interesting information.

Here we found db.php file in /var/www/html/cdn-cgi/login directory. let's view this file.

Oh! here we found new user credentials.

  • robert:M3g4C0rpUs3r!

So let’s access Robert’s user, providing the password found. su robert

Yes it works and now we are in robert user. we can view our user flag now. Let's check and submit it to HTB.

03. Privilege Escalation

Now we are on the last step. we need to find root flag.

Now we are robert. So again, look around the file system, First we can use id command to verify in which user group we are now. Let's check it.

As above result; we see that this robert is part of a bugtrack group. Now let's check for what files this group has the access.

There is a binary file calledbugtracker and also we notice that it has SUID permissions.

The β€˜s’ in the user β€˜execute’ field, it runs β€˜as’ its creator, in this case, root. πŸ˜‹πŸ˜‹πŸ˜Ž

Let's run the file and check what are the mess around that file.

Nothing interesting found. let's check strings command to analyze the binary file for any hard-coded information.

When looking around the output, you can see that it looks like a system command which is calling the cat command using the relative path instead of the absolute path. So what's on your mind now. yes we can create malicious file called cat and modifying the path to include the current working directory. Using that method we can abuse this misconfiguration and escalate our privileges to root.

Let's create the file, make it as executable and add the current working directory to PATH.

Now let's run the /usr/bin/bugtracker binary again.

Now we are landing as root. The last step; let's check the root flag and submit it to the HTB.

Here I was unable to view the root.txt flag using cat,vi,nano commands. so instead of view the flag, I'm going to use netcat and get that file to my host.

-- On the receiving end (My host)

-- On the sending end (Oopsie machine)

Here is the output πŸ‘‡

04. Post Exploitation

Inside root's folder, we see a .config folder, which contains a FileZilla config file with the credentials ftpuser : mc@F1l3ZilL4 visible in plain text.

That’s all for now! We’ll keep in mind that some of the info collected (like credentials, folders…) can be useful in the next 7 labs of the β€˜Starting Point’ path. Thanks for reading and happy hacking!

Find me on @twitter

PreviousArchetype WalkthroughNextVaccine Walkthrough

Last updated

Was this helpful?