Box 2: HTB - Oopsie

It is considered a “Very easy” Box on HTB but causes troubles for me.

Enumeration

As a routine, I use Nmap for port scanning and reconnaisance at the beginning. For explanation about nmap syntax and its parameter, visit this site: https://explainshell.com/

nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.28 --open

The nmap scanning result is very brief, not as my imagination. There’re only 2 opening ports for us to explore today: 22 (SSH) and 80 (HTTP)

PORT   STATE SERVICE REASON         VERSION22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))

There’s not many things I can do here. I run Hydra tool for authentication brute-force with rockyou.txtin the background, but unfortunately, it cannot find any thing. Meanwhile, I also run dirsearch to enumerate web site directories for some interesting stuff. Additionallly, I navigate this site to inspect menu, tabs, and view page source…

dirsearch -u http://10.10.10.28 -e html,js,php,old,bakOptions:
-u URL, --url=URL : Target URL
-e EXTENSIONS, --extensions=EXTENSIONS : Extension list separated by commas (Example: php,asp)

dirsearch can detect some directories in this site, but they’re inaccessible when I try to access them. Maybe it need us to authenticate & authorize. There is a login page, however, it redirects to homepage when I try.

”dirsearch” result

In contrast, when navigating the page source, I find a weird directory: /cdn-cgi/login/script.js

“View page source” on your web browser

This page has quite a bit of content. So you can start with filtering out the links to webpages and scripts with curl as another way:

curl 10.10.10.28 | grep -E --colour 'href|script'

Another method to find scripts

Fire it in your browser and the login page in front of your eyes right now!

What shall we do next? I had tried to brute-force it with Hydra tool but hopeless. Finally, I used Google-fu and found that the boxes in “HackTheBox” are related to each other. Let’s try reusing the admin password from the previously compromised machine, with common usernames such as administrator or admin. This is my first experience with that behaviour, use it with the later boxes!

Just as successful login, I access “Upload” tab firstly because I think this is normally an attack vector for creating reverse-shell connection. However, it’s not as easy as a piece of cake.

This action require “super admin” rights!!!

Back to “Account” tab, you will see some information about currently logged in acocunt. “Access ID” is 34322 but on the URL bar, we also notice the paramter “id” equals 1, which for our current admin user. I checked the cookies and found something interesting. The cookie “user” is 34322 too.

Check URL parameters and the cookies jar

Wfuzz

I have id of 1 in the URL bar. If I change it to a '2', then I get nothing on the screen. It might be possible to brute force the id values, and display the user value for another user, such as super admin account. We can do this using wfuzz. I’ll try fuzzing the “id” parameter from 0 to 100.

wfuzz -c -z range,0-100 --hh 3595 -b role=admin -b user=34322 -u "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ"

Options:
-c : Output with colors
-u url : Specify a URL for the request
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder]. A list of encoders can be used
-b cookie : Specify a cookie for the requests. Repeat option for various cookies
--hh : Don't show for a certain amount of characters in the response

Why did I use --hh 3595 in this command? Let’s try access URL again with “id” which equals '2'. This parameter value is invalid, then it will response with an empty page as below:

http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=2

So with invalid “id”, the response pages will be the same and have the same character amount 3595. We surely wanna ignore them and just keep focusing on the HTTP responses which have different content lengths and valid “id”. Let’s view the result from wfuzz tool as below:

Valid “id” payload are 1,4,13,23,30.

Notice: What is Fuzzing?
To keep it simple, fuzzing can be argued as “fancy bruteforcing” to some degree. However, you can fuzz what you can’t bruteforce. Fuzzing is using security tools to automate the input of data we provide into things such as websites or software applications. Fuzzing is an extremely effective process as computers can perform laborious actions like trying to find hidden files/folders, try different username and passwords much quicker then a human can (and is willing to do…). For more information about wfuzz tool, please kindly visit this. If you have problems when installing, check this for workaround. I hope it will be helpful.

BurpSuite

Another method to do above task is using BurpSuite Intruder. First of all, we will use Proxy mode to capture all traffic we sent to the web server and change browser settings to intercept them in Proxy mode. Then, we plan to send it to Intruder for attack.

Intruder → Positions → Add § to your parameter value for fuzzing

Then, let’s move to “Payloads” tab to define value range that we’ll use in fuzzing. To create a list containing 0,1,..,100 value, you can utilize this one-liner command: for i in $(seq 0 100); do echo $i; done > list.txt. “Load” this list into “Payloads Sets” and click “Attack”.

Define value range 0–100 to use in fuzzing attack

In the result windows, like we do with wfuzz, you only need to focus on HTTP response which have different content lengths.

The yellow-highlighted are interesting things!

I’ve tried all in this list and with the value “id=30”, we will get the “super admin” AccessID.

Access ID=86575

Now, we can modify cookie “user” to 86575 in our web browser. After that, try accessing “Upload” tab again, this will be so amazing!!

Edit cookies value

Foodhold

Tadaaa!!!

In the next step, we will upload the reverse shell to this server and run it. If you’re using Kali Linux like me, a collection of webshells for PHP is available in /usr/share/webshells/. You can check and list all of them with command:

tree /usr/share/webshells

webshells Directory in tree format

I’ve picked up php-reverse-shell.php in this time. After changing the IP and port values, we upload the file, capture the request, substitute the user
value as before, and click Upload.

File uploading was successful. Great!

So that was a success, but now where did it go? Remind you of the dirsearch step, we’ve found a directory called ''uploads''. Try 10.10.10.28/uploads and it gives a 301, yayy! Now, we can set up our listener and trigger a reverse shell.

sudo nc -lnvp <port number>

Use browser and move to your reverse-shell location, then ''Enter'' to run it!

http://10.10.10.28/uploads/<your revere-shell file name>.php

Got reverse-shell connection from this web server. Use ‘id’ command to show user info

Current shell is not tty and quite inconvenient, let’s proceed to upgrade it. We can usewhich python or which python3 to check whether pythonorpython3 is available on this machine or not. Python3 is present in /bin/ so we will run below command to spawn a tty shell (interactive):

python3 -c 'import pty; pty.spawn("/bin/bash")'

TTY Interactive Shell

Lateral Movement

In this stage, you can easily find the “user.txt” flag in /home/robert/. I won’t disclose the flag content is this write-up, you should have enjoy it yourself. Next, it’s a good idea to navigate the web root directory /var/www/html. I found some script files here and db.php is one of them. I have credential of robertfor mysql, does that work elsewhere?

credentials of ‘robert’

Yes, we still have another opening service port - SSH.

ssh robert@10.10.10.28 → Enter → Provide the password

Privilege Escalation

Now that we are robert, again, look around the home directory and see what we got. After looking through these files, we don’t find anything juicy. I considered using find command to list all of interesting files that robert have permission to access. After minutes of getting stuck, I used id command and found robert is a member of the weirdbugtracker group.

So we can enumerate the filesystem to see if this weird group has any special access.

find / -type f -group bugtracker 2> /dev/null

The only file found is /usr/bin/bugtracker , this executable file is suspicious and let’s inspect it. So I’ll look at the libraries using ldd but there is nothing exploitable there since I cant hijack those paths. After Google-fu, I run strings to see if I can get an idea of what the program has hard-coded. I then run ltraceto see exactly what the calls do. So far, this’s my first time with 2 these commands, I don’t have a lot of information or cheat about them therefore. Research them later, when possible!

strings command explanation: https://www.lifewire.com/strings-linux-command-4093452

ltrace command explanation: https://man7.org/linux/man-pages/man1/ltrace.1.html

‘strings’ command result
‘ltrace’ command result

Looking at the output, it looks like a system command is calling the cat command and looking at the setuidline, it is setting the UID as 0 which is root. We see that it calls the cat binary using this relative path instead of the absolute path. By creating a malicious cat and modifying the path to include the current working directory, we should be able to manipulate this misconfiguration, and escalate our privileges to root.

Let’s add the current working directory to PATH, create the malicious binary and make it executable.

export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

Finally, we can execute/usr/bin/bugtracker to get root login. Remember that we changed path to runcat command, so we need to use absolute path /bin/cat to read the file content instead of the normal cat. You will easily find the ''root.txt'' flag in /root/. Let’s explore it by yourself.

root.txt flag

I was afraid of losing this connection and consider setting up a backdoor, so I’ll create a basic ssh key (ssh-keygen) and upload it to the authorized_keysfile for root. Now I can get in as root anytime. On your own machine, use ssh-keygen command to generate key pair for SSH. So then, 2 key files are created: id_rsa(private key) and id_rsa.pub(public key). Try to copy the public key to authorized_keys file on Victim machine (10.10.10.28) at SSH directory: ~/.ssh/. Try connecting SSH from my Kali machine to this box with private key already created:

Oops! I have a problem with my private key…

Call Google-sama and I found the reason for this. I’ve changed permission for this file with command: chmod 600 id_rsa. Visit this for understanding file permission in Linux.

SSH connection is OK now!

Now time to loot, so I pull all the shadow and passwd file for credentials. As my above experience, they may be useful for the next several boxes!

There is a file inside of the .config directory that has some additional credentials. Based on the last box, I’ll add all these I found to my crendential file because password reuse may be a theme here!

Inside root’s folder, we see a .config folder, which contains a FileZilla config file with the credentials

Finally, this is also the 2nd box on my journey to pursue OSCP exam. I’ll try to complement the details much more when possible.

THANKS FOR READING AND SUPPORTING!

“Remember, Hacking isn’t a race. It’s a test of will, patience, and preparation.”