Oopsie — HacktheBox Writeup ( getting root flag without actually being root )
Introduction:
Oopsie is an easy box on the HackTheBox platform.
First, connect to the HackTheBox VPN and jump right in (the IP of the target box is 10.10.10.28).
Enumeration:
Let's enumerate, because enumeration is the key. I personally use Rustscan because it is much faster than Nmap. You can install Rustscan with the apt package manager of Linux: fire the command apt install rustscan in the terminal and the tool will be downloaded and installed for you (use sudo if you are not the root user).
Get a cheat-sheet or complete the Rustscan room on TryHackMe to learn how to use Rustscan to its full potential. The command I used was: rustscan -a 10.10.10.28 --range 1-65535 -- -sC -sV -O -oN file.txt
-a specifies the target.
--range specifies the range of ports to be scanned. Here we are scanning all the ports.
-- means that the remaining arguments/flags/switches are Nmap switches.
-sC includes the default scripts while scanning the ports. It helps to identify known vulnerabilities during the scan.
-sV gives the version of the services running.
-O is for OS detection.
-oN writes the output to a file (for future reference).
So, the results of Rustscan / Nmap will show you that ports 22 and 80 are open. Start your web browser and type in the IP of the target box.
The second thing I do is directory bruteforcing. For this, nothing is better than FFUF. I suggest watching this video by Codingo to understand how to use FFUF better: https://www.youtube.com/watch?v=iLFkxAmwXF0 . The command for this is ffuf -u http://10.10.10.28/FUZZ -recursion -w location/of/wordlist.txt | tee ffuf.log
-u specifies the target.
-recursion means that if ffuf finds a valid directory, it will also fuzz inside that directory (one level further).
-w defines the wordlist to use for fuzzing.
| takes the output of the first command as the input of the second command. Here, we take the output of the ffuf command and hand it to the tee command.
tee prints the output on the terminal and also saves it to the specified file.
The interesting result from FFUF is /cdn-cgi/login. Visit this endpoint by entering http://10.10.10.28/cdn-cgi/login. This greets us with a login page as shown:
At this point I did not have any username, so I tried bruteforcing the password with admin and administrator as the username, but had no luck. I visited the homepage again and looked for anything useful, visited different endpoints looking for anything of use, but again, no luck. So, I looked at a couple of writeups (yes, I looked at a writeup because I am also learning) and found that the author had used the password 'from the last machine'. I don't know which last machine they were talking about, but I used it. Use admin:MEGACORP_4dm1n!! as the login credentials.
Here, the upload page is further restricted to the 'super admin'. As the page name says, we can upload files to it. We can try to upload a reverse-shell file to get a shell back, if possible. Until then, we have to find a way to become the super admin.
Visit the Accounts page. The URL contains a parameter id. Try to fuzz it with BurpSuite. I use a Firefox extension, FoxyProxy, to easily set up interception with BurpSuite.
Intercept the request to the Accounts page, and use Burp Intruder to fuzz the id parameter. Set the values between 1 and 200 (do 50 for faster results).
The results show some users and their access IDs:
Edit the URL and set the value of the id parameter to 30, and the result will be as shown above.
Becoming super-admin on the application:
Now edit the cookies: replace the accessid with 86575 and the name with super-admin. Now we can easily visit the Uploads page.
Gaining shell ( Initial Foothold ) :
Upload a PHP reverse shell, as the target page is using PHP at the back-end. (You can use an extension called Wappalyzer to learn which technologies a particular web application is using.) You can look at the pentest-monkey reverse shells. Edit the ip and port values (changing only the ip value to the target IP will work).
Upload it with any name you want.
The reverse shell has been uploaded successfully. Now we have to start the netcat listener and trigger the uploaded reverse shell.
Start the netcat listener on the same port you set in the uploaded shell. Here it is 443. Fire the command nc -nlvp 443 in the terminal.
Now, to trigger the reverse shell, we will use the curl command.
I have stabilized the shell using Python. Stabilizing the shell gives you tab auto-completion, Ctrl+C won't kill your shell, and so on. You can also set the size of the reverse shell to match your own terminal by using stty rows 39 && stty cols 173. 39 and 173 is the size of my terminal. You can see yours by typing stty size in your own terminal.
Parallel Escalation ( becoming user robert ) :
There is a user robert, so we should try to become that user to see what else we can do on this box. There was a page /cdn-cgi/login on the website, so visit the same path in the shell. There is a database configuration file db.php under the /var/www/html/cdn-cgi/login/ directory, which has the credentials for the robert user. Switch to that user using the su command. Now we are the user robert.
Reading the root flag:
Currently we are the user robert.
Run the command id. We can see that robert is a member of the group bugtracker.
Now we have to find the files robert can access which belong to this group. Type the command find / -type f -group bugtracker 2> /dev/null. Let's understand what this command is doing.
find is the tool which finds files and directories.
/ specifies where to look for the files. / means to start at the root of the filesystem, i.e. look everywhere.
-type f specifies what we are looking for: f means a file, d would mean a directory.
-group means we are looking for files which belong to the specified group, here bugtracker.
2> /dev/null means that if this command generates any errors, that garbage is sent to /dev/null. Such errors are typically 'permission denied' when we cannot access a directory or file.
The output of this command shows that there is a SUID binary. If you don't know what SUID binaries are, I'll tell you. SUID binaries are binaries which have the SUID permission bit set, and this permission lets anyone run that binary with the permissions of its owner. The owner of bugtracker is root. So if we run this file, it will run with root privileges.
Run this binary; it asks for a 'bug id':
Enter any value to see its behavior.
The values 1, 2 and 3 return the content of some files we don't know yet. Try entering a big number:
This reveals that the binary is printing out the content of files under the /root/reports directory.
PS: we are not able to enter the root directory, but we can still read files under it because this binary is running with root privileges.
Now it's time to get the root flag without being the root user:
We can traverse one level up; then we will be in the root directory, and the root flag is in the root directory. Since this binary prints the content of a file, we can enter the name of the root.txt file to get its content.
So, the final payload will be ../root.txt, which will act like cat /root/reports/../root.txt (i.e. cat /root/root.txt). Enter the payload and you will get your root flag.
Becoming root user:
But just reading the root flag isn't our goal; being the root user is.
So, let's escalate to root.
The bugtracker binary is using the cat command, so we can gain root by exploiting the PATH variable.
The PATH variable holds the directories which contain the binaries for all the commands we use in the terminal.
TIP:
If a SUID binary calls basic commands like ps, ls, cat, etc. without an absolute path, we can put our own directory into the PATH variable. By placing an imitation of that command there, we decide what the command does rather than what it was made to do.
What's happening here is, I have changed what the cat command does. I have made cat execute a shell, and since this is a binary with SUID permissions, the shell we get will have root privileges.
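As an added illustration (not code from the box, its author, or this writeup), here is a hypothetical C reconstruction of the two weaknesses in a report viewer like bugtracker, the traversal through the 'bug id' and the bare cat resolved through PATH, beside a hardened version that validates the id and reads the file without a shell. The function names, the report directory and the program logic are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REPORT_DIR "/root/reports"

/* Vulnerable (hypothetical reconstruction): the id is pasted into a shell
 * command, so "../root.txt" escapes the directory and "cat" comes from PATH. */
int build_command_vulnerable(const char *bug_id, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "cat " REPORT_DIR "/%s", bug_id);
    return n > 0 && (size_t)n < outsz;
}

/* Hardened input check: a bug id is 1 to 9 ASCII digits and nothing else,
 * which rules out '/', '.', spaces and shell metacharacters in one go. */
int is_valid_bug_id(const char *bug_id)
{
    size_t len = strlen(bug_id);
    if (len == 0 || len > 9) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)bug_id[i])) return 0;
    return 1;
}

/* Builds the report path only for a valid id; returns 0 otherwise, so a
 * traversal attempt never reaches the filesystem at all. */
int build_report_path(const char *bug_id, char *out, size_t outsz)
{
    if (!is_valid_bug_id(bug_id)) return 0;
    int n = snprintf(out, outsz, REPORT_DIR "/%s", bug_id);
    return n > 0 && (size_t)n < outsz;
}

/* Reads the report with open()/read(): no shell and no PATH lookup, so a
 * user-controlled PATH cannot swap in a fake "cat". 0 on success, -1 on error. */
int print_report(const char *bug_id)
{
    char path[64], buf[4096];
    ssize_t got; int fd;
    if (!build_report_path(bug_id, path, sizeof path) ||
        (fd = open(path, O_RDONLY)) < 0)
        return -1;
    while ((got = read(fd, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)got) < 0) break;
    close(fd);
    return 0;
}
```

Comparing build_command_vulnerable and build_report_path on the same input shows why the ../root.txt payload works against the first and is rejected by the second.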