Oopsie - HackTheBox

Start with an Nmap scan to see what ports the machine has open.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -v -Pn -n 10.10.10.28 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-30 15:22 CEST
Initiating SYN Stealth Scan at 15:22
Scanning 10.10.10.28 [1000 ports]
Discovered open port 22/tcp on 10.10.10.28
Discovered open port 80/tcp on 10.10.10.28
Completed SYN Stealth Scan at 15:22, 0.46s elapsed (1000 total ports)
Nmap scan report for 10.10.10.28
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
       	Raw packets sent: 1128 (49.632KB) | Rcvd: 1008 (40.328KB)

Once the scan was complete, I performed another scan to detect the version and service of each port found.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p22,80 10.10.10.28 -oN targeted        	 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-30 15:23 CEST
Nmap scan report for 10.10.10.28
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh 	OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http	Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.91 seconds3

I had a Server and an SSH service that I couldn’t do much with, I tried fuzzing to see if there were any potential directories.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ gobuster dir -u http://10.10.10.28/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:        	http://10.10.10.28/
[+] Threads:    	20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent: 	gobuster/3.0.1
[+] Timeout:    	10s
===============================================================
2021/06/30 20:22:13 Starting gobuster
===============================================================
/images (Status: 301)
/themes (Status: 301)
/uploads (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
Progress: 4146 / 220561 (1.88%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/06/30 20:22:27 Finished
===============================================================

The “uploads” directory I would like to think will have to point to some file later, look at the web server.

I found a route in the source code that caught my attention that said /cdn-cgi/login/script.js, I removed the script.js, copied the route and put it next to the IP of the machine and it reported a “Log In” panel.

After some research on this panel, I found nothing critical about it and had to see this part in another Write Up, apparently the access credentials are from the previous “Starting Point” machine, that is ArcheType, the username is admin and the password MEGACORP_4dm1n!!.

Once inside, this is what you saw.

The section that particularly caught my attention was “uploads”, I clicked on it to see if it would allow me to upload any files.

And apparently there is a user with more privileges than admin, I had to become him in order to upload a file.

Seeing this I decided to click on the “accounts” section and I saw that the URL reported an ID that was 1.

This ID corresponded to the admin user I was in, I thought about doing brute force and maybe getting an ID from another user and with a bit of luck the one from the user with the most privileges, for that I created a sequencer from 0 to 100 for the dictionary, I exported it to a dic.txt file and now all that was left was to intercept the request with BurpSuite and send it to the “intruder”, I selected “sniper” as the attack type and the “payload” to attack, in this case the ID, I started the attack and finally I found the user superadmin in a server-side response different from the others.

The superadmin user ID was 30, I intercepted another request but this time from the “uploads” section.

I changed the data in the user parameter and put in the user superadmin.

I clicked “forward” and it redirected me to the file upload page.

I uploaded a reverse shell in PHP, I used the one from Pentestmonkey.

I intercepted the request again.

Change the “user” parameter of the request to that of the superadmin.

I clicked forward to issue it and upload the reverse shell.

Now where has it been uploaded? Well, if we remember at the beginning of everything we did “fuzzing” to find potential directories, there was one called “uploads”, I tried pointing to that directory with the name of the reverse shell and opening port 443 via NC to receive the connection, and indeed it was there.

I tried using the TTY to navigate the Shell more comfortably and tried to view the user’s “flag”. Apparently I didn’t have permissions, there was a user called Robert. I thought I had to become that user to be able to view it. After a little search in the system I managed to find a file in /var/www/html that had some credentials for the user Robert.

I tried authenticating via SSH, since the machine had it open, and it worked.

---

ESCALADA DE PRIVILEGIOS

I viewed the flag, and now all that was missing was the privilege escalation, I found a binary called bugtracker, after intuiting what it was doing I saw that a cat was being executed behind the scenes and apparently it was not pointing from its absolute path, so this was a PATH hijacking like a house, I created a file called cat with “/bin/bash” as content and modified the PATH to point to the directory I am in now, I gave the file execution permissions and ran the bugtracker binary and became the ROOT user.

I tried to display the flag, but it seemed like it had nothing, I had to encode it in hexadecimal and the two potions at the end together make up the ROOT user flag.