OOPSIE HTB WALKTHROUGH

MEFIRE FILS ASSAN
Published in System Weakness
Jan 8, 2024

OOPSIE is a good HTB machine for learning about web application vulnerabilities: cookie manipulation, file upload and Insecure Direct Object Reference (IDOR). In this article, I explain how to pwn OOPSIE.

TASK 1 : With what kind of tool can intercept web traffic?

Just search in Google or any search engine.

TASK 2 : What is the path to the directory on the webserver that returns a login page?

To know which port the web server uses, we can do a simple nmap scan.

We can now open the site in a web browser at the address http://TARGET_IP

But exploring it manually does not let us find the login page, so we will use directory brute forcing. To do that, I will use a tool already installed on Kali or Parrot systems: dirbuster. The tool has a graphical interface; in a terminal, just type dirbuster -u http://TARGET_IP

The interface opens automatically, and you can choose your word list.

After starting the process, in the Results - List View tab there is a /cdn-cgi/login entry with response code 200, which means the page exists.

At the URL http://TARGET_IP/cdn-cgi/login we have a login page.

TASK 3 : What can be modified in Firefox to get access to the upload page?

As we saw in the last screenshot, we can log in as Guest, and this homepage appears.

And when we try to access the Uploads page, this message is shown to us.

In your browser, open the developer tools; in Firefox, just hit the F12 key.

The cookie editor shows that each user is defined by their role and by a number that seems to be an ID. That means that if you change the role to admin and have the right ID for the admin user, you can connect as admin. So the answer is cookie.

TASK 4 : What is the access ID of the admin user?

Looking at the tabs of the website, there is an Account tab.

Apparently, the tab lists the information of the user whose id is sent as a URL parameter. What happens if we set this id to 1?

We have the Access ID of the admin account.

If you change the cookie's role field value to "super admin" and the user field to "34322",

you can now access the upload page.
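The flaw behind Tasks 3 and 4 is that the server trusts a role and user id it handed to the client, and the Account page returns any record whose id is in the URL. The following added example (my own illustration, not code from the post or the box) models that authorization logic in plain Python beside a server-side fix; the user table and session store are constructed, and 34322 mirrors the admin Access ID found above.

```python
import secrets
from typing import Optional

# Constructed sample user table; 34322 mirrors the admin Access ID from the post.
USERS = {
    34322: {"name": "admin", "role": "admin"},
    2233: {"name": "guest", "role": "guest"},
}


def vulnerable_can_upload(cookies: dict) -> bool:
    """Oopsie pattern: the role is read straight from a client-editable cookie."""
    return cookies.get("role") == "admin"


def vulnerable_account(cookies: dict, requested_id: int) -> Optional[dict]:
    """IDOR: any account id supplied in the URL is returned, whoever asks."""
    return USERS.get(requested_id)


# Hardened version: the client only holds an opaque, random session token;
# identity and role are looked up server-side and never taken from the client.
SESSIONS = {}  # token -> user id (server-side state)


def login(user_id: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def _current_user(cookies: dict) -> Optional[int]:
    return SESSIONS.get(cookies.get("session", ""))


def secure_can_upload(cookies: dict) -> bool:
    user_id = _current_user(cookies)
    return user_id is not None and USERS[user_id]["role"] == "admin"


def secure_account(cookies: dict, requested_id: int) -> Optional[dict]:
    user_id = _current_user(cookies)
    if user_id is None:
        return None
    # Object-level check: only the record owner or an admin may read it.
    if requested_id != user_id and USERS[user_id]["role"] != "admin":
        return None
    return USERS.get(requested_id)
```

A forged role cookie still grants upload in the vulnerable functions but is ignored by the hardened ones, and a guest session can no longer read the admin record by id.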

TASK 5 : On uploading a file, what directory does that file appear in on the server?

While running dirbuster, we saw that there is an uploads directory.

TASK 6 : What is the file that contains the password that is shared with the robert user?

To achieve this task, we have to open a reverse shell to connect to the victim machine. We saw that the website is written in PHP, so we will use a PHP reverse shell. There is a good one here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php. Download it and customize it with the IP address of your attacker machine and your chosen port.

Then open a netcat listener on your attacker machine:

Upload the reverse shell file on the website.

Then open the URL http://TARGET_IP/uploads/reverse_shell.php; note that the file name may be different for you, since you can name it as you want.

Back on the netcat listener, we are connected to the victim machine.

With dirbuster, we found that there is a cdn-cgi/login/db.php file.

We open it in our shell with the command cat /var/www/cdn-cgi/login/db.php

So, db.php is our file.

TASK 7 : What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?

TASK 8 : Regardless of which user starts running the bugtracker executable, what’s user privileges will use to run?

First, we use the find command to find the files owned by the bugtracker group.

And we use ls -l bugtracker to get more information on the file.

The file is owned by the bugtracker group and has the SUID bit set, meaning the file runs as root.

TASK 9 : What SUID stands for?

Just search in Google what SUID means on Linux systems.

TASK 10 : What is the name of the executable being called in an insecure manner?

We run the command python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade the nc shell into a full terminal. Then we change user to robert with the su command and enter the password; finally, with the id command we can see which groups the robert user is in: robert can execute bugtracker.

When we execute bugtracker, we see that the executable runs the cat command as root.

SUBMIT USER FLAG

SUBMIT ROOT FLAG

We exploit the bugtracker executable's flaw by pointing it at the location of our flag.

Thanks for reading; if you enjoyed it, clap for the article.
