OOPSIE HTB WALKTHROUGH
OOPSIE is a good HTB machine to learn about web application vulnerabilities: cookie manipulation, file upload and Insecure Direct Object Reference (IDOR). In this article, I explain how to pwn OOPSIE.
TASK 1 : With what kind of tool can intercept web traffic?
Just search in Google or any search engine.
TASK 2 : What is the path to the directory on the webserver that returns a login page?
To know which port the web server uses, we can do a simple nmap scan.
We can now open the site in a web browser at the address http://TARGET_IP
But exploring it manually does not let us find the login page, so we will use directory brute forcing. For that, I use a tool already installed on Kali or Parrot: dirbuster. The tool has a graphical interface; in a terminal, just type dirbuster -u http://TARGET_IP
The interface opens automatically, and you can choose your wordlist.
After starting the process, in the Results - List View tab there is a /cdn-cgi/login entry with response code 200, which means the page exists.
At the URL http://TARGET_IP/cdn-cgi/login we have a login page.
TASK 3 : What can be modified in Firefox to get access to the upload page?
As we saw in the last screenshot, we can log in as Guest and this homepage appears.
And when we try to access the Uploads page, this message is shown to us.
In your browser, open the developer tools; in Firefox just press the F12 key.
The cookie editor shows that each user is defined by a role and a number that looks like an ID. That means that if you change the role to admin and have the right ID for the admin user, you can connect as admin. So the answer is cookie.
TASK 4 : What is the access ID of the admin user?
Looking at the tabs of the website, there is an Account tab.
Apparently, the tab lists the information for the user whose id is sent as a URL parameter. What happens if we set this id to 1?
We get the Access ID of the admin account.
If you change the cookie role field value to “super admin” and the user field to “34322”,
you can now access the upload page.
TASK 5 : On uploading a file, what directory does that file appear in on the server?
While running dirbuster, we also found an uploads directory.
TASK 6 : What is the file that contains the password that is shared with the robert user?
To achieve this task, we have to get a reverse shell on the victim machine. We saw that the website is in PHP, so we need a PHP reverse shell. There is a good one here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php. Download it and customise it with the IP address of your attacker machine and your chosen port.
Then open a netcat listener on your attacker machine:
Upload the reverse shell file to the website.
Then open the URL http://TARGET_IP/uploads/reverse_shell.php; note that the file name may differ for you, as you can name it as you want.
Back in the netcat listener, we are connected to the victim machine.
With dirbuster, we found that there is a cdn-cgi/login/db.php file.
We open it in our shell with the command cat /var/www/cdn-cgi/login/db.php
So db.php is our file.
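As an added example (not code from the original walkthrough), here is a small Python detector a defender could run over web-server access logs for the two server-side symptoms of this chain: one client enumerating account ids on the account page (the IDOR) and a PHP file being requested from /uploads/ (an uploaded script being executed). The account URL, the log lines and the threshold are constructed assumptions, not values taken from the machine.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache common format); not real server logs.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cdn-cgi/login/ HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cdn-cgi/login/account.php?id=2 HTTP/1.1" 200 890
10.10.14.5 - - [01/Jan/2024:10:00:06 +0000] "GET /cdn-cgi/login/account.php?id=1 HTTP/1.1" 200 910
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /cdn-cgi/login/account.php?id=3 HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2024:10:00:40 +0000] "GET /uploads/reverse_shell.php HTTP/1.1" 200 0
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumed URL of the account page; the real application's path may differ.
ACCOUNT_RE = re.compile(r'^/cdn-cgi/login/account\.php\?(?:.*&)?id=(\d+)')
SCRIPT_EXT = ('.php', '.phtml', '.phar')   # server-side script extensions that should never be served from /uploads/
ID_THRESHOLD = 3                           # distinct ids from one client before we call it enumeration

def parse_line(line):
    """Split one access-log line into ip, method, path and status; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}

def detect(log_text, id_threshold=ID_THRESHOLD):
    """Return a list of (finding, client_ip, detail) tuples for the log text."""
    findings = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        # A script under the upload directory answered with 200: the upload filter failed.
        if path.startswith("/uploads/") and path.lower().endswith(SCRIPT_EXT) and rec["status"] == 200:
            findings.append(("uploaded_script_executed", rec["ip"], path))
        m = ACCOUNT_RE.match(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].add(int(m.group(1)))
    # One client walking through several account ids is the IDOR pattern.
    for ip, ids in ids_by_ip.items():
        if len(ids) >= id_threshold:
            findings.append(("idor_enumeration", ip, sorted(ids)))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The durable fix is on the server side: authorise the account lookup against the session user rather than a client-supplied id and role, and store uploads outside the web root (or with script execution disabled).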
TASK 7 : What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?
TASK 8 : Regardless of which user starts running the bugtracker executable, what’s user privileges will use to run?
First, we use the find command to find the files owned by the bugtracker group.
Then we use ls -l bugtracker to get more information on the file.
The file is owned by the bugtracker group and has the SUID bit set, which means it runs as root.
TASK 9 : What SUID stands for?
Just search in Google what SUID is on Linux systems.
TASK 10 : What is the name of the executable being called in an insecure manner?
We run the command python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade the nc shell to a full terminal. Then we switch to the robert user with the su command and enter the password; finally, with the id command we can see which groups the robert user is in: robert can execute bugtracker.
When we execute bugtracker, we see that the executable runs the cat command as root.
SUBMIT USER FLAG
SUBMIT ROOT FLAG
We exploit the bugtracker executable's flaw by giving it the location of our flag.
Thanks for reading; if you enjoyed it, clap for the article.