Oopsie - HTB


Scanning and Enumeration

  • Running nmap scan against target machine

    Nmap Results

  • Ran dirbuster to find any login pages

    Dirbuster results

  • Found the /cdn-cgi/login page

    Login screen

  • Logged in as Guest

  • Noticed the URL parameters content=accounts&id=2 and changed it to id=1, which gave me the following

    Admin Account ID

  • Used the Admin ID found and turned on Burp Suite

  • Navigated to the uploads page and intercepted the request

  • Changed the user to 34322 and role to admin

    Request manipulation

  • By manipulating the admin cookies, I was able to upload a PHP reverse shell and got a shell session using an nc listener

    NC shell connection

  • Found a db.php file that contained the robert user password

    db.php contents

  • Switched to robert user and found he belongs to the bugtracker group

  • Found an executable owned by the bugtracker group

    Bugtracker executable

  • The executable has the SUID bit set, so it will run as root

  • After running the bugtracker executable, we see the error message is calling the cat command, but it doesn't define the path, so this looks promising

    bugtracker error

  • Created my own cat file containing the /bin/sh command in the /tmp folder

  • Made this an executable and added /tmp to the $PATH

  • Now when I ran bugtracker again, my fake cat was run as root, which put me in a shell as root

    Root shell
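
The root cause of the last steps is a SUID program that runs `cat` by bare name, so the caller's `$PATH` decides which binary runs as root. The sketch below is an added example of the hardened pattern, not code from this repository or from the bugtracker binary; it assumes the program takes a numeric bug ID and prints a report file, and `REPORT_DIR`, `valid_bug_id`, `build_report_path` and `show_report` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical report directory; the write-up does not name the real one. */
#define REPORT_DIR "/var/lib/bugtracker/reports"

/* Accept only short, purely numeric IDs so no path or shell syntax gets through. */
int valid_bug_id(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 9) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Build the report path from a validated ID; returns 0 on success, -1 on reject. */
int build_report_path(const char *id, char *out, size_t outlen) {
    if (!valid_bug_id(id)) return -1;
    int n = snprintf(out, outlen, "%s/%s", REPORT_DIR, id);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Weak pattern (assumed): system("cat <dir>/<id>") resolves cat via the caller's PATH.
 * Hardened: no shell, absolute path to the helper, and a fixed environment. */
int show_report(const char *id) {
    char path[256];
    if (build_report_path(id, path, sizeof path) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"cat", path, NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
        execve("/bin/cat", argv, envp);   /* never consults the inherited PATH */
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    return (argc == 2) ? show_report(argv[1]) : 2;
}
```

Reading the file directly with `open`/`read` removes the helper process altogether, and dropping the SUID bit in favour of a narrowly scoped privilege removes the root context that made the PATH lookup dangerous.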