Oopsie

7MB

Oopsie_Write_Up.pdf

pdf

TARGET IP --> 10.129.168.75

Task 1: With what kind of tool can intercept web traffic?

• A proxy is used to intercept web traffic.

Task 2: What is the path to the directory on the webserver that returns a login page?

• Run a quick nmap scan

nmap 10.129.168.75

• Looks like there is a web server on port 80 running and SSH is available. I then tried a more detailed version scan of the two ports.

nmap -sV -p 22, 80 10.129.168.75

• This shows that the web server is Apache.

• Next, I tried opening the Target IP on a web browser.

• Looks to be a basic bootstrap page with some information on it that may be important later on. All clickable links on the page redirect back to the home page.

  • admin@megacorp.com

  • Nothing to note in the source code except they stuck all of their CSS and JS in the HTML page which should be a criminal offense.

• Checking Wappalyzer confirms an Apache Web Server running on Ubuntu. It also shows the backend is powered by PHP.

• Let's run a gobuster scan to see what other directories are available.

  • A few 403s and several 301 (redirects)

• I checked out some of these.

  • Unfortunately, they all came back as forbidden which is weird.

• Next, let's use Burpsuite to find other directories on a subdomain.

  • First start by refreshing the page with FoxyProxy to capture the packet and map out some of the networks. If you switch to the Target tab, you'll notice that some familiar looking directories from our gobuster scan have popped up including a new one we have not seen before:

• The one I'm particularly interested in is the cdn-cgi/login directory listed. This is called spidering the network with Burpsuite.

Task 3: What can be modified in Firefox to get access to the upload page?

• A Cookie can be modified to validate we are a user to the system and allow us access.

Task 4: What is the access ID of the admin user?

• First start by checking out the page.

• I'm going to guess that one of the users is named admin but I do not know their password.

• I can sign in as guest though.

• Checking the source code shows that by clicking on this button it redirects me to the directory

  /cdn-cgi/login/?guest=true

• Catching the packet through burp shows us some interesting info.

• It shows that it has set user=2233 and role=guest. I might be able to change those to allow for admin access.

• Navigating to the uploads page specifies that I need super admin rights. I tried changing the cookies value of the user to equal 1 but that didn't work.

• Checking the rest of the website and going over to the Account tab gives me an interesting value in the URL:

http://10.129.168.75/cdn-cgi/login/admin.php?content=accounts&id=2

• It looks like the id=2 is set. I tried setting it to equal 1. This let's me see the admin's account. This includes their Access ID number which I'm going to assume is their user number from the cookies.

• Let's go back to the uploads tab and try putting this value in with the cookies. I utilized super admin:34322 for the cookies.

• 
• This gave me access to the uploads page.

Task 5: On uploading a file, what directory does that file appear in on the server?

• To start, I went ahead and set up a netcat listener on my host machine.

nc -lvnp 4444

• I then went and uploaded a php reverse shell script I have on hand.

• I want to capture the response to this, so I right-clicked on the capture and specified I want to capture the response.

• It looks like I needed to specify in the cookies when I uploaded the file. I'll try again.

• It looks like the file was uploaded but I didn't see where it got uploaded in the request or response. However, based on my gobuster scan, I know there is a directory called /uploads.

• Similar to what I did previously, I visited the /uploads directory but captured the packet this time and changed my cookies to show that I am super admin.

• Unfortunately, this still did not work as the page is showing as forbidden. However, I have a pretty good feeling that this is where the file got uploaded.

  • I'm eventually going to try the directory --> /uploads/reverse_shell.php, to see if I can just open the file.

  • This didn't work. Instead of using super admin as the role, I'll try just admin.

• I went back and tried uploading the reverse shell file again. This time though I changed my role to just admin. Everything seemed to work.

• I then went back to the directory: /uploads/reverse_shell.php and that seemed to work for me. I now have a reverse shell to the system.

Task 6: What is the file that contains the password that is shared with the robert user?

• After getting the reverse shell, I explored the system.

• I am currently logged in as www-data

• In the /home/robert/user.txt file I found the user flag:

  • f2c74ee8db7983851ab2a96a44eb7981

• I backed up and decided to explore more of the system.

• I discovered the web server files and eventually found a php script relating to a database that has Robert's account in there.

  • /var/www/html/cdn-cgi/login/db.php

<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

• It looks like we have some credentials available --> robert:M3g4C0rpUs3r!

• We can then try to switch users to robert in our revers shell.

su robert

• That should now give us access to robert's account.

Task 7: What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?

• Next is to check what files have SUID priveleges.

find / -type f -perm -04000 -ls 2>/dev/null

• This outputs a lot of good info including one particular note:

• Bugtracker is a group that robert belongs to. We can confirm this by checking the /etc/passwd file.

• I tried running the bugtracker program but not getting useful. I tried help and man pages but wasn't getting anything. Every time I try an input, it tries to cat the input.

• However, it looks like I do have sudo privileges when running the process.

• I went ahead and created a new file in /tmp directory with /bin/sh

echo /bin/sh > cat

• I will then give execution privileges on the file.

chmod +x cat

• Next, I will add the /tmp directory to the PATH environmental variable.

export PATH=/tmp:$PATH

• I checked to confirm the path had the /tmp directory.

echo $PATH

• I can see the /tmp directory at the front.

• Next is to run the bugtracker executable in the /tmp directory.

• I now have root priveleges and can go look for flags.

• Back to the original question though, the executable I am looking for is find

Task 8: Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?

• Since this gives me sudo privileges, I technically will be running everything as root

Task 9: What SUID stands for?

• Set owner user id

Task 10: What is the name of the executable being called in an insecure manner?

• When running bugtracker, it runs the executable cat

Capture User Flag:

• I found the user flag a while ago. See notes above:

  • f2c74ee8db7983851ab2a96a44eb7981

Capture Root Flag:

• Redirect over to /root/root.txt for the root flag.

• Since cat will not work, you will need to use something else like head.

head /root/root.txt

• af13b0bee69f8a877c3faf667f7beacf