Oopsie is a retired Linux HTB machine. It was fun and fell quickly. I didn’t take the best screenshots along the way, but I’ll fill in most of the blanks as we go. As usual, the machine is retired on HTB and any flags have since been refreshed.
Initial recon showed just TCP:80 and TCP:22 open, so a small surface area to play with. I decided to go straight in with GoBuster using the common.txt wordlist included with the SecLists package on Kali.
On another scan, using a different wordlist from the same SecLists package, I came across the cdn-cgi directory; naturally, I aimed GoBuster with common.txt at it again.
The username is admin, and the password is one that has been used on other HTB machines; I’m not going to share it. We can’t upload as admin. I didn’t capture the page, but we’re told we need to be superuser.
Let’s have some fun with Burp Intruder and see if we can find the superuser access ID.
With the shell uploaded, we need only browse or curl to it.
Next up is PrivEsc.
The issue here, and our route in, is that the “cat” command is being called without an explicit path (“/bin/cat”); instead it relies on the PATH environment variable. We can exploit this with some simple PATH tampering (in the Windows world this is loosely equivalent to unquoted service paths): all we need to do is create our own “cat” and manipulate the PATH variable to force the Bugtracker app to use our “cat”.
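To show what the fix looks like from the developer's side, here is an added example (not the post's own material, and not the real Bugtracker binary, which the page never shows). It assumes Bugtracker is a native SUID helper; the function names `bugtracker_vulnerable`, `bugtracker_hardened`, `resolve_trusted` and `path_has_untrusted_entry` are constructed for this example. The vulnerable stand-in lets the shell resolve “cat” through the caller's PATH, exactly the bug described above; the hardened version ignores the inherited environment, resolves the command against a fixed trusted PATH, and execs it directly without a shell. The PATH checker is the kind of sanity test a setuid program (or an auditor) can run to flag relative, empty, or world-writable entries.

```c
/* Added example: PATH hijack in a SUID helper and the hardened equivalent.
 * Constructed stand-ins; not the original Bugtracker binary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* A fixed search path that does not depend on whoever ran the program. */
#define TRUSTED_PATH "/usr/bin:/bin"

/* VULNERABLE pattern (hypothetical): "cat" is looked up via the caller's PATH
 * by /bin/sh, so a writable directory placed first on PATH wins. Never called here. */
void bugtracker_vulnerable(const char *report)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat /root/reports/%s", report);
    system(cmd);
}

/* Returns 1 if any PATH entry is untrusted: empty (means cwd), relative,
 * or a world-writable directory where anyone could drop a fake "cat". */
int path_has_untrusted_entry(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char entry[4096];
        if (len == 0 || len >= sizeof entry) return 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (entry[0] != '/') return 1;
        struct stat st;
        if (stat(entry, &st) == 0 && (st.st_mode & S_IWOTH)) return 1;
        if (!colon) return 0;
        p = colon + 1;
    }
}

/* Resolve cmd using TRUSTED_PATH only; the environment is never consulted.
 * Returns 1 and fills out on success; 0 if cmd contains '/' or is not found. */
int resolve_trusted(const char *cmd, char *out, size_t outlen)
{
    if (strchr(cmd, '/')) return 0;
    const char *p = TRUSTED_PATH;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0) return 1;
        if (!colon) return 0;
        p = colon + 1;
    }
}

/* HARDENED pattern: absolute path, no shell, scrubbed environment, file passed
 * as a separate argument. Returns cat's exit status, or -1 on failure. */
int bugtracker_hardened(const char *report_path)
{
    char exe[4096];
    if (!resolve_trusted("cat", exe, sizeof exe)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cat", "--", (char *)report_path, NULL };
        char *const envp[] = { "PATH=" TRUSTED_PATH, NULL };
        execve(exe, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *env_path = getenv("PATH");
    printf("inherited PATH untrusted: %d\n",
           env_path ? path_has_untrusted_entry(env_path) : 1);
    if (argc > 1)
        printf("cat exit status: %d\n", bugtracker_hardened(argv[1]));
    return 0;
}
```

The important design choice is that `bugtracker_hardened` never trusts `PATH` at all: the lookup happens against a compiled-in constant, the child gets a freshly built environment, and `execve` replaces `system()` so no shell parses the command line. The `path_has_untrusted_entry` check is a useful defensive add-on for auditing, but it is not a substitute for the absolute-path exec.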