This is the second blog in our HackTheBox Series! We are going to be creating our own script here to enumerate account details from a website using Python! Don't miss out!


 # Oopsie

----------------------------------
Target IP:- 10.10.10.28
-----------------------------------

Nmap Scanning:-

command:-  nmap -sC -sV -A  10.10.10.28

Open ports:-
1) 22
2) 80

Services:-
1) ssh
2) http

Versions:-
1) OpenSSH ---------> 7.6P1
2) Apache httpd ----------> 2.4.29

OS ----------> ubuntu

Gobuster Scanning:-

command:-   gobuster dir -u http://10.10.10.28/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.28/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/26 21:55:02 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://10.10.10.28/images/]
/themes               (Status: 301) [Size: 311] [--> http://10.10.10.28/themes/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.28/uploads/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.28/js/]    
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.28/fonts/] 


Nikto Scanning:-

See nikto.log

http://10.10.10.28/cdn-cgi/login ------> File Found

Used Credentials:-
---------------
User:admin
Password:MEGACORP_4dm1n!!


*** We found an email address for the admin on the index page
 admin@megacorp.com


##################### Credentials ################

"""
Access ID    Name    Email
34322    admin    admin@megacorp.com
8832    john    john@tafcz.co.uk
"""

Used account_enum.py to enumerate the users from the accounts page in the admin portal

SUPER USER FOUND !!!

User ID:-   86575
User Name:- super admin
Email:-     superadmin@megacorp.com
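The enumeration above walks account IDs one after another. From the defender's side, that pattern is easy to spot in the web server's access log. The following detector is an added example (not the account_enum.py script from the post and not part of the box): it parses Apache combined-log lines, groups requests by client, and raises an alert when one client fetches many distinct account IDs in a short window, mostly stepping by one. The log lines and the `admin.php?content=accounts&id=N` URL shape are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log lines (not taken from the box). The URL
# shape admin.php?content=accounts&id=N is an assumption about the portal.
# 10.10.14.5 walks account ids one by one; 10.10.14.9 browses normally.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Aug/2021:21:58:01 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=1 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.5 - - [26/Aug/2021:21:58:02 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=2 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.9 - - [26/Aug/2021:21:58:02 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=34322 HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Aug/2021:21:58:03 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=3 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.5 - - [26/Aug/2021:21:58:04 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=4 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.5 - - [26/Aug/2021:21:58:05 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=5 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.5 - - [26/Aug/2021:21:58:06 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=6 HTTP/1.1" 200 1532 "-" "python-requests/2.25.1"
10.10.14.9 - - [26/Aug/2021:21:58:40 +0000] "GET /cdn-cgi/login/admin.php?content=uploads HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ids = parse_qs(urlparse(m.group("path")).query).get("id")
    account_id = int(ids[0]) if ids and ids[0].isdigit() else None
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "account_id": account_id}


def detect_id_enumeration(lines, min_ids=5, window_seconds=60, sequential_ratio=0.8):
    """Return one alert per client that requested at least `min_ids` distinct
    account ids inside any `window_seconds` window, with at least
    `sequential_ratio` of the sorted ids differing by exactly one."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["account_id"] is not None and "/cdn-cgi/login/" in rec["path"]:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits inside window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ids = sorted({r["account_id"] for r in recs[start:end + 1]})
            if len(ids) < min_ids:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= sequential_ratio and (best is None or len(ids) > best["distinct_ids"]):
                best = {"ip": ip, "distinct_ids": len(ids), "first_id": ids[0],
                        "last_id": ids[-1], "sequential_ratio": round(ratio, 2)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_id_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against a real access log by feeding the file's lines in place of SAMPLE_LOG; tune min_ids and window_seconds to the portal's normal traffic, since a legitimate admin paging through accounts also produces sequential ids, only far more slowly.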

Changed our cookies and were able to reach the upload page in the management section as Super Admin
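The step above works because the portal trusts whatever identity values the browser sends back in the cookie. The fix on the server side is to make the cookie unforgeable and to keep the authorisation decision out of the client's hands. The code below is an added example, not the box's PHP or anything from the post: it issues an HMAC-SHA256 signed cookie, rejects any cookie whose body has been edited or re-signed with the wrong key, and gates the uploads page on the verified role. The key handling and the `may_access_uploads` check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed server-side signing key. In a deployment it comes from a secrets
# store, never from the web root; it is generated here so the example runs alone.
SECRET_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: int, role: str, key: bytes = SECRET_KEY) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag over the encoded body."""
    payload = json.dumps({"user": user_id, "role": role},
                         sort_keys=True, separators=(",", ":")).encode()
    body = _b64e(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the claims dict only if the tag matches the body under `key`;
    return None for a tampered, re-keyed or malformed cookie."""
    body, sep, tag = cookie.partition(".")
    if not sep or not body or not tag:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None
    return claims if isinstance(claims, dict) else None


def may_access_uploads(cookie: str, key: bytes = SECRET_KEY) -> bool:
    """Authorisation for the uploads page: a valid signature AND the right role.
    The role value is only trusted because the signature proves the server set it."""
    claims = verify_cookie(cookie, key)
    return claims is not None and claims.get("role") == "super admin"


if __name__ == "__main__":
    admin = issue_cookie(34322, "admin")
    print("admin claims:", verify_cookie(admin))
    print("admin may upload:", may_access_uploads(admin))
    # Splice a super-admin body onto the admin tag: the tag no longer matches.
    spliced = issue_cookie(86575, "super admin").split(".")[0] + "." + admin.split(".")[1]
    print("spliced cookie verifies:", verify_cookie(spliced) is not None)
```

Signing stops the client from editing the role, but it does not revoke a cookie issued earlier; a session store keyed by an opaque random id, with the role looked up server-side on every request, removes the role from the cookie entirely and is the stronger design.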

Upload webshell.php through the upload form.

Were able to execute the script through the http://$IP/uploads/ page

We are in www-data.


Found Credentials:- /var/www/html/cdn-cgi/login/db.php
------------------
Username:robert
Password:M3g4C0rpUs3r!

SSH'd using robert's credentials and found this file in his home directory
---------
user.txt
---------
f2c74ee8db7983851ab2a96a44eb7981

Checked which groups robert was part of and found that he belonged to a group named bugtracker

We did a quick search for all files belonging to that group:
find / -type f -group bugtracker

We found a bugtracker program in /usr/bin that calls cat without an absolute path to read a file in the /root/ folder. All we had to do to become root was make that cat call resolve to our own cat file.
----------
root.txt
----------
af13b0bee69f8a877c3faf667f7beacf
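The root step works because a privileged program resolves `cat` through the caller's PATH and splices an untrusted id into a shell command. The code below is an added example of how the same feature should be written, not the box's bugtracker binary (whose source and file paths are not in the notes): validate the report id, confine the resolved path to the report directory, and either read the file in-process or, if a helper must be spawned, run it by absolute path with an argv list and a fixed environment. The report directory, the `/bin/cat` location and the `demo()` layout are assumptions for illustration.

```python
import os
import re
import subprocess
import tempfile

# Assumed layout: report files live under one directory readable only by root.
REPORT_DIR = "/root/reports"
# Fully specified environment for any helper we spawn; nothing inherited from the caller.
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
CAT = "/bin/cat"  # absolute path, never a bare "cat" looked up via PATH

# The pattern to avoid, shown only as a comment:
#   os.system("cat " + REPORT_DIR + "/" + report_id)
# "cat" is resolved via the caller's PATH and report_id lands in a shell line.


def _report_path(report_id: str, base_dir: str) -> str:
    """Accept only a short numeric id, then confine the real path to base_dir."""
    if not re.fullmatch(r"[0-9]{1,9}", report_id):
        raise ValueError("report id must be numeric")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, report_id))
    if os.path.commonpath([base, path]) != base:  # guards against symlink escapes
        raise ValueError("report path escapes the report directory")
    return path


def read_report(report_id: str, base_dir: str = REPORT_DIR) -> bytes:
    """Preferred fix: read the file in-process, with no helper binary at all."""
    with open(_report_path(report_id, base_dir), "rb") as fh:
        return fh.read()


def read_report_via_cat(report_id: str, base_dir: str = REPORT_DIR) -> bytes:
    """If a helper must run: absolute path, argv list (no shell), scrubbed env."""
    path = _report_path(report_id, base_dir)
    result = subprocess.run([CAT, "--", path], env=SAFE_ENV,
                            capture_output=True, check=True)
    return result.stdout


def demo() -> dict:
    """Exercise both readers against a constructed temporary report directory."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "1"), "wb") as fh:
            fh.write(b"report one\n")  # constructed sample report
        out = {"inprocess": read_report("1", base)}
        # Fall back to the in-process result on systems without /bin/cat.
        out["via_cat"] = read_report_via_cat("1", base) if os.path.exists(CAT) else out["inprocess"]
        for bad in ("../etc/passwd", "1 2", ""):
            try:
                read_report(bad, base)
                out[bad] = "accepted"
            except ValueError:
                out[bad] = "rejected"
        return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name!r}: {value!r}")
```

The in-process reader is the one to prefer: once there is no child process, there is no PATH, no shell and no environment for the caller to influence. When a privileged program is written in C the same rules apply, with `execve` on an absolute path and a fixed `envp` in place of `system()`.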

Privilege escalation

REPORTS:-

If you connect to a site, FileZilla will remember the host, the username and the password (optional). The same is true for the site manager. But if a port other than 21 is used, the port is saved in .config/filezilla - but the information from this file isn't downloaded again afterwards.


ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: filezilla 3.15.0.2-1ubuntu1
Uname: Linux 4.5.0-040500rc7-generic x86_64
ApportVersion: 2.20.1-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Sat May 7 16:58:57 2016
EcryptfsInUse: Yes
SourcePackage: filezilla
UpgradeStatus: No upgrade log present (probably fresh install)
------------------------

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
    <RecentServers>
        <Server>
            <Host>10.10.10.46</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <User>ftpuser</User>
            <Pass>mc@F1l3ZilL4</Pass>
            <Logontype>1</Logontype>
            <TimezoneOffset>0</TimezoneOffset>
            <PasvMode>MODE_DEFAULT</PasvMode>
            <MaximumMultipleConnections>0</MaximumMultipleConnections>
            <EncodingType>Auto</EncodingType>
            <BypassProxy>0</BypassProxy>
        </Server>
    </RecentServers>
</FileZilla3>


You may also be interested in:- Archetype Walkthrough