oopsie

Oopsie writeup

Task 1


With what kind of tool can intercept web traffic?

Answer : proxy

A proxy is an intermediary server that sits between a client (user) and the internet, forwarding requests and responses. It hides the client's IP, enhances privacy, and can filter or cache data.
Proxies are used for anonymity, bypassing restrictions, and improving network performance.
Tools like BurpSuite also act as a proxy to intercept and modify web traffic.

Task 2


What is the path to the directory on the webserver that returns a login page?

Performing a simple nmap scan, we find 2 services :

oopsie_1

This task implies we should enumerate the directories present on the webserver, even the non-visible ones. Let's use dirbuster :

oopsie_2

Here we use a wordlist from SecLists, mentioned in the Crocodile box, and check for php, html and txt files.

oopsie_3

Looking at the results tree, we clearly identify a directory with a login page.

Answer : /cdn-cgi/login

Accessing the URL :

oopsie_4

Let's continue as Guest to get a better understanding of what is behind.

oopsie_5

Going through each tab, the upload one (which should be interesting for us) is restricted.

oopsie_6

Task 3


What can be modified in Firefox to get access to the upload page?

If we manage to become admin using the cookies linked to the account, we will be able to use the upload page.

Answer : cookie

Task 4


What is the access ID of the admin user?

Under the Account tab we reach this URL :

10.129.119.41/cdn-cgi/login/admin.php?content=accounts&id=2

The account information displayed is ours (guest) :

oopsie_7

What if we change the id in the URL from 2 to 1 :

10.129.119.41/cdn-cgi/login/admin.php?content=accounts&id=1

oopsie_8

We have an IDOR here :

IDOR (Insecure Direct Object Reference) is a security vulnerability that occurs when an application exposes internal objects (like database records, files, or user accounts) through user-controlled input without proper authorization checks. This can allow attackers to access or modify data that they shouldn't have access to.

Answer : 34322

Checking the cookies we have stored in Firefox :

oopsie_9

Using the account information we obtained previously, we modify the cookies :

oopsie_10

We now have access to the upload page.
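As an added example (not code from the original writeup or from the target application), the sketch below models the two flaws used above, the IDOR on the accounts page and the role read from an editable cookie, next to a hardened form. The cookie names `role` and `session`, the function names and the guest record's values are assumptions made for illustration.

```python
import secrets

# Constructed sample data: the ids mirror the page's URLs (1 = admin, 2 = guest);
# the guest access ID and both e-mail addresses are made up for this example.
ACCOUNTS = {
    1: {"access_id": "34322", "name": "admin", "email": "admin@example.test"},
    2: {"access_id": "00000", "name": "guest", "email": "guest@example.test"},
}
ROLES = {1: "admin", 2: "guest"}
SESSIONS = {}  # server-side store: opaque token -> account id


def login(account_id):
    """Issue a random session token; identity and role stay on the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def accounts_vulnerable(query_id, cookies):
    """Before: returns whichever record the URL names, with no ownership check."""
    return ACCOUNTS.get(int(query_id))


def upload_allowed_vulnerable(cookies):
    """Before: the role is read from a cookie the browser can edit."""
    return cookies.get("role") == "admin"  # hypothetical cookie name


def accounts_hardened(query_id, cookies):
    """After: the caller is resolved from the session, then authorized."""
    caller = SESSIONS.get(cookies.get("session", ""))
    if caller is None:
        raise PermissionError("not logged in")
    try:
        wanted = int(query_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    if wanted != caller and ROLES[caller] != "admin":
        raise PermissionError("not your account")
    return ACCOUNTS.get(wanted)


def upload_allowed_hardened(cookies):
    """After: the role comes from the server-side record, not from the request."""
    caller = SESSIONS.get(cookies.get("session", ""))
    return caller is not None and ROLES[caller] == "admin"
```

In the hardened form the only client-held value is a random token, so editing cookies or the `id` parameter changes nothing the server trusts.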

Task 5


On uploading a file, what directory does that file appear in on the server?

By simply looking at the previous dirbuster output we can see there is a /uploads directory

Answer : /uploads

Let's try to upload a php script to get a reverse shell on the target. As always, you can write your own or use Revshells, which we already mentioned in the Three box writeup.

Start netcat so we can receive the connection and then visit the php script we uploaded on the webserver so it's executed :

oopsie_11

oopsie_12

Task 6


What is the file that contains the password that is shared with the robert user?

oopsie_13

Answer : db.php

Let's use it to connect to the target via ssh :

oopsie_14

Task 7


What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?

Answer : find

The user robert is a member of the group bugtracker (which explains this question) :

oopsie_15

Using find / -group bugtracker we get :

oopsie_16

Task 8


Regardless of which user starts running the bugtracker executable, what user's privileges will it use to run?

oopsie_17

By looking at the file :


- Owner is root, group is bugtracker


- rws - Owner has read (r), write (w) and execute (s), with s meaning the SUID bit is set (explanation in the next task)


- r-x - bugtracker group has read (r) and execute (x) permissions


This means that when any user executes bugtracker, it runs with root privileges (since root owns the file). However, only members of the bugtracker group can execute the file (robert is one of them).

Answer : root

Task 9


What SUID stands for?

Answer : Set owner User ID

In Linux, SUID is a special file permission that allows users to run an executable with the permissions of the file owner, rather than the user who runs it. This can be useful for programs that require elevated privileges to perform certain tasks, but it can also introduce security risks if not handled carefully.


=> When the SUID bit is set on an executable file, the process that runs the executable assumes the privileges of the file owner (usually root), not the user executing it. This is indicated by an "s" in the file permissions.


In our case robert will be executing the bugtracker executable as root.
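To apply the same reading of the permission bits across a whole directory tree, here is an added example (not part of the original writeup): it reports each setuid file with its owner and the permission classes allowed to execute it. The function names are hypothetical.

```python
import os
import stat

EXEC_CLASSES = [(stat.S_IXUSR, "owner"), (stat.S_IXGRP, "group"),
                (stat.S_IXOTH, "others")]


def describe(mode, uid, gid):
    """Interpret one file's mode bits; return None unless it is a setuid file."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return None
    return {
        "perms": stat.filemode(mode),   # same string `ls -l` prints
        "owner_uid": uid,               # the process runs with this uid
        "group_gid": gid,
        "runnable_by": [label for bit, label in EXEC_CLASSES if mode & bit],
    }


def audit_suid(root):
    """Walk `root` and report every setuid regular file found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)     # lstat: never follow symlinks
            except OSError:
                continue                # unreadable entry, skip it
            info = describe(st.st_mode, st.st_uid, st.st_gid)
            if info:
                findings.append({"path": path, **info})
    return findings
```

A root-owned entry whose `runnable_by` is `["owner", "group"]` matches the bugtracker layout described above: the group is the only gate in front of a program that runs as root.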

Task 10


What is the name of the executable being called in an insecure manner?

Just by executing bugtracker with anything as input, the error thrown tells us what it does :

oopsie_18

Answer : cat

Task 11


Submit user flag

Answer : Found in the /home/robert directory

Task 12


Submit root flag

As often in challenges, there are various ways to get the root flag. We will explain 2 of them. The first one is the quickest, but you need to know the name and the location of the file you are looking for :

oopsie_19

Another way is to override cat :

oopsie_20

Here we create a cat file which will spawn a shell if executed, make it executable, and put the folder where it is first in the PATH so it's executed in priority. Then we launch bugtracker (therefore executing as root), which spawns a shell :

oopsie_21
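Added example, not part of the original writeup: a defender-side check that shows why the bare name cat is the weak point, by reporting which file a name resolves to under a given PATH and which PATH entries other users can write to, plus a call form that does not depend on PATH. The function names and the fixed PATH value are assumptions.

```python
import os
import shutil
import stat
import subprocess

# Assumed fixed environment for privileged helpers (not taken from the page).
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "LANG": "C"}


def risky_path_entries(path_env, trusted_uids=(0,)):
    """Return (entry, reason) for PATH entries where others could plant files."""
    risky = []
    for entry in path_env.split(os.pathsep):
        if entry in ("", "."):
            risky.append((entry, "current directory"))
        elif not os.path.isabs(entry):
            risky.append((entry, "relative path"))
        elif os.path.isdir(entry):
            st = os.stat(entry)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                risky.append((entry, "group/world-writable"))
            elif st.st_uid not in trusted_uids:
                risky.append((entry, "owner not trusted"))
    return risky


def resolves_to(command, path_env):
    """Show which file a bare command name would run under this PATH."""
    return shutil.which(command, path=path_env)


def run_fixed(argv):
    """Hardened call: absolute program path, no shell, fixed environment."""
    if not os.path.isabs(argv[0]):
        raise ValueError("program must be given by absolute path")
    return subprocess.run(argv, env=SAFE_ENV, shell=False,
                          capture_output=True, text=True, check=False)
```

For a setuid program the caller controls the environment, so the fix belongs in the program itself: name the helper by absolute path and reset the environment before running it.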

© 2024-2025 JeeZy Blog