Initial scan of “Oopsie”:
Webpage:
I did some site map scanning using Burp, which found a login form.
I could log in as a guest.
I noticed that the URL contains an argument with id=2. I changed it to 1 and could see the data of another user, although I still had guest privileges. The access ID is also used as a cookie value.
I changed both cookie values and got access to the upload page.
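To make the access-control failure behind the last two steps concrete, here is an added example (not code from the Oopsie box or the write-up): a vulnerable account view that trusts the `id` parameter and a role cookie, next to a hardened view that resolves the caller from a server-side session and checks ownership. The user table, session store, cookie names and the `can_upload` flag are constructed assumptions.

```python
# Added example, not from the write-up. Shows why a user-controlled id
# parameter plus role/id cookies let a guest read other accounts, and how
# binding authorization to a server-side session closes the hole.

USERS = {  # constructed sample records
    1: {"name": "admin", "role": "admin"},
    2: {"name": "guest", "role": "guest"},
}
# Server-side session store: opaque token -> user id. The client never
# holds the id or role directly, so it cannot edit them.
SESSIONS = {"s3ss10n-token-guest": 2}


class Forbidden(Exception):
    pass


def vulnerable_account_view(query_id, cookies):
    """The pattern from the write-up: the record shown is whatever id is in
    the URL, and the privilege level is whatever the cookie claims. Both
    values come from the client, so both can be rewritten."""
    role = cookies.get("role", "guest")
    record = USERS[int(query_id)]
    return {"record": record, "can_upload": role == "admin"}


def hardened_account_view(query_id, cookies):
    """Resolve the caller from an opaque session token, then require that the
    requested record belongs to the caller unless the caller is an admin."""
    caller_id = SESSIONS.get(cookies.get("session"))
    if caller_id is None:
        raise Forbidden("no valid session")
    caller = USERS[caller_id]
    try:
        requested = int(query_id)
    except (TypeError, ValueError):
        raise Forbidden("malformed id")
    if requested != caller_id and caller["role"] != "admin":
        raise Forbidden("not the owner of this record")
    # Privilege is derived from the server-side record, never from a cookie.
    return {"record": USERS[requested], "can_upload": caller["role"] == "admin"}


def access_allowed(query_id, cookies):
    """Convenience wrapper: True if the hardened view would serve the request."""
    try:
        hardened_account_view(query_id, cookies)
        return True
    except Forbidden:
        return False
```

The hardened view still accepts an `id` parameter, which is fine: the point is that the server decides whether the session owner may see that id, rather than letting the client assert a role. Denied requests are a useful signal to log, since a guest session repeatedly requesting other users' ids is exactly the probing the write-up describes.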
A shell was successfully uploaded.
Go to http://RHOST_IP/uploads/shell.php to execute the shell.
I found DB data (credentials) in a subdirectory of /var/www/html.
These credentials worked for the robert user. Afterwards I ran linpeas and found a SUID file which can be run with root privileges.
Reading the content of this file, I noticed that the input field has no input sanitization.
I used a semicolon to close the current command and typed /bin/bash to spawn a new shell with the privileges of the file's executor.
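The SUID finding comes down to one pattern: user input pasted into a shell command line. The following added example (not the box's binary, and not the write-up's code) builds that command string to show where the semicolon lands, then shows a hardened lookup that allowlists the input, confines the path and reads the file without any shell. The "report" directory, the numeric-id rule and the sample file are constructed assumptions.

```python
# Added example, not from the write-up. The vulnerable builder only returns
# the string it would run; it is never executed here.
import os
import re
import shlex
import tempfile

REPORT_ID = re.compile(r"[0-9]{1,6}")  # allowlist: digits only (assumed rule)


def vulnerable_command(base_dir, user_input):
    """The pattern behind the write-up's SUID finding: input goes straight
    into a command line, so ';' ends `cat` and starts a second command that
    runs with the binary's elevated privileges."""
    return "cat " + base_dir + "/" + user_input


def safe_read_report(base_dir, user_input):
    """Allowlist the input, pin the resolved path inside base_dir, and read
    the file directly. No shell is involved, so there is nothing to inject."""
    if not REPORT_ID.fullmatch(user_input):
        raise ValueError("report id must be numeric")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, user_input))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes report directory")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def rejected(base_dir, user_input):
    """True if safe_read_report refuses the input before touching the disk."""
    try:
        safe_read_report(base_dir, user_input)
        return False
    except ValueError:
        return True


def quoted_if_shell_unavoidable(user_input):
    """Second line of defence if a shell really must be used: quote the
    argument so metacharacters such as ';' stay literal."""
    return "cat " + shlex.quote(user_input)


def demo():
    """Create one constructed report in a temp dir and read it safely."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "1"), "w", encoding="utf-8") as fh:
            fh.write("report one\n")
        return safe_read_report(d, "1")
```

For a real SUID binary the same ideas apply in C: validate against an allowlist, open the file directly instead of calling `system()`, and drop privileges before doing anything that does not need them. The write-up's `;` payload fails the allowlist in `safe_read_report` before any path or file operation happens.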
#Rooted