# Oopsie

## Initial Scan

```nmap
sudo nmap -T4 -Pn -sV -sC -v 10.129.95.191 -oA Oopsie
```

<figure><img src="/files/4y8JiMSK3wdO2alkec81" alt=""><figcaption></figcaption></figure>

## Task 1

With what kind of tool can intercept web traffic?

<figure><img src="/files/ykB9C6DwcDmWpHV4A6tP" alt=""><figcaption></figcaption></figure>

Answer: Proxy

## Task 2

What is the path to the directory on the webserver that returns a login page?  Answer: /cdn-cgi/login

## Task 3

What can be modified in Firefox to get access to the upload page?

Answer: Cookie

## Task 4

What is the access ID of the admin user?

<figure><img src="/files/CyvvT9Zk2El6QBSiPhW7" alt=""><figcaption></figcaption></figure>

Answer: 34322

## Task 5

On uploading a file, what directory does that file appear in on the server?

<figure><img src="/files/Rjzi4SKS6zBDahMISur5" alt=""><figcaption></figcaption></figure>

Answer: /uploads/

## Task 6

What is the file that contains the password that is shared with the robert user?

<figure><img src="/files/Oks0IkEXriUQLN2rK8wK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tszMk5YuA14XmH7tdoZ4" alt=""><figcaption></figcaption></figure>

Upgrade to a functional shell:

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

&#x20;

<figure><img src="/files/uiQ6kTEeWT1O3xExPoKK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6F4wZsc6pWTjd8mggdbd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DE4zqlnQomlPJT7gVngy" alt=""><figcaption></figcaption></figure>

Answer: db.php

## Task 7

What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?

<figure><img src="/files/MSa3QzP5OqKxfbks4NcU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Ko8xPjSmXXIZann3fWo9" alt=""><figcaption></figcaption></figure>

Answer: find

## Task 8

Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?

<figure><img src="/files/c91rAtb6F60ZKLH81BHD" alt=""><figcaption></figcaption></figure>

Answer: root

## Task 9

What SUID stands for?

Answer: Set owner User ID

## Task 10

What is the name of the executable being called in an insecure manner?

<figure><img src="/files/j3YexvPq3mt8tXEUeqi4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZGkarCrvosQFRpiJAbTx" alt=""><figcaption></figcaption></figure>

Answer: cat

## Task 11

Submit User Flag

<figure><img src="/files/mYu2TZQJjVME4jacu0Yw" alt=""><figcaption></figcaption></figure>

Answer: f2c74ee8db7983851ab2a96a44eb7981

## Task 12

Submit Root Flag

<figure><img src="/files/SwwqGhxP230tYInPRkN1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oPEPEPE2CAMz3KD40N1N" alt=""><figcaption></figcaption></figure>

Answer: af13b0bee69f8a877c3faf667f7beacf


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cybersec.th4ntis.com/hackthebox/starting-point/tier-2/oopsie.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.