root@rumais:~# open archive://hackthebox

Hack The Box

Selected HTB notes rewritten into clear writeups that focus on methodology rather than raw challenge answers.

Oopsie

Web exploitation | session abuse | lateral privilege use

Overview: Compact web box that rewards methodical endpoint discovery, session handling, and practical post-auth abuse.

Recon: Initial enumeration identified a public web application with functionality split across standard and hidden routes. The useful path came from checking exposed functionality, response behavior, and access control assumptions rather than from brute forcing blindly.

Initial Access: The main foothold came from abusing weak authorization logic. By understanding how the application handled identity and role context, it was possible to pivot from a lower-privileged user workflow into an administrative path.

Privilege Escalation: Once authenticated access was obtained, the path centered on finding upload or execution opportunities that could be converted into code execution and then escalating through local weaknesses.

Security Notes: Oopsie is a good reminder that broken access control is often more damaging than a single vulnerable endpoint. Session trust, role validation, and server-side authorization need explicit enforcement.
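As an added illustration of the authorization lesson above (example code written for these notes, not code from the box or its original writeup), the snippet below contrasts a weak check that reads role and identity from client-controlled request values with a hardened check that treats the session id as the only client input and resolves role and user id from a server-side session store. The session ids, user records and request values are constructed sample data.

```python
"""Weak versus hardened authorization for a role-gated route and an
account view. Added example; all data here is constructed."""
from dataclasses import dataclass, field

# Constructed server-side session store: opaque session id -> identity record.
SESSIONS = {
    "sid-aaaa": {"user_id": 2, "role": "user"},
    "sid-bbbb": {"user_id": 1, "role": "admin"},
}

# Constructed account data, keyed by user id.
ACCOUNTS = {
    1: {"name": "admin", "email": "admin@example.test"},
    2: {"name": "guest", "email": "guest@example.test"},
}


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an HTTP request: cookies and query parameters."""
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def is_admin_weak(req):
    """Weak check: role and user id are taken from client-controlled values,
    so the client effectively chooses its own privilege level."""
    return req.cookies.get("role") == "admin" or req.params.get("user") == "1"


def resolve_session(req):
    """Map the opaque session cookie to its server-side record, or None."""
    return SESSIONS.get(req.cookies.get("session", ""))


def is_admin_hardened(req):
    """Hardened check: the only client input is the session id; the role is
    read from the server-side record and an unknown session is denied."""
    sess = resolve_session(req)
    return sess is not None and sess["role"] == "admin"


def admin_panel(req):
    """Role-gated route; returns an HTTP-style status code."""
    return 200 if is_admin_hardened(req) else 403


def view_account_weak(req):
    """Weak object access: serves whichever account id the client asks for,
    without relating it to the caller's identity."""
    try:
        acct_id = int(req.params.get("id", ""))
    except ValueError:
        return 400, None
    acct = ACCOUNTS.get(acct_id)
    return (200, acct) if acct else (404, None)


def view_account_hardened(req):
    """Hardened object access: the requested id must equal the session's
    user id unless the session holds the admin role."""
    sess = resolve_session(req)
    if sess is None:
        return 401, None
    try:
        acct_id = int(req.params.get("id", sess["user_id"]))
    except ValueError:
        return 400, None
    if acct_id != sess["user_id"] and sess["role"] != "admin":
        return 403, None
    acct = ACCOUNTS.get(acct_id)
    return (200, acct) if acct else (404, None)


if __name__ == "__main__":
    forged = Request(cookies={"role": "admin"})
    print("weak  :", is_admin_weak(forged))       # True: the client decided
    print("strong:", is_admin_hardened(forged))   # False: no valid session
    guest = Request(cookies={"session": "sid-aaaa"}, params={"id": "1"})
    print("weak  :", view_account_weak(guest)[0])      # 200: wrong user's data
    print("strong:", view_account_hardened(guest)[0])  # 403: not the caller's account
```

The point of the hardened variants is that every authorization decision is derived from state the server owns: a forged `role` cookie or a changed `id` parameter has no effect because neither is consulted for the decision. The `view_account_hardened` path also shows the object-level check that a route-level role gate alone does not give you.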