Popcorn

IP: 10.129.101.103 Completed on: February 13, 2021 Time took: 2.2 hrs

Enumeration

Running a version and default script nmap scan, we find port 22 and 80 open. Simple enough:

# Nmap 7.91 scan initiated Fri Feb 12 21:44:42 2021 as: nmap -T4 -sV -sC -p 22,80 -o scan-default-script_10.129.101.103_02-12 10.129.101.103
Nmap scan report for 10.129.101.103
Host is up (0.015s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 12 21:44:51 2021 -- 1 IP address (1 host up) scanned in 9.26 seconds

Running a gobuster to find directories we find the following:

sudo gobuster dir -u http://10.129.101.103/ -w ~/SecLists/Discovery/Web-Content/raft-small-directories.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.101.103/
[+] Threads:        10
[+] Wordlist:       /home/defendergb/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/02/13 11:09:24 Starting gobuster
===============================================================
/test (Status: 200)
/index (Status: 200)
/torrent (Status: 301)
[ERROR] 2021/02/13 11:09:47 [!] Get http://10.129.101.103/server-status: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/rename (Status: 301)
===============================================================
2021/02/13 11:10:24 Finished
===============================================================

Initial Foothold

Let’s modify our /etc/hosts to add popcorn.htb hostname to allow virtual hosting:

Routing to http://popcorn.htb/torrent we find a Torrent Hoster web app, following the below article I was able to perform file upload bypass to upload a reverse php shell: https://infinitelogins.com/2020/08/07/file-upload-bypass-techniques/

First we will need to create an account: Email: defendergb@test.com Password: password1$

Now let’s select upload, since we will need a torrent file, I grabbed Kali Linux’s torrent from their website. Uploading it takes a few seconds so do wait:

Now that we have it uploaded, let’s upload a normal image file, click “Edit This Torrent’:

Now select Browse, and upload any image file:

Success message:

Now that we know it uploads successfully, let’s run Burp and use a reverse php shell. I am using Pentest monkey’s reverse php shell:

Now let’s upload the php file:

We get blocked by file upload filters, let’s take a look at the POST request. By modifying the Content-Type we are able to bypass the filter. Some filters also detect the actual file being uploaded, you could then copy the magic bytes of the image file you uploaded before and change the file name to include image type (ex: reverse-shell.php.jpg or reverse-shell.jpg.php) A good box to try this is Magic in HTB.

Refresh the page and click on the Screenshot, it will do an endless load. Make sure to have a listener running on your machine to capture the reverse shell:

Privilege Escalate

Nice we got into www-data. I ran the following command to get some initial information of the box:

$ uname -a && id

Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ cat /etc/passwd | cut -d: -f1
/usr/sbin
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
syslog
landscape
sshd
george
mysql

Since we found a user george, I ran a find for files within home that I had access to with www-data: find /home -printf "%f\t%p\t%u\t%g\t%g\t%m\n" 2>/dev/null | column -t

Knowing that 1) Linux 2.6.31 is used and 2) there is a motd.legal-displayed file, we can find the following known exploits:

Dirty COW (vulnerable from 2.6.22 to 3.9)
Linux PAM 1.1.0 MOTD File Tampering Priv Esc exploit https://www.exploit-db.com/exploits/14339

Although I attempted 2, I was not able to get the exploit to create a toor account. I used Dirty COW (Known to break machines, please be cautious before using in production environments), and was easily able to exploit the machine.

Dirty COW

Following steps of dirty.c https://github.com/FireFart/dirtycow/blob/master/dirty.c I was able to exploit the machine and get root using created firefart user:

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@popcorn:/$ su firefart
Password: pass
firefart@popcorn:~# cd /root
firefart@popcorn:~# ls
ls
root.txt
firefart@popcorn:~# cat root.txt
cb1db427708b3c6887b84dd479b6fe60

PreviousHaircut NextBlue

Last updated 3 years ago