Popcorn HTB
IP: 10.10.10.6

Initial nmap scan (the grep keeps only the port lines so that cut and tr do not mangle the rest of nmap's output):

```bash
sudo nmap -p- --min-rate 10000 10.10.10.6 | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ','
```

We have the following ports open: 22,80

Let's run a more in-depth scan of those ports:

```bash
sudo nmap -sCV -p22,80 10.10.10.6 -oA nmap_results
```

Results:
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Did not follow redirect to http://popcorn.htb/
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
From this we can see the following:
the domain name is popcorn.htb (nmap did not follow the redirect, so the site expects that vhost)
the target is running Apache 2.2.12 on Ubuntu
SSH (OpenSSH 5.1p1) is open
These package versions line up with Ubuntu 9.10, which matters later for privilege escalation.
Alright, let's add the domain name to our hosts file, then check out the web server.
HTTP Port 80
We can see the following:

The default page says no content has been added yet.
Let's perform some directory busting and see if we can find anything. We do find some directories.
Within /test.php we find phpinfo() output, which leaks the PHP version, loaded modules and configuration paths.

We find `http://popcorn.htb/torrent/`, which looks like a torrent hosting site.

We find `http://popcorn.htb/rename/`, which prints some kind of API usage syntax.

Let's run feroxbuster again, this time specifying the php extension. Nothing new.
Let's create an account on the website and log in. Since we know the site runs on PHP, I want to look for an upload vulnerability: we will use pentestmonkey's PHP reverse shell and see if we can upload it.

When we try to upload the file we get the error "This is not a valid torrent file", so the upload is being parsed as a torrent. Looking around the website we can see someone has already uploaded a kali.torrent file.
Let's download a Kali ISO torrent from kali.org and see if we can replicate this; make sure you download the .torrent file, not the ISO itself.
Now let's upload this:

It will hang for a couple of minutes; if successful we should then see the following:

Notice there is an option to edit this torrent, and the edit page has its own file upload.

Now we can upload a PHP reverse shell there, editing the request in Burp to gain a shell on the system.
We will be using pentestmonkey's PHP reverse shell; edit the file with our local IP and port.
Now let's upload our shell.php:

To bypass the upload restrictions in place we need to intercept the upload in Burp and:
change the filename from shell.php to shell.png.php
change the Content-Type of the file part to image/png

This should bypass the restriction: the server evidently trusts the client-supplied Content-Type, and Apache still executes the file because its final extension is .php.
Start a nc listener on the port you put in the shell.
If we navigate to http://popcorn.htb/torrent/upload/ we should see our PHP file.

Once we click on the file, Apache executes it and it establishes a connection back to our listener.

Privilege escalation from www-data
First let's upgrade our shell.
We find a user on the system, george. Let's see if there are any hidden files in /home/george.
We can see the following:

I haven't encountered motd.legal-displayed before; after a bit of googling it is most likely there is a priv esc vector here.
We can use the following script to escalate our privileges.
So essentially, the vulnerability (CVE-2010-0832, the Ubuntu PAM MOTD bug) lies in the way the ~/.cache directory permissions are set during user login when the pam_motd PAM (Pluggable Authentication Modules) module runs: it chowns ~/.cache to the user logging in, as root, without checking whether ~/.cache is a symlink, so a symlink there hands the user ownership of whatever it points at. The motd.legal-displayed stamp file is what pam_motd writes into ~/.cache, which is why its presence tells us the module is in use on this box.
What does this script actually do?
Sets up variables
The script sets up variables for a temp user ('toor') and its password hash; this is the account we will use to get root privileges.
Checks prerequisites
The script checks for the presence of the necessary commands (ssh, ssh-keygen) and ensures that the sshd process is currently running, since the login that triggers pam_motd is done over SSH.
Backup and restore functions
The script has backup and restore functions for backing up and restoring files; they are used to manipulate and later restore ~/.ssh/authorized_keys and ~/.cache.
Generate and set up SSH key
The script generates an SSH key pair using ssh-keygen. The public key is placed in ~/.ssh/authorized_keys so the script can log in as the current user later.
Manipulating file ownership
The script uses the own function to exploit the vulnerability: it creates a symbolic link from ~/.cache to a critical system file (/etc/passwd, then /etc/shadow) and SSHes into localhost using the generated key. The login runs pam_motd, which chowns the symlink's target to the current user, who can then write the toor entries into both files.
Final steps and cleanup
After exploiting the vulnerability, the script removes the SSH key and exits. If successful, it prompts for the password "toor" to gain root access.
Finally, the last part of the script removes the temp user 'toor' from /etc/passwd and /etc/shadow to cover its tracks.
Alright, let's execute the script on the system. Transfer it over to the target: serve it from the attacking machine and use wget to download it on the target.
Having trouble getting the script to work; we may have to do this the manual way.
We can't delete the ~/.cache directory in /home/george as it is owned by george and not writable by us.

We can do this from www-data's home directory instead; we just need a way to log in as www-data so that pam_motd runs, and SSH will do.
We create a .ssh directory in www-data's home and generate an RSA key pair.

Now copy the public key into authorized_keys and set the permissions.

Now, if we look in the directory, we can't see a .cache entry yet.
What we need to do is log in via SSH with our new private key.
Copy the private key to the attacking machine and set its permissions, and we should be able to SSH into the machine.
Okay, this didn't work either, hmm.
Let's check the kernel version.

We can see this version could be vulnerable to the Dirty COW exploit (CVE-2016-5195).
We can grab the code from here.
Let's copy the code into a file dirty.c, transfer it over and compile it on the target:
serve it with a Python HTTP server, download it on the target, compile it there (the firefart dirty.c needs gcc -pthread dirty.c -o dirty -lcrypt, as the comment at the top of its source says), give it execute permissions and run it.

It will hang for a while; after a minute or so you can Ctrl-C out of it. We now have access to the user firefart, who has UID 0 and therefore root privileges. Note that this exploit overwrites the root line of /etc/passwd in place and backs the original up to /tmp/passwd.bak; restore it when you are done (mv /tmp/passwd.bak /etc/passwd) or the box is left without a proper root entry, and a kernel race like this can also leave the system unstable.
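Added example, not part of the original writeup: an incident-response check for what both escalation paths above leave behind. The PAM MOTD script appends a toor entry, and the firefart Dirty COW build rewrites the root line of /etc/passwd, so in both cases /etc/passwd ends up with a UID-0 account that is not root; the pam_motd staging step also leaves ~/.cache as a symlink in the home of whichever user logged in. The sample passwd text (including its hash field) and the temporary home layout are constructed for the example.

```python
import os
import tempfile


def parse_passwd(text):
    """Yield (name, uid, gid, shell) for each well-formed line of passwd text."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            continue
        yield name, int(uid), int(gid), shell


def rogue_uid0_accounts(text):
    """Names of UID-0 accounts other than root: toor, firefart and friends."""
    return sorted(name for name, uid, _gid, _shell in parse_passwd(text)
                  if uid == 0 and name != "root")


def root_entry_missing(text):
    """firefart's dirty.c overwrites the root line in place, so root vanishes."""
    return all(name != "root" for name, _uid, _gid, _shell in parse_passwd(text))


def symlinked_cache_dirs(home_root):
    """(user, target) for every home under home_root whose .cache is a symlink."""
    hits = []
    for user in sorted(os.listdir(home_root)):
        cache = os.path.join(home_root, user, ".cache")
        if os.path.islink(cache):
            hits.append((user, os.readlink(cache)))
    return hits


# Constructed sample: /etc/passwd after the firefart exploit, with a leftover
# toor entry from the PAM MOTD script. The hash field is made up.
SAMPLE_PASSWD = """\
firefart:fiAbCdEfGhIjK:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
george:x:1000:1000:george:/home/george:/bin/bash
toor:x:0:0:root:/root:/bin/bash
"""


def demo_symlink_check():
    """Stage a throwaway /home layout (constructed data) and run the check."""
    with tempfile.TemporaryDirectory() as home_root:
        os.makedirs(os.path.join(home_root, "george"))
        os.symlink("/etc/passwd", os.path.join(home_root, "george", ".cache"))
        os.makedirs(os.path.join(home_root, "bob", ".cache"))
        return symlinked_cache_dirs(home_root)


if __name__ == "__main__":
    print("rogue UID-0 accounts:", rogue_uid0_accounts(SAMPLE_PASSWD))
    print("root entry missing:", root_entry_missing(SAMPLE_PASSWD))
    print("symlinked .cache dirs:", demo_symlink_check())
```

On a live box, feed it the real file with rogue_uid0_accounts(open("/etc/passwd").read()) and point symlinked_cache_dirs at /home; remember that www-data's home is /var/www, so check that directory separately when the manual www-data route described above was attempted.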
