11 April 2021

Pentesting Fun Stuff

following the cyber security path…


Starting with a port scan.

The scan shows port 22 (SSH) and 80 (HTTP) are open.

/rename/ returns the following output:

/test/ returns the phpinfo page.

/torrent/ hosts a torrent portal.

Because this is a web application, I check searchsploit to see if there is a known exploit.

After checking the text file it looks like there is an upload vulnerability to exploit.
To reach the upload page you need to log in, so a quick register is all it takes.

When I try to upload a PHP shell I get an error: “This is not a valid torrent file”.
Because SQLmap can take some time to run, I’m gonna run it while doing some more recon.

Got my own account and an admin. Unfortunately the admin password isn’t in my wordlist, and it isn’t to be found on CrackStation either.
Let’s get more info about /torrent/.

That’s some good info to have for a bit later on.
To successfully upload a torrent file I just grabbed a random torrent from the internet and uploaded it. When I go to the location of the upload I have the opportunity to change the logo for the upload. Hopefully this will give me the chance to upload a working shell script.

There is a filter that only accepts jpg, jpeg, gif and png. So I renamed my shell.php to shell.png and ran Burp to capture the POST request.
Then I adjusted the filename back to .php while leaving the MIME type as it was (png). Then I started a listener on my Kali box.
After that I found my upload in the /upload/ folder (as shown in the second gobuster scan).
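The trick above works because the filter only looks at the client-supplied Content-Type, which the attacker controls. As an added defensive example (not code from this post or from the torrent portal itself), here is that weak check next to a hardened one that ties the extension, the MIME header and the file's own magic bytes together and stores the upload under a server-chosen name; the allowed list and the sample bytes are constructed for the example.

```python
import os
import secrets

# Allowed extensions and the file-signature (magic) bytes each must start with.
# Assumption: the portal accepts jpg, jpeg, gif and png, as the post states.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}

# Constructed sample inputs: a bare PNG header (not a full image) and a
# non-image body such as a renamed script would carry.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NON_IMAGE_SAMPLE = b"<?php /* constructed non-image content */ ?>"


def weak_check(content_type):
    """Filter that trusts only the Content-Type header sent by the client.
    Changing the filename to .php in the request while leaving
    image/png in place passes this check, which is the gap the post abuses."""
    return content_type in ALLOWED_MIME


def hardened_check(filename, content_type, data):
    """Validate extension, MIME header and magic bytes together.
    Returns a server-generated storage name, or None if any check fails,
    so the client never decides what name ends up on disk."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_IMAGE_TYPES:
        return None
    if content_type not in ALLOWED_MIME:
        return None
    # The bytes must look like the image type the extension claims.
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return None
    # Random basename plus whitelisted extension: the stored file can
    # never end in .php regardless of what the original filename was.
    return f"{secrets.token_hex(8)}.{ext}"
```

Pair this with storing uploads outside the web root or disabling script execution in the upload directory, so a bypass of the filter still cannot turn into code execution.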

First flag. Now for the root flag.

I uploaded an exploit suggester and it found some possible vulnerabilities.

One that quickly jumps out is the Dirty COW exploit. But because this is an older Ubuntu I wanna check this one first.

That looks like a nice one. It adds a temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
I uploaded it onto Popcorn, but to no avail. I just can’t get it to work.

Just copying the code into vim isn’t working either. Time for another exploit.
After a very long search and many tries, the following exploit worked.

After all this trouble I checked some write-ups from others and noticed that my original attempt was the right one. But I can’t figure out why the scripts got busted during the transfer.
Maybe my choice of reverse shell had some drawbacks, but I need to follow up on that next time.
