HacktheBox - Retired - Popcorn
Recon
I've been using threader3000 for my recon scans lately. It's a threaded Python scanner that does a quick up/down scan on all TCP ports. After the initial scan it suggests an nmap scan to run based only on the open ports found in the initial scan. I like it a lot.
I then convert the XML the tool generates into HTML to make it pretty.
Just two ports: a very old version of OpenSSH on port 22 and a very old version of Apache, 2.2.12, on port 80.
Let's see what we can see on port 80
Just a page that says it's working.
So as part of web recon, we can now see what they want us to see, but what about other things that aren't part of this index.html the web server is hosting?
For this we will do a directory/file brute force on the web server to see if it is indeed serving anything other than this index.html.
GENERATED WORDS: 4612
---- Scanning URL: http://popcorn.htb/ ----
+ http://popcorn.htb/cgi-bin/ (CODE:403|SIZE:287)
+ http://popcorn.htb/index (CODE:200|SIZE:177)
+ http://popcorn.htb/index.html (CODE:200|SIZE:177)
+ http://popcorn.htb/server-status (CODE:403|SIZE:292)
+ http://popcorn.htb/test (CODE:200|SIZE:47337)
==> DIRECTORY: http://popcorn.htb/torrent/
---- Entering directory: http://popcorn.htb/torrent/ ----
==> DIRECTORY: http://popcorn.htb/torrent/admin/
+ http://popcorn.htb/torrent/browse (CODE:200|SIZE:9278)
+ http://popcorn.htb/torrent/comment (CODE:200|SIZE:936)
+ http://popcorn.htb/torrent/config (CODE:200|SIZE:0)
==> DIRECTORY: http://popcorn.htb/torrent/css/
==> DIRECTORY: http://popcorn.htb/torrent/database/
+ http://popcorn.htb/torrent/download (CODE:200|SIZE:0)
+ http://popcorn.htb/torrent/edit (CODE:200|SIZE:0)
==> DIRECTORY: http://popcorn.htb/torrent/health/
+ http://popcorn.htb/torrent/hide (CODE:200|SIZE:3765)
==> DIRECTORY: http://popcorn.htb/torrent/images/
+ http://popcorn.htb/torrent/index (CODE:200|SIZE:11356)
+ http://popcorn.htb/torrent/index.php (CODE:200|SIZE:11356)
==> DIRECTORY: http://popcorn.htb/torrent/js/
==> DIRECTORY: http://popcorn.htb/torrent/lib/
+ http://popcorn.htb/torrent/login (CODE:200|SIZE:8371)
+ http://popcorn.htb/torrent/logout (CODE:200|SIZE:182)
+ http://popcorn.htb/torrent/preview (CODE:200|SIZE:28104)
==> DIRECTORY: http://popcorn.htb/torrent/readme/
+ http://popcorn.htb/torrent/rss (CODE:200|SIZE:964)
+ http://popcorn.htb/torrent/secure (CODE:200|SIZE:4)
+ http://popcorn.htb/torrent/stylesheet (CODE:200|SIZE:321)
==> DIRECTORY: http://popcorn.htb/torrent/templates/
+ http://popcorn.htb/torrent/thumbnail (CODE:200|SIZE:1789)
==> DIRECTORY: http://popcorn.htb/torrent/torrents/
==> DIRECTORY: http://popcorn.htb/torrent/upload/
+ http://popcorn.htb/torrent/upload_file (CODE:200|SIZE:0)
==> DIRECTORY: http://popcorn.htb/torrent/users/
---- Entering directory: http://popcorn.htb/torrent/admin/ ----
+ http://popcorn.htb/torrent/admin/admin (CODE:200|SIZE:2988)
+ http://popcorn.htb/torrent/admin/admin.php (CODE:200|SIZE:2988)
==> DIRECTORY: http://popcorn.htb/torrent/admin/images/
+ http://popcorn.htb/torrent/admin/index (CODE:200|SIZE:80)
+ http://popcorn.htb/torrent/admin/index.php (CODE:200|SIZE:80)
==> DIRECTORY: http://popcorn.htb/torrent/admin/templates/
+ http://popcorn.htb/torrent/admin/users (CODE:200|SIZE:80)
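A brute force like the one above leaves a distinctive trail in the Apache access log: one client collecting 403/404 responses for many different paths in a few seconds. As an added example (not part of this writeup), the Python below parses combined-format log lines and flags such clients; the log lines are constructed, and the 10.10.14.x addresses, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format, as written by the 2.2 server on the box.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 10.10.14.5 is an ordinary visitor, 10.10.14.9 is guessing paths from a wordlist.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 177
10.10.14.9 - - [10/Mar/2020:12:00:02 +0000] "GET /aaa HTTP/1.1" 404 290
10.10.14.9 - - [10/Mar/2020:12:00:02 +0000] "GET /abc HTTP/1.1" 404 290
10.10.14.9 - - [10/Mar/2020:12:00:03 +0000] "GET /cgi-bin/ HTTP/1.1" 403 287
10.10.14.9 - - [10/Mar/2020:12:00:03 +0000] "GET /test HTTP/1.1" 200 47337
10.10.14.9 - - [10/Mar/2020:12:00:04 +0000] "GET /tmp HTTP/1.1" 404 290
10.10.14.9 - - [10/Mar/2020:12:00:04 +0000] "GET /torrent/ HTTP/1.1" 200 11356
10.10.14.9 - - [10/Mar/2020:12:00:05 +0000] "GET /zzz HTTP/1.1" 404 290
10.10.14.5 - - [10/Mar/2020:12:00:30 +0000] "GET /missing.css HTTP/1.1" 404 290
"""

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_enumerating_clients(log_text, window_seconds=60, threshold=4):
    """Flag clients that collected 403/404 responses for at least `threshold`
    distinct paths within any `window_seconds` span; returns {ip: count}."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in (403, 404):
            misses[parsed[0]].append((parsed[1], parsed[2]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                flagged[ip] = len(in_window)
                break
    return flagged
```

Tune the threshold to the site's normal 404 rate; a real wordlist run produces thousands of misses, so even a conservative threshold separates it cleanly from a visitor with a broken link.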
There is a /torrent/ directory; let's check it out.
Some software called Torrent Hoster.
So we have a login on this page. One of the first things I like to do when I see a login is check whether it accepts default, easy credentials like admin/admin, admin/password, admin/123456 or some such super low-hanging fruit. If those don't work, I try some generic SQL injections to see if we can get in that way.
Exploit
Using this SQLi as the username, we were able to authenticate as admin.
OK, so this looks like a torrent repo where we can list torrent files. We can upload a new torrent to list on the site. This is juicy. If we can upload, we can try to exploit.
I tried to upload a generic python script as a torrent to see what would happen.
I downloaded an Ubuntu torrent to try to upload.
Cool, we can upload torrents to a torrent site... OK.
OK, we can upload a screenshot too.
I tried to upload my avatar
Let's see if we can sneak some PHP past this upload filter.
My goal is to capture the upload in Burp Suite and insert some PHP inline during the transfer.
So first let's fire up Burp Suite and capture a legitimate upload of a picture.
Now we send that over to Repeater in Burp Suite.
Now we will edit the filename to be .php instead of .jpg
and insert our PHP code somewhere inside the JPEG transfer.
Here is the PHP we are inserting.
We get a 200 back from the server, so it looks like the upload succeeded.
We should set up our netcat listener now.
Now we just need to find a way to run the PHP we inserted.
Poking around, we find the directory where it places these uploaded files:
popcorn.htb/torrent/upload/
It renamed our file to some hash. It appears to be a SHA1 hash of the torrent we uploaded.
OK, now if we click on the PHP, hopefully we get our shell.
We did!! Congrats!
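The upload handling we just walked through fails because the server hashes the content but keeps whatever extension the request supplied. The Python below is an added example, not Torrent Hoster's code: it reproduces that observed behaviour beside a hardened check that derives the stored extension from the file's magic bytes and rejects a declared extension that disagrees. The sample bytes, the allow-list and the function names are assumptions.

```python
import hashlib
import os

# Leading bytes of the image formats the avatar/screenshot form is meant to accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED = {"jpg", "jpeg", "png", "gif"}

# Constructed samples: a minimal JPEG-like file, and the same header followed by
# a PHP open tag, which the writeup uploads under a .php filename.
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php echo 'marker'; ?>"

def sniff_image_type(data):
    """Return the image type implied by the magic bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def weak_storage_name(filename, data):
    """Behaviour observed on the box: the content is hashed, but the caller's
    extension survives, so a .php upload lands on disk as <sha1>.php."""
    return hashlib.sha1(data).hexdigest() + os.path.splitext(filename)[1].lower()

def hardened_storage_name(filename, data):
    """Accept only if the declared extension is allow-listed and agrees with the
    sniffed type; the stored extension comes from the bytes, never the request.
    Returns None on rejection."""
    declared = os.path.splitext(filename)[1].lstrip(".").lower()
    declared = "jpg" if declared == "jpeg" else declared
    sniffed = sniff_image_type(data)
    if declared not in ALLOWED or sniffed is None or sniffed != declared:
        return None
    # Serve the upload directory with script execution disabled as well
    # (for mod_php, "php_flag engine off"); the derived name is the second line of defence.
    return hashlib.sha1(data).hexdigest() + "." + sniffed
```

A PHP fragment hidden inside an otherwise valid image still passes the hardened check when declared as .jpg, which is why the storage directory must also refuse to execute scripts.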
From here we can poke around and find that we can read user.txt in the /home/george folder.
I upgraded to a slightly better shell with Python, since this machine had Python installed.
python -c 'import pty; pty.spawn("/bin/bash")'
I found this th_database.sql file in /var/www/torrent/database/
And it has this inside.
Looks like an MD5 hash for the admin password. I just googled the hash and found that it is admin12.
I tried to log in with admin/admin12 on the torrent site and it doesn't work; I'm guessing the password had been changed after this file was created.
I looked up exploits for this version of Linux and came across this one:
https://github.com/lucyoa/kernel-exploits/blob/master/full-nelson/full-nelson.c
So I downloaded a copy to my Kali box and used nc to get it over to Popcorn.
Then used netcat on Popcorn to transfer the file.
Then all we need to do is compile it using gcc.