Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Popcorn Linux

Burp Suite and linuxenum are all you need to pwn Popcorn!

Recon

Nmap Scan

Nmap scan report for 10.10.10.6
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /test/: Test page
| /test.php: Test page
| /test/logon.html: Jetty
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.2.12 (Ubuntu)
Gobuster scan

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.6/
[+] Threads : 10
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Status codes : 204,301,302,307,200
=====================================================
/index (Status: 200)
/test (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)
=====================================================

Nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.6
+ Target Hostname:    10.10.10.6
+ Target Port:        80
+ Start Time:         2019-10-30 13:15:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.12 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 43621, size: 177, mtime: Fri Mar 17 13:07:05 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.12 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Retrieved x-powered-by header: PHP/5.2.10-2ubuntu6.10
+ /test: Output from the phpinfo() function was found.
+ OSVDB-112004: /test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ /test.php: Output from the phpinfo() function was found.
+ /test/: Output from the phpinfo() function was found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /test.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /test/index.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /test/php_info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8674 requests: 0 error(s) and 49 item(s) reported on remote host
+ End Time:           2019-10-30 13:19:35 (GMT-4) (253 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto reveals the path to the phpinfo file, while gobuster reveals the /torrent directory.

Exploitation: Burp Suite

First I tried some password guessing, which did not work. However, I then tried an SQL injection login bypass and was able to access the web app.

The torrent upload form accepts a screenshot image, which gives us a potential location to place a reverse shell. We use Burp Suite to modify the upload request for the PHP file so that it bypasses the extension rule, changing the declared Content-Type from

Content-Type: application/x-php

to

Content-Type: image/png
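To show why editing the Content-Type in Burp is enough here, and what a server-side check that does not fall for it looks like, the following is an added example of mine, not code from the box or from this writeup. It contrasts an upload check that trusts the client-supplied Content-Type with one that requires the file extension, the declared type and the file's leading bytes to agree. The allowed image types, the sample PNG and PHP bytes, and all function names are constructed for the example; the application's real upload code is not known to me and is not reproduced here.

```python
import os
import re

# Constructed sample uploads (not captured from the box): a minimal PNG header,
# and the kind of PHP file the writeup uploads with a relabelled Content-Type.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PHP = b"<?php echo 'constructed sample'; ?>\n"

# Image types the upload form is meant to accept (an assumption for this example).
ALLOWED_EXT = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}
# Leading bytes that identify each accepted image type.
MAGIC_TO_MIME = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
# Markers that have no business inside an image stored by a PHP application.
SERVER_CODE = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def weak_accept(filename: str, declared_type: str, data: bytes) -> bool:
    """Trusts only the Content-Type sent by the client, which the client controls.
    A request edited in an intercepting proxy defeats this kind of check."""
    return declared_type in set(ALLOWED_EXT.values())


def sniff_mime(data: bytes):
    """Derive the MIME type from the file's leading bytes, or None if unknown."""
    for magic, mime in MAGIC_TO_MIME:
        if data.startswith(magic):
            return mime
    return None


def hardened_accept(filename: str, declared_type: str, data: bytes) -> bool:
    """Accept only when extension, declared type and actual content all agree."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return False  # e.g. shell.php is refused regardless of its Content-Type
    sniffed = sniff_mime(data)
    if sniffed is None or sniffed != ALLOWED_EXT[ext] or sniffed != declared_type:
        return False  # the bytes do not match what the request claims
    if SERVER_CODE.search(data):
        return False  # image/PHP polyglots are refused as well
    return True


def compare(filename: str, declared_type: str, data: bytes) -> dict:
    """Run both checks side by side to see where the weak one lets a file through."""
    return {
        "weak": weak_accept(filename, declared_type, data),
        "hardened": hardened_accept(filename, declared_type, data),
    }


if __name__ == "__main__":
    cases = [
        ("screenshot.png", "image/png", SAMPLE_PNG),  # legitimate upload
        ("shell.php", "image/png", SAMPLE_PHP),       # Content-Type relabelled in Burp
        ("shell.png", "image/png", SAMPLE_PHP),       # renamed as well
    ]
    for name, ctype, blob in cases:
        print(f"{name:16} {ctype:12} {compare(name, ctype, blob)}")
```

Checking the content is only part of the fix: uploads should also be written outside the document root (or to a directory where the web server will not execute scripts) and served back with a server-chosen name and Content-Type, so that a file which slips past the check still cannot run as PHP.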

I decided to use the PHP reverse shell from pentestmonkey to get a shell.

  • Optionally, you can create a PHP meterpreter payload and use that as well.

Privilege Escalation Method 1: Full-Nelson

  • Based on the Linux kernel 2.6 on the target, I compile and use:
    (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation 15704.c

Privilege Escalation Method 2: Dirty COW

You can also escalate privileges on this machine using the infamous Dirty COW exploit.

'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation 40839.c

FLAGS

 ROOT  "f122331023a9393319a0370129fd9b14" 
 USER  "5e36a919398ecc5d5c110f2d865cf136"