Hack The Box - Popcorn

We are going to pwn Popcorn from Hack The Box.

Link : https://www.hackthebox.eu/home/machines/profile/4

As always, we begin with an Nmap scan.

Nmap Scan Results:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.30 (95%), Linux 2.6.32 (95%), Linux 2.6.35 (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Android 2.3.5 (Linux 2.6) (95%), AVM FRITZ!Box FON WLAN 7240 WAP (94%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Epson WF-2660 printer (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP:

It looks like a plain, normal web page, so let's run Gobuster and see whether anything interesting turns up.

GoBuster Results:

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.6
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/12 09:38:15 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/index.html (Status: 200)
/test (Status: 200)
/torrent (Status: 301)
===============================================================
2020/01/12 09:40:05 Finished
===============================================================

/torrent looks interesting.

I searched for available exploits for the application behind it and found this one:

https://www.exploit-db.com/exploits/11746

So it is a file upload vulnerability: the application accepts an uploaded file that is not really an image, and the file is then served from the web root.

First we need to create an account.

Once the account was successfully created, I started looking for any upload functionality.

I found the torrent upload form, so I uploaded a random .torrent file to see what we can do with it.

Once uploaded, it shows a page with an option to "Edit this Torrent", which is interesting.

There is an option to upload a picture as a screenshot, so we can try uploading an "image" that carries a reverse shell.

I created a PHP payload prefixed with the GIF89a magic bytes, which makes the file look like a GIF image, and saved it as shell.php.gif.

While uploading, I intercepted the request in Burp, removed the .gif from the filename (leaving shell.php) and forwarded it. The GIF89a header only exists to satisfy the image check; what matters is that the file is stored with a .php extension, so Apache executes it when it is requested.

File Uploaded

Once uploaded, I started my nc listener and then opened the image to trigger the payload. Clicking on the image requests the .php file, which runs the reverse shell and connects back to the listener.

Privilege Escalation

It is an old kernel version.

I searched for exploits available for this version and found the Dirty Cow exploit (CVE-2016-5195):

https://www.exploit-db.com/exploits/40839

I uploaded it to the box, compiled it and followed the instructions in the exploit's header. This variant writes a new root-privileged user into /etc/passwd, and it keeps a backup of the original file, so restore that backup once you are done.

A new account with root privileges was created.

Got Root Flag.