Thursday, January 3, 2019

Popcorn


POPCORN

- Layout for this exercise:




1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Popcorn, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/




2 - ENUMERATION

- Popcorn's IP is 10.10.10.6:



- Scanning with Nmap:





- Connecting with the browser:




- Dirbusting the web server:




- There is an interesting directory torrent what holds a Torrent Hoster application:





- The Upload tab might be promising:




- A login form is presented to the user:





- Creating a new user whitelist:whitelist with Sign Up:









- Login as whitelist:





- Clicking Upload to upload torrent files:





- Downloading Kali's torrent file from the original repository:





 


- Uploading Kali's torrent to Popcorn:







- Changing category to Other/Other (otherwise the upload doesn't work):





- The upload is successful:







- Clicking the filename, it seems that the Screenshot can be edited by uploading new images with extensions like jpg, jpeg, gif, png:







3 - EXPLOITATION

- The exploitation attack consists on uploading an exploit to Popcorn's web server, running it and then getting a reverse shell connection.


- Creating an exploit with Msfvenom and saving it as exploit.php:







- However exploit.php will be probably filtered because it does not have an image extension:







- Let's intercept the submission with Burp:




- Submitting exploit.php:




- Let's focus in this line:



- Changing to:




- Forwarding:




- The submission is successful:




- Now, where has exploit.php been uploaded?

- Dirbusting the folder /torrent we find a directory called upload:







- Connecting to /upload we locate exploit.php:






- Now, setting a Meterpreter listening session:




- To run exploit.php just click it:




- The Meterpreter session is achieved:




 - Reading information about the system:







- Getting a remote shell:




- Improving the shell with:





- Going to /home and listing content:




- Going to user george's folder:




- Reading user's flag:





4 - PRIVILEGE ESCALATION

- Let's exploit the kernel in two ways:

4.1 - Dirtycow

- The kernel 2.6.31 is vulnerable to the exploit dirtycow.c:




- Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel, a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.


https://en.wikipedia.org/wiki/Dirty_COW





- According to the instructions of dirty.c it creates a new user called firefart with a password provided by the attacker.

- Copying the exploit and storing locally at Kali:







- Transferring dirty.c to Popcorn:




- Compiling dirty.c by following the instructions:







- Running dirty and entering the new password hola:




- Switching to the user firefart:hola we get a remote root shell:





4.2 - Full-Nelson.c Local Privilege Escalation

- Also, the kernel 2.6.31 is vulnerable to the exploit 15704.c:





- Downloading 15704.c to Kali:





- Transferring exploit.php from Kali to Popcorn /tmp folder:







- Compiling 15704.c according to the instructions:







- Running the exploit a root shell is  achieved:





5 - CAPTURING THE FLAG

- Reading root.txt: