AdSense

Thursday, January 3, 2019

Popcorn


POPCORN

 - Layout for this exercise:


1 - INTRODUCTION

 - The goal for this exercise is to develop a hacking process for the vulnerable machine Popcorn, what is a retired machine from the Hack The Box pentesting platform:

 https://www.hackthebox.eu/




2 - ENUMERATION

 - Popcorn's IP is 10.10.10.6:

- Scanning with Nmap:



- Connecting with the browser:


- Dirbusting the web server:


- There is an interesting directory torrent what holds a Torrent Hoster application:



- The Upload tab might be promising:


- A login form is presented to the user:



- Creating a new user whitelist:whitelist with Sign Up:







- Login as whitelist:



- Clicking Upload to upload torrent files:



- Downloading Kali's torrent file from the original repository:

 
- Uploading Kali's torrent to Popcorn:





- Changing category to Other/Other (otherwise the upload doesn't work):


- The upload is successful:





- Clicking the filename, it seems that the Screenshot can be edited by uploading new images with extensions like jpg, jpeg, gif, png:





3 - EXPLOITATION

- The exploitation attack consists on uploading an exploit to Popcorn's web server, running it and then getting a reverse shell connection.


- Creating an exploit with Msfvenom and saving it as exploit.php:





- However exploit.php will be probably filtered because it does not have an image extension:





- Let's intercept the submission with Burp:
- Submitting exploit.php:


- Let's focus in this line:

- Changing to:


- Forwarding:




- The submission is successful:


- Now, where has exploit.php been uploaded?

 - Dirbusting the folder /torrent we find a directory called upload:





- Connecting to /upload we locate exploit.php:




- Now, setting a Meterpreter listening session:


- To run exploit.php just click it:
- The Meterpreter session is achieved:


 - Reading information about the system:





- Getting a remote shell:


- Improving the shell with:



- Going to /home and listing content:


- Going to user george's folder:


- Reading user's flag:



4 - PRIVILEGE ESCALATION

- Let's exploit the kernel in two ways:

 4.1 - Dirtycow

 - The kernel 2.6.31 is vulnerable to the exploit dirtycow.c:


- Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel, a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.
https://en.wikipedia.org/wiki/Dirty_COW

- According to the instructions of dirty.c it creates a new user called firefart with a password provided by the attacker.

 - Copying the exploit and storing locally at Kali:





- Transferring dirty.c to Popcorn:




- Compiling dirty.c by following the instructions:





- Running dirty and entering the new password hola:
- Switching to the user firefart:hola we get a remote root shell:



4.2 - Full-Nelson.c Local Privilege Escalation

 - Also, the kernel 2.6.31 is vulnerable to the exploit 15704.c:

- Downloading 15704.c to Kali:



- Transferring 15704.c from Kali to Popcorn /tmp folder:





- Compiling 15704.c according to the instructions:
- Running the exploit a root shell is  achieved:



5 - CAPTURING THE FLAG

 - Reading root.txt:










Posted by at
Labels: