Popcorn

OS: Linux, Difficulty: Medium, IP: 10.10.10.6

Initial enumeration

# Nmap 7.80 scan initiated Mon Sep 30 20:55:45 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.30 (95%), Linux 2.6.32 (95%), Linux 2.6.35 (95%), Android 2.3.5 (Linux 2.6) (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Epson WF-2660 printer (94%), AVM FRITZ!Box FON WLAN 7240 WAP (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   219.17 ms 10.10.14.1
2   221.41 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 30 20:56:06 2019 -- 1 IP address (1 host up) scanned in 21.40 seconds

Only two ports are open and we have no credentials for SSH, so the obvious choice is to go after the web server and enumerate every directory listing we can find.

So we focus on the torrent directory and see what we are working with.

Index page for the torrent application.

We have the option to log in and sign up, so we go ahead and create an account to explore more vectors. After logging in we are able to upload a torrent file.

However, I was having trouble getting a new torrent file to upload, so I downloaded the existing torrent file from the website, modified it using the following two tools, verified that everything was fine, and was then able to upload it.

After a successful upload, I have the option to edit the torrent and add a screenshot to the description. This is the vector I exploited to get RCE.

To bypass the upload filter, all you have to do is intercept the request with Burp and change the file type to any of the image formats; I chose image/png, and my PHP shell was uploaded successfully.

Once the shell is uploaded, we can navigate to the /torrent/upload/ folder, look for the file with the .php extension, and request it to get our reverse shell.
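The bypass above works because the application decides what a file is from the Content-Type field, which the client controls. The following is an added example of how a defender validates a screenshot upload instead; it is not code from the Popcorn box or its torrent application, and the function names, the allowlist and the sample byte strings are all constructed for illustration. The decision is made from the file's own leading bytes and an extension allowlist, and the stored name is generated server-side so a user-chosen ".php" name never reaches the web root.

```python
"""Server-side upload validation that ignores the client-supplied Content-Type.

Added example, not the Popcorn torrent application's own code. Names and
sample data below are constructed for illustration.
"""
import secrets
from typing import Optional

# Magic-number signatures for the image types the screenshot field should accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}

# Constructed samples: a PNG header followed by filler, and a PHP tag.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 1; ?>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def validate_upload(filename: str, declared_content_type: str, data: bytes) -> str:
    """Validate an uploaded screenshot and return the name to store it under.

    declared_content_type is accepted only to make the point explicit: it is
    attacker-controlled (the writeup changes it in Burp), so it is discarded
    and plays no part in the decision.
    """
    del declared_content_type  # client-supplied; never trusted

    # Extension allowlist on the final suffix only. A name like "shell.php.png"
    # passes this step but is still rejected below because its bytes are not an image.
    parts = filename.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")

    kind = sniff_type(data)
    if kind is None:
        raise UploadRejected("content is not a recognised image")

    # Random server-chosen name; the extension comes from the bytes, not the client.
    return f"{secrets.token_hex(16)}.{kind}"


def accepts(filename: str, declared_content_type: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored, False if rejected."""
    try:
        validate_upload(filename, declared_content_type, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # A genuine PNG is accepted; the PHP body declared as image/png is not,
    # whatever filename it carries.
    print(accepts("shot.png", "image/png", PNG_SAMPLE))
    print(accepts("shell.php", "image/png", PHP_SAMPLE))
    print(accepts("shell.php.png", "image/png", PHP_SAMPLE))
```

Magic-byte sniffing is not a complete defence on its own (a polyglot file can start with a valid image header), so the generated filename and an upload directory on which PHP execution is disabled are what actually keep a stored file from being run; the check above removes the easy win the writeup relies on.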

User own

Root own

I ran the Linux Smart Enumeration scripts and tried some manual enumeration as well, but there was nothing left but to exploit the kernel itself, as it was a pretty old Ubuntu 9.10. So I went with Full Nelson.

Learning outcome

Kernel exploits are not pretty at all: they are very unstable and make life difficult. I had to reset the box two or three times before I got a working kernel exploit that popped a shell. So refrain from them as much as possible.

Another cool thing I came across was the /rename page, which had some very interesting output. I saw no other writeup mention this; I am not sure why, but this vector potentially exposes the whole torrent application and makes bypassing it very easy.

Using this API we can leak all the source code of /torrent, or any other file for that matter.

And once the index file is moved out of the torrent folder, the whole folder becomes one big directory index, and you can use this to get the source of all the files.

However, do note that you must reverse the effect of the rename API by switching the parameters after each use; if you don't, all the files will be moved out, you'll be left with a non-working machine, and the only option will be to reset the box.
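The rename endpoint is dangerous because it moves whatever paths it is given, including index.php and files outside the torrent folder. As an added example, not the application's own /rename code, here is how a defender confines such an operation: both the source and the destination are resolved to absolute paths and refused unless they stay under the upload directory. The function names and the throwaway directory layout in the demo are constructed for illustration.

```python
"""Confining a rename/move operation to the application's upload directory.

Added example, not the Popcorn application's /rename implementation. Every
path is resolved first, so "../" segments and symlinks cannot escape the root.
"""
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a user-supplied path would leave the upload directory."""


def resolve_inside(root: Path, user_path: str) -> Path:
    """Resolve user_path relative to root; reject anything outside it."""
    root_resolved = root.resolve()
    candidate = (root_resolved / user_path).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise PathEscape(f"{user_path!r} escapes the upload directory")
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    """True if user_path stays inside root after resolution."""
    try:
        resolve_inside(Path(root), user_path)
        return True
    except PathEscape:
        return False


def safe_rename(root: Path, src: str, dst: str) -> Path:
    """Rename src to dst, both interpreted strictly inside root."""
    src_p = resolve_inside(root, src)
    dst_p = resolve_inside(root, dst)
    if src_p == root.resolve() or dst_p == root.resolve():
        raise PathEscape("refusing to rename the upload root itself")
    if not src_p.is_file():
        raise FileNotFoundError(src)
    if dst_p.exists():
        raise FileExistsError(dst)
    os.rename(src_p, dst_p)
    return dst_p


def demo() -> dict:
    """Exercise the checks in a temporary tree; returns which renames were allowed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "upload"
        root.mkdir()
        (root / "a.png").write_bytes(b"x")              # constructed upload
        (Path(tmp) / "index.php").write_text("<?php ?>")  # sibling of the upload dir
        results = {}
        results["inside"] = safe_rename(root, "a.png", "b.png").name == "b.png"
        attempts = {
            "traversal_src": ("../index.php", "moved.php"),   # pull index.php out of the way
            "traversal_dst": ("b.png", "../../outside.png"),  # push a file out of the tree
        }
        for label, (s, d) in attempts.items():
            try:
                safe_rename(root, s, d)
                results[label] = True
            except PathEscape:
                results[label] = False
        # index.php is untouched, so the directory would not fall back to a listing.
        results["index_intact"] = (Path(tmp) / "index.php").is_file()
        return results


if __name__ == "__main__":
    print(demo())
```

Two points complement the path check: the web server should have directory listings disabled for the upload folder (Apache's `Options -Indexes`), so that losing index.php does not turn the folder into a source-code index, and the rename handler should require authentication and ownership of the file it touches rather than accepting any two names.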
