Today we’re going to solve another CTF machine, “Popcorn”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP
  • IP Address: 10.10.10.6
  • Difficulty: Easy

Weakness

  • Bypassing Image Uploading Restriction
  • Linux PAM 1.1.0

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target and see what’s running behind the IP address.

Since we have port 80 open with Apache, let’s take a look at it.

Enumerating Directories

We have a page saying “It works!”. Since we don’t have any other way to look around, let’s look for hidden directories.

For that you can use tools like these:

  1. Dirb
  2. Dirbuster
  3. gobuster

etc.

We found our directory “http://10.10.10.6/torrent/”. Let’s take a look.

Exploitation

So we have a torrent script running, and after registration I found we can upload torrent files and screenshots. Since this script looks outdated, let’s try uploading our shell and bypassing the image restriction.

Let’s upload our torrent file.

After successfully uploading our torrent file there is no image upload field, so let’s take a look at “My Torrents”.

We can see now that we have an option to upload screenshots and that’s what we needed to move ahead. 🙂

Let’s try our luck and upload a shell.

Let’s create a PHP shell. We can use msfvenom for now, but there are many ways to do it.

So now we have ‘shell.php’, but we have to upload an image. To do that we’re gonna rename ‘shell.php’ to ‘shell.php.png’ for now, upload it, and intercept the request with Burp Suite.

Let’s upload our shell and intercept the request with Burp Suite.

Change “shell.php.png” to “shell.php” and send the request.

Response after uploading shell.

After successfully uploading our shell we don’t know the actual path it was uploaded to.

We have to run dirbuster inside the torrent directory so we can enumerate more directories.

We got our directory ‘upload’, so let’s take a look at it.

So we got the reverse shell.
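The rename trick above works because the script trusts the client-supplied filename. As an added illustration (not code from the torrent script or from the original post), here is the kind of server-side check that stops it: the declared extension must be on an allowlist, the file’s magic bytes must match that type, and the stored name is generated by the server. The function names and sample bytes are assumptions.

```python
import os
import secrets

# Real file signatures for the image types we accept, keyed by the canonical
# extension the server will assign. The client's filename and Content-Type
# header are treated as untrusted input.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def detect_image_type(data: bytes):
    """Return the canonical extension matching data's magic bytes, or None."""
    for ext, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def validate_screenshot(filename: str, data: bytes):
    """Check an uploaded screenshot and pick a safe name for it.

    Returns (True, stored_name) or (False, reason). Only the LAST extension
    is considered, and the stored name is a random token plus the canonical
    extension, so 'shell.php' or 'shell.php.png' never lands on disk as such.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    detected = detect_image_type(data)
    if detected != ext:
        # Catches a PHP file renamed to .png, the trick used in this write-up.
        return False, "content does not match declared image type"
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, stored_name

# Constructed sample uploads (not real captures): a minimal PNG header and a
# harmless PHP file, each tried under the names from the write-up.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for name, body in [("shot.png", SAMPLE_PNG),
                       ("shell.php", SAMPLE_PHP),
                       ("shell.php.png", SAMPLE_PHP)]:
        print(name, validate_screenshot(name, body))
```

The upload directory should additionally be served with script execution disabled, so a slip in validation does not turn into code execution.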

After getting user we’re gonna move forward.

Privilege Escalation

Let’s get straight into getting root. For that we normally do some basic findings and run privilege escalation scripts.

So for that we’re gonna run ls -la on /home/george/

After taking a look at .cache we have an uncommon file.

We can also do ls -lAR

As it displayed, we have an uncommon file inside .cache: “motd.legal-displayed”.

After doing some Google research we have our exploit! 🙂

Exploit: https://www.exploit-db.com/exploits/14339/