OSCP PREPROTİONS – HTB Popcorn

Popcorn machine is a vulnerable machine with Linux operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Scan

As a result of network scanning, 22/tcp ssh OpenSSH 5.1p1 and 80/tcp http Apache httpd 2.2.12 ports are open.
Since there is no vulnerability in the ssh port, we will continue on port 80. Since the http protocol is running, we will enumerate through the browser.

We are encountering the Default page from the source code in developer mode and we looked with the webanalyzer tool and got no results. We looked with Whatweb and got no results.

We scan with gpbuster to detect files and directories.

Gobuster Scan

As a result of the scan, we found the /index, /torrent, /test directories.
Only in the /torrent directory we found remarkable information

Here we are looking for potential attack vectors. Especially the uplaod section is a potential Shell installation site.

Sign up to create a user.
We have no restrictions when creating a user.

We created a user in the test user.
When I went to upload again, it asked for credential information, I logged in from the test user we created,

When I tried to upload my vpn file, it gave me an error because there was no torrent file.

Let’s try to upload torrent file here
Download the torrent file of Kali Linux

After downloading, let’s install torrent hostner

When we hover over the image, we see the /upload tab, let’s look at the upload section.

We could see the photo here. If we add a photo, does it fall here?
Let’s add a sample photo to understand this.

We added my photo here.
The photo screen has changed here

We’re refreshing the /upload directory and boom, there it is 🙂

Let’s see if we can add a revershell here then.

Here it says that the php file should be added to the image files that it did not accept.
Can we intercept and replace with burp suite?
Let’s try
First of all, we tried invalid file error, let’s see how the request goes here in ir png;

Content-Type: image/png
It looks like this.
When sending php file

Content-Type: application/x-php. When we edited it as png and sent it, it went away

Let’s check our shell in the upload directory;

Let’s listen with nc before we click on Shelle

We’ve got Shell

We have obtained our user fla.
We cannot access the root directory, we get a permiison denied error
We provide local enumeration to be root authorized.

We’ve completed the scan for Linpeas.sh.

There is something in the Linux kernel
We looked at the kernel using the uname -a command and we noticed an anomaly that was made in 2009

We googled this vulnerability.

Let’s dowloand it and install it on the target machine

We installed the exploit and then it asked us to set the user’s password, we assigned the user the pass password

Here we created the firefart user and let’s network with ssh

We got root privileges and we got our flag.

Comments

  1. Szpiegowskie Telefonu

    Po wyłączeniu większości telefonów komórkowych zniesione zostanie ograniczenie dotyczące wprowadzania nieprawidłowego hasła.W tym momencie można wejść do systemu poprzez odcisk palca, rozpoznawanie twarzy itp.

  2. Szpiegowskie Telefonu

    Keyloggery są obecnie najpopularniejszym sposobem oprogramowania śledzącego, służą do pobierania znaków wprowadzanych z klawiatury. W tym wyszukiwane hasła wprowadzone w wyszukiwarkach, wysłane wiadomości e – Mail i treść czatu itp.

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir