Popcorn is a retired vulnerable machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target machine's services.
Classic Scan
Full Scan
As a result of the network scan, two ports are open: 22/tcp (ssh, OpenSSH 5.1p1) and 80/tcp (http, Apache httpd 2.2.12).
Since the ssh service offers no obvious vulnerability, we move on to port 80. As HTTP is running, we enumerate it through the browser.
We see the default page; inspecting the source in developer mode, checking with the webanalyzer tool, and running WhatWeb all gave no results.
We scan with gobuster to detect files and directories.
Gobuster Scan
As a result of the scan, we found the /index, /torrent and /test directories.
Only the /torrent directory contained anything noteworthy.
Here we look for potential attack vectors. The upload section in particular is a potential place to plant a shell.
Sign up to create a user.
There are no restrictions when creating a user.
We created a user named test.
When I went to upload again, it asked for credentials; I logged in with the test user we created.
When I tried to upload my VPN file, it gave an error because it was not a torrent file.
Let's try to upload a torrent file here.
Download the Kali Linux torrent file.
After downloading, let's upload it to Torrent Hoster.
When we hover over the image, we see the /upload tab; let's look at the upload section.
We could see the photo here. If we add a photo, does it land here?
Let's add a sample photo to find out.
We added my photo here.
The photo screen has changed.
We refresh the /upload directory and boom, there it is 🙂
Let's see if we can add a reverse shell here then.
Here it says the php file was not accepted and that image files should be uploaded instead.
Can we intercept the request and modify it with Burp Suite?
Let's try.
First, we triggered the invalid file error; let's see how the request looks for a png:
Content-Type: image/png
It looks like this.
When sending the php file, the header is Content-Type: application/x-php. When we changed it to the png value and re-sent the request, it went through.
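A defensive illustration of the flaw just exploited, added here as an example and not code from the Torrent Hoster application: a check that trusts the client-supplied Content-Type (as this upload form appears to) next to one that validates the extension and the file's magic bytes instead. The sample uploads are constructed.

```python
import secrets

# Constructed sample uploads: (filename, client-supplied Content-Type, start of body).
# The "spoofed_php" case models a Content-Type header rewritten in an intercepting proxy.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "real_png":    ("cat.png", "image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    "spoofed_php": ("shell.php", "image/png", b"<?php echo 'hi'; ?>"),
    "honest_php":  ("shell.php", "application/x-php", b"<?php echo 'hi'; ?>"),
}

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": [PNG_MAGIC],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

def weak_check(filename, content_type, body):
    """Trusts the Content-Type header sent by the browser, which the client fully controls."""
    return content_type in ALLOWED_TYPES

def hardened_check(filename, content_type, body):
    """Ignores Content-Type: requires an allowlisted extension and matching magic bytes in the body."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    return any(body.startswith(sig) for sig in MAGIC[ext])

def stored_name(filename):
    """Server-chosen name with only the validated extension, so the uploader never picks the path.
    Independently of this, the upload directory should be served without script execution."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

def evaluate(check):
    """Run one validator over every sample; returns {sample_name: accepted}."""
    return {name: check(*sample) for name, sample in SAMPLES.items()}
```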
Let's check for our shell in the upload directory;
Let's start an nc listener before we click on the shell.
We've got a shell.
We have obtained our user flag.
We cannot access the root directory; we get a permission denied error.
We perform local enumeration to escalate to root.
We completed the linpeas.sh scan.
There is something in the Linux kernel.
We looked at the kernel with uname -a and noticed an anomaly: it was built in 2009.
We googled this vulnerability.
Let's download it and put it on the target machine.
Once the exploit was loaded, it asked us to set the user's password; we assigned the password pass.
Here we created the firefart user; let's connect over ssh.
We got root privileges and our flag.