HackTheBox: Popcorn
Welcome back, guys, to another writeup on Hack The Box, this time for the machine named POPCORN.
So let's start with Network Mapper (Nmap scan). *This time I won't share the complete output; only the required content is shared here.
Now let's check the web portal, since port 80 is open.
After seeing the webpage, we should find out which web directories are available on this portal, so let's use DirBuster for directory brute-forcing.
While the attack was going on I encountered a file named torrent.
So let's check the webpage.
On this webpage, sign up, log in, and check out all the available tabs.
Researching through, I got to know about the Browse tab and the Upload tab: the existing uploaded content is a Kali Linux torrent file, and in the Upload tab we can upload torrent files.
So let's upload any torrent file and see what can be done to get remote code execution / a reverse shell from this page.
This is what the response looked like; then we go to the edit option for this torrent to upload our PHP reverse shell, shell.php, and get a reverse shell.
Before submitting, start Burp Suite and intercept the request; remember to change Content-Type: application/x-php to Content-Type: image/png.
After that you get a notification on screen that the screenshot has been updated, and we can refresh to see it.
When we refresh the torrent page it shows no image file, so navigate in the browser to http://10.10.10.6/torrent/upload/ .
Once you see the uploaded PHP file, start a listener on the port number specified in shell.php, then click the PHP file in the upload directory to get the reverse shell.
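The upload step works because the server trusts the client-declared Content-Type. As an added example (not from this writeup or the target application), here is the server-side validation, in Python, that closes that gap by checking the extension and the real file bytes; the file names and byte strings are constructed.

```python
# Added example: declared Content-Type vs. actual content of an upload.
# The weak check is the pattern the writeup's header change defeats;
# the strong check is what a defender should do instead.

MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXT_TYPE = {"png": "image/png", "jpg": "image/jpeg",
            "jpeg": "image/jpeg", "gif": "image/gif"}


def weak_check(filename, declared_type, data):
    """Trusts only the client-supplied Content-Type header (bypassable)."""
    return declared_type.startswith("image/")


def strong_check(filename, declared_type, data):
    """Accepts only if extension, declared type and real bytes all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_TYPE:               # extension allowlist, not a denylist
        return False
    if EXT_TYPE[ext] != declared_type:    # header must match the extension
        return False
    sigs = MAGIC.get(declared_type)
    if sigs is None:
        return False
    return data.startswith(sigs)          # content sniffing: magic bytes must match


# Constructed sample uploads (the PHP body is a harmless placeholder)
PHP_UPLOAD = ("shell.php", "image/png", b"<?php /* constructed placeholder */ ?>")
PNG_UPLOAD = ("screenshot.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for up in (PHP_UPLOAD, PNG_UPLOAD):
        print(up[0], "weak:", weak_check(*up), "strong:", strong_check(*up))
```

Even with this check in place, uploads should be stored outside the web root or served from a directory where the web server does not execute scripts, so a slip in validation does not become code execution.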
Here you can find user.txt; for root.txt we have to do privilege escalation. For that, let's try the Linux Exploit Suggester tool, les.sh.
To transfer this file, start an http.server on your local computer.
After this, check the tun0 IP address with ifconfig, open it in the browser, locate the les.sh file, copy the link, and in the victim's reverse shell we got earlier download it with the wget command.
Hmm, so we can't write in the user's home directory, so let's change directory to /tmp and try again.
Now we first have to change the mode of the les.sh file: use chmod +x les.sh, then execute it with ./les.sh.
The list of vulnerabilities for this machine goes on; we have to choose, try, and execute.
This vulnerability was listed first, so trying it would be best. The link for the exploit and the helpful guidance are already provided in the link mentioned in the details.
Get the file using wget on your local machine, then use the same command on the victim PC to download it there. Remember to keep http.server running for these file transfers.
That's it!! Please write to us for any details.