Elyse Ronzier

I’m curious, idk.

3 minute read

Enumeration/Recon

First steps: run Nmap against the target IP. Once there is confirmation of a website, start running gobuster/dirbuster.

HTB

Let’s explore these different directories real quick:

  • /index

Okay. Sure. Nothing useful here.

  • /test

This directory gives us A LOT of info on the website. Including the ability to upload files.

Foo
  • /rename

Not that useful for now. I’ll have to come back to it when I’ve done some more enumeration.

  • /torrent

Okay, so there was a lot more to play with here. We seem to have a fully fledge website, where I eventually discovered a login/register page.

Foo

Foothold/Exploitation

So I created a ‘test’ user which I used to log in with. Because we know that files can be supposedly uploaded, I went directly to the upload section. I didn’t accept the files I tested…

Do I actually have to upload a tor file? I mean, I guess that would actually make sense, considering the kali tor files I found. The easiest thing to do, is to do the exact same thing right? So I head over to Kali and get myself some of the spicy iso files.

HTB

I successfully uploaded the kali iso torrent file. And when I check out the settings of this new upload, I get an option to edit it. This option allows me to add a screenshot. This is probably the best place to pop in a little reverse shell.

Let’s first test that the feature works. Puppy time!

HTB

Right, so that works. Let’s try a simple php reverse shell, since the website is php based.

HTB

Hmm…that didn’t work. That’s okay though, so let’s try it a little differently. But before we try, we need to look through the OP lens of Burp Suite because there is probably some sort of filtering going that I can’t just counter with an extension change.

HTB

Burp shows me a few filtering potentials here. The first obvious one is the extension and then the content-type header maybe. So let’s manually change the content-type header in burp before forward the entire thingy.

A quick look up on stackoverflow tells me the header I need is ‘image/png’, so let’s try that!

HTB

It worked! Let’s go (hopefully) activate the callback.

HTB

Nice!

Enumeration/Recon as www-data

After some upgrading and exploring , we see a george directory.

HTB

Oh, and not only can we access it, but we can also read the user flag! Lovely.

Alright let’s find out more about George since we’ll most likely try to privesc into him. Let’s also look for some hidden files.

HTB

Okayyy, so a few things jump to my face. First, ‘sudo as admin successful’. Then the MOTD file. I remember both of those being options for privesc. Maybe…

I also see a mysql user in the /etc/passwd file, and some ssh directories. Many options.

Okay let’s start with the sudo as admin file to see if there are any privesc techniques out there. So, no…I was misremembering I guess.

Foothold/Exploitation to get Root

For the motd file I do see some exploit. On exploit db too, so that’s a good sign. Let’s try it out.

HTB

I was having issues using the tmp directory on popcorn, so I’ve moved to /dev/shm.

Wow, I am back and this took me a while with much debugging involved.

The exploit doesn’t seem to work at first glance since half way through the run it asks me for my current temporary www-data password. Which I don’t have… So after lots of googling and exploring the htb forums. I found someone explaining:

HTB
HTB

Nice. And then the exploit worked as described and got ourselves a nice root flag.

Box pwned!

You May Also Enjoy

Red Cross Writeup

4 minute read

NB: A few of these writeups are ones that I’ve had locally stored for a while, or done a long time ago. So in the interest of time, these will be more sparse...