1. Enumeration
With that, we run dirbuster to look for directories and files on the web server.
The main hits are the directories cgi-bin, doc and torrent, plus a PHP file called test.php.
cgi-bin yields nothing, while test.php is a phpinfo() page, which we note for later since it reveals the PHP version and configuration.
The torrent directory is the most interesting: it leads to an application called Torrent Hoster.
searchsploit even has an entry for it, Remote Upload.
Trying admin:admin does not work, and a Google search for default credentials turns up nothing either. We can sign up, though, and perhaps find a way to upload a shell through Torrent Hoster.
We register an account successfully.
On logging in we land on a page listing the torrents we have uploaded, which is empty since the account is new. But it confirms that we can upload files, which is a good sign.
2. Exploitation
Now we are on the upload page, and the txt file we got from searchsploit earlier describes how to tamper with the upload to get arbitrary files, i.e. a shell, onto the server.
Let's try to upload a PHP reverse shell script.
Oops: the application checks that the upload is a valid torrent file. That is not going to stop us!
First let's create a torrent file with https://kimbatt.github.io/torrent-creator/, an online torrent creator. Since any file can be torrented, I will just make a torrent of the same reverse shell PHP file.
Now the torrent file uploads successfully! And look, we can also upload screenshots, which presumably must have image extensions such as png or jpg. We can reuse the same reverse shell script, changing the extension to .png.php or .jpg.php in the hope of bypassing the check.
Oh. An unsuccessful upload.
Looks like we have to fire up Burp to modify the request.
From the request in Burp we can see why the upload failed: the Content-Type of the file part was not an image type, so we change application/x-php to image/png.
Once we forward the modified request, the upload succeeds.
When we open the screenshot (by clicking "Image File Not Found!"), the PHP runs
and we get our reverse shell! But not as root.
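To make the bypass concrete, here is an added Python example that is not from the original writeup or from the Torrent Hoster code. It renders the file part of the request the way Burp shows it, reconstructs a Content-Type-only check that matches the behaviour observed above (the .png.php upload fails as application/x-php and succeeds as image/png), and puts beside it the hardened check a developer should use instead: last extension only, magic bytes over the client's header, and a server-chosen filename. The form field name, the filename and the PHP payload are assumptions.

```python
import os
import secrets

# Constructed stand-in for the reverse shell payload uploaded above (assumption).
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def build_file_part(field, filename, content_type, data, boundary="----burp"):
    """Render one multipart/form-data file part as it appears in Burp's
    request view. Field name, filename and Content-Type all come from the
    client, which is exactly why the server must not trust any of them."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def naive_screenshot_check(content_type):
    """Reconstruction (assumption) of the check the screenshot upload appears
    to apply: reject the part when the client-supplied Content-Type is not an
    image type, and never look at the real extension or the bytes. This is
    consistent with shell.png.php failing as application/x-php and passing
    once the header is edited to image/png."""
    return content_type in ("image/png", "image/jpeg")


def hardened_screenshot_check(filename, data):
    """What the server should do instead: ignore the client's Content-Type,
    take only the last extension, and require the bytes to start with the
    magic number of the claimed image format."""
    ext = os.path.splitext(filename)[1].lower()  # "shell.png.php" -> ".php"
    if ext == ".png":
        return data.startswith(PNG_MAGIC)
    if ext in (".jpg", ".jpeg"):
        return data.startswith(JPEG_MAGIC)
    return False


def stored_name(filename):
    """Never reuse the client's filename on disk. Call this only after
    hardened_screenshot_check passed: the name is random and keeps just the
    validated image extension, so nothing the web server hands to PHP can
    result from the upload."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    # The request that failed: PHP payload sent with its real Content-Type.
    print(naive_screenshot_check("application/x-php"))              # False
    # The same request after editing the Content-Type line in Burp.
    print(naive_screenshot_check("image/png"))                      # True
    # The hardened check is fooled by neither the name nor the header.
    print(hardened_screenshot_check("shell.png.php", PHP_PAYLOAD))  # False
    print(build_file_part("screenshot", "shell.png.php", "image/png", PHP_PAYLOAD).decode())
```

The point of splitting the checks this way is that a Content-Type header costs the attacker one edit in Burp, whereas the magic bytes, the final extension and the stored name are all decided by the server.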
3. Privilege Escalation
sudo -l is not usable from this shell, so we bring in linuxprivchecker.
There is a user called george, whose home directory holds user.txt.
In george's home there is also a hidden directory called .cache.
In it is a file called motd.legal-displayed. A Google search shows that MOTD refers to the message of the day; the file is a marker written by the PAM MOTD module on login.
According to searchsploit, there are two .sh exploits for privilege escalation via the MOTD mechanism alone. Great, it looks like we are not in a rabbit hole.
The first script requires us to log in again (re-ssh) so that the vulnerable MOTD code runs, after which the chosen file ends up owned by our user. That is a lot of trouble, and it does not make us root: we simply become the owner of one file. Not what we want, though it is still a form of privilege escalation.
The second script instead adds a new root user called toor with uid 0. That is what we want, since we want the whole machine rather than a single file.
So we copy the script and try running it, and hit a "bad interpreter" error, typically caused by CRLF line endings, which you can resolve with a sed command.
Next we check how to transfer files to the target. wget works, which is great news.
Next we start a web server on our machine to serve the script.
We are unable to write into george's directory, but we definitely can write into /tmp.
Running it: wrong password.
It took a while, but a search reveals that for the exploit to work, we have to check the permissions of the .ssh directory.
As you can see, mine was chmod 777.
Change it to chmod 700.
Now when you run the script, it works!
Verifying that the exploit worked: toor has been appended to the end of /etc/passwd.
And… root!
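The three things that had to be fixed or verified in the escalation above (the "bad interpreter" error, the .ssh permissions and the new uid-0 account), collected into an added Python example that is not from the writeup or from the searchsploit scripts. The passwd excerpt is constructed, and the explanation of why .ssh must be 0700 is my assumption (sshd under StrictModes ignores authorized_keys in a group- or world-writable ~/.ssh, so a key-based login falls back to asking for a password), which matches the "wrong password" symptom seen above.

```python
import os
import stat
import tempfile


def strip_crlf(script: bytes) -> bytes:
    r"""'bad interpreter: /bin/bash^M' is the usual symptom of a script copied
    with CRLF line endings: the shebang then names "/bin/bash\r", which does
    not exist. This is what `sed -i 's/\r$//' exploit.sh` does on the target."""
    return script.replace(b"\r\n", b"\n")


def ssh_dir_mode_ok(path: str) -> bool:
    """Require ~/.ssh to be mode 0700. Assumption: sshd's StrictModes makes it
    ignore authorized_keys under a group- or world-writable ~/.ssh, so the
    exploit's login degrades to a password prompt (the 'wrong password' above)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o700


def fix_ssh_dir(path: str) -> bool:
    """Equivalent of `chmod 700 ~/.ssh`; returns True once the mode is right."""
    os.chmod(path, 0o700)
    return ssh_dir_mode_ok(path)


def uid0_accounts(passwd_text: str) -> list:
    """List every account whose uid field (third field of passwd(5)) is 0.
    More reliable than eyeballing the end of /etc/passwd, since a second
    uid-0 entry can sit anywhere in the file."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            found.append(fields[0])
    return found


# Constructed passwd excerpt (assumption; every uid other than 0 is invented).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
george:x:1000:1000:george,,,:/home/george:/bin/bash
toor:x:0:0::/root:/bin/bash
"""


def demo_ssh_permission_fix():
    """Recreate the 777 -> 700 fix on a scratch directory instead of a real
    ~/.ssh; returns (ok_before, ok_after)."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o777)
        before = ssh_dir_mode_ok(d)
        after = fix_ssh_dir(d)
    finally:
        os.rmdir(d)
    return before, after


if __name__ == "__main__":
    print(strip_crlf(b"#!/bin/bash\r\necho hi\r\n"))
    print(demo_ssh_permission_fix())     # (False, True)
    print(uid0_accounts(SAMPLE_PASSWD))  # ['root', 'toor']
```

On the target the same checks are one-liners (`sed -i 's/\r$//'`, `stat -c %a ~/.ssh`, `awk -F: '$3==0' /etc/passwd`); the uid-0 listing is also the first thing to run during cleanup or on a blue-team box, since a stray toor entry is exactly what this exploit leaves behind.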
I would say this box is not that easy, especially since the exploit script did not work at first; it took quite a bit of research to find the fix. Getting the reverse shell, however, was fairly simple, since little modification was required and it is a fairly standard technique.