Popcorn CTF Writeup
Table of Contents
ToggleThis is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Popcorn CTF from HackTheBox.
Popcorn CTF
Popcorn, while not overly complicated, contains quite a bit of content and it can be difficult for some users to locate the proper attack vector at first. This machine mainly focuses on different methods of web exploitation.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Executive Summary
This Pentest report outlines the security assessment activities conducted on the IP address 10.10.10.6. The assessment uncovered several critical and moderate vulnerabilities, posing significant security risks to the tested infrastructure.
Introduction
This report details the findings resulting from the security assessment conducted on the target with IP address 10.10.10.6. The assessment aimed to identify vulnerabilities that could be exploited by a potential adversary to gain unauthorized access and compromise the security of the infrastructure.
Objective
The objective of this security assessment was to identify and exploit vulnerabilities in the target's infrastructure to assess the effectiveness of existing security measures and provide recommendations to mitigate the identified risks.
Requirements
- Identification of vulnerabilities in the web application hosted at IP address 10.10.10.6.
- Exploitation of critical and moderate vulnerabilities to assess potential exposure to attacks.
- Evaluation of the possibility of unauthorized access to systems and data.
High-Level Summary of Found Vulnerabilities
Directory Bruteforcing (Moderate): Hidden directories were enumerated through a directory bruteforcing attack on the web application. Implementation of security measures such as Web Application Firewalls (WAFs) and removal of unnecessary directories is recommended.
SQL Injection (High): A successful SQL injection vulnerability exploitation allowed unauthorized access to the database. The recommendation is to review and sanitize the application's code, using prepared statements and parameterized queries to prevent SQL injection attacks.
Authentication Bypass (High): Authentication was bypassed through an SQL injection vulnerability, granting access as an administrator without valid credentials. Implementation of proper input validation and robust authentication mechanisms is recommended.
Arbitrary File Upload (High): Exploitation of the file upload feature enabled the insertion of a malicious PHP shell, potentially allowing remote command execution. The application should rigorously validate uploaded files and bolster security controls.
Root Privilege Escalation (Extreme): A critical privilege escalation vulnerability was identified in the kernel, allowing an attacker to gain root privileges. Urgent kernel update is crucial to patch this security vulnerability.
Recommendations
- Implement a Web Application Firewall (WAF) to detect and block malicious directory enumeration attempts.
- Sanitize the application's code to prevent SQL injections, using prepared statements and parameterized queries.
- Strengthen authentication mechanisms, including proper input validation and multi-factor authentication.
- Thoroughly validate uploaded files, reject unauthorized formats, and enhance upload controls.
- Perform an immediate kernel update to address the privilege escalation vulnerability.
Methodology
Reconnaissance: The initial phase involved gathering information about open ports.
Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.
Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.
Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system’s security.
Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.
Color Legend
Console color legend:
Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity
Risk Classification
Independent Challenge - 10.10.10.6
export IP=10.10.10.6
Service Enumeration
IP Address | Ports Open |
---|---|
10.10.10.6 | TCP: 22, 80 |
Web Server Enumeration
Directory Bruteforcing
Vulnerability Explanation: Behind Security was able to enumerate the directory tree of the web server further by conducting a directory bruteforcing attack, leading to the discovery of hidden directories and a potential entry point.
Vulnerability Fix: To mitigate this vulnerability, the web server should implement security measures such as Web Application Firewalls (WAFs) to detect and block excessive or malicious directory enumeration attempts. Additionally, unnecessary hidden directories should be removed, and access to sensitive directories should be restricted.
Severity: Moderate
Steps to Reproduce the Attack: Execute the command: feroxbuster -u http://10.10.10.6 -w /usr/share/wordlists/dirb/common.txt -t 10 -d 3 -o scans/ferox-common
SQL Injection
Vulnerability Explanation: A SQL injection vulnerability was identified at http://10.10.10.6/torrent/login.php
. Behind Security successfully exploited this vulnerability using a tool named "sqlmap" allowing unauthorized access to the database. This presents a high security risk as it exposes sensitive information, including user emails and usernames.
Vulnerability Fix: To address this vulnerability, the application's code must be reviewed and sanitized to prevent SQL injection attacks. Prepared statements and parameterized queries should be used to ensure proper input validation and data protection.
Severity: High
Steps to Reproduce the Attack:
- Provide a single quote as the username and submit it to observe the SQL error.
- Execute the command:
sqlmap -u http://10.10.10.6/torrent/login.php --data "username=*&password=admin" --threads=10 --technique=E --batch
. - Dump the users table using:
sqlmap -u http://10.10.10.6/torrent/login.php --data "username=*&password=admin" --threads=10 --technique=E -T users --dump
.
Authentication Bypass
Vulnerability Explanation: A SQL injection vulnerability at http://10.10.10.6/torrent/login.php
enabled Behind Security to bypass authentication and log in as an admin (this attack also extends to every other user on the system) without valid credentials.
Vulnerability Fix: This vulnerability can be remediated by implementing proper input validation and authentication mechanisms. Input should be sanitized, and multi-factor authentication can be used to enhance security.
Severity: High
Steps to Reproduce the Attack:
- Visit
http://10.10.10.6/torrent/login.png
. - In the username field, input:
admin' or 1=1#
, along with a random password.
Initial Access - Arbitrary File Upload
Vulnerability Explanation: An attacker can replace a torrent icon with a malicious PHP shell, aiming to execute remote commands on the victim's machine. Successful exploitation requires bypassing the server-side "magic byte" check.
Vulnerability Fix: To address this vulnerability, the application should thoroughly validate uploaded files, ensuring they adhere to acceptable formats. Additionally, server-side validation should be augmented to prevent the bypass of security checks.
Severity: High
Steps to Reproduce the Attack:
- Log in as admin using the login form at
http://10.10.10.6/torrent/login.php
(useadmin' or 1=1#
as the username and any password). - Access
http://10.10.10.6/torrent/index.php?mode=directory
. - Click on the "Kali Linux" torrent that got uploaded in 2017.
- When a new window pop up, click to edit the icon.
- Behind Security used this php reverse shell to get a connection, but any php code is executable.
- Set up burpsuite proxy and capture the request trying to upload a legitimate png as the icon of the torrent.
- Replace everything but the "PNG" and the line break to php code.
- Edit the filename to end with .php and send it.
Post Exploitation
LPE to root
Vulnerability Explanation: The machine's kernel version, 2.6.31-14-generic-pae
, dates back to 2009 and is susceptible to the "Dirty Cow" vulnerability (CVE-2016-5195). This flaw enables an attacker with an unprivileged account to exploit the kernel and gain root privileges.
Vulnerability Fix: To mitigate this critical vulnerability, the system's kernel should be updated to a version that includes the necessary security patches.
Severity: Extreme
Steps to Reproduce the Attack:
- Confirm the kernel version using:
uname -a
. - Download the Dirty Cow exploit and transfer it to a writable folder (like /dev/shm) in the victim machine.
- Compile the exploit:
gcc -pthread dirty.c -o dirty -lcrypt
. - Execute the exploit:
./dirty
. - When prompted, set a password for the new user (e.g., "firefart").
- Log in using the new user credentials:
su firefart
.
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.