# Popcorn

# ENUMERATION

NMAP:
- 22: OpenSSH 5.1p1 Debian 6ubuntu2
- 80: Apache httpd 2.2.12

DIRB:
- /test
- /torrent
- /torrent/login

# ACTIVITY

- created an account on the torrent server (x : xxxx)
- tried to upload an empty .php file, but got an error:

  ```
  Warning: fread() [function.fread]: Length parameter must be greater than 0 in /var/www/torrent/upload.php on line 33
  This is not a valid torrent file
  ```

- this was an empty file created using the touch command
- will try to create a payload with msfvenom, and use Burp Suite to change the name, and allow the transfer.

# FAIL

- msfvenom created a php, which I was hoping to introduce to the system
- the upload using Burp Suite to change the name failed (must be checks on the upload files - Good!)

# PASS

- Had to install buildtorrent to create the .torrent file
- After installing, I created a .torrent:

  ```
  buildtorrent -a "http://pop.corn.com:4444/announce" Popcorn_reverse.php Popcorn_reverse.torrent
  30687 : Popcorn_reverse.php
  hashing 1 pieces [==================================================]
  ```

- The upload was successful with this file

# RESEARCH

- how do I access the files that I upload?
- folder called uploads is available
- there's a screenshot option... maybe a picture with a payload?

# EXPLOIT

- create a php reverse shell (google)
- upload a screenshot to the torrent description, use Burp Suite to change the name
- Should be able to access the php from that uploads folder discovered earlier
- open a listener with netcat, and try it out
- NOTE: make the php file look like a png... put GIF89 at the front (google how to)
- Click on the php to see if it gives a reverse shell

# ACCESS

- The reverse shell worked... the foothold is to upload a picture with reverse shell and change the name via Burp Suite

# ENUMERATION

- inside the system, go ahead and explore
- found the config file for the torrent server (config.php)
- found credentials for mysql

# ENUMERATION

- upload the linux-exploit-suggester.sh via SimpleHTTPServer
- Privilege escalate if needed, but this concludes today's lesson!
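The two weaknesses these notes lean on are a screenshot upload that trusts the client-supplied filename and a check that looks no further than a GIF89a header. As an added example (not code from the box or from this write-up), the validator below shows what a fixed upload.php would need to do: match the magic bytes against the claimed extension, reject image data that carries script markers, and store the file under a server-generated name. Function names, the marker list and the sample inputs are constructed for this example; the upload directory should additionally be served with script execution disabled.

```python
import os
import re
import secrets

# Extension -> magic bytes the data must start with (constructed allowlist).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markers that have no business inside an image. A valid GIF89a header
# followed by one of these is the polyglot a header-only check lets through.
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<script\b|<%", re.IGNORECASE)


def claimed_ext(client_name: str) -> str:
    """Final suffix only, lower-cased: 'shell.gif.php' is judged as 'php'."""
    return os.path.splitext(client_name)[1].lower().lstrip(".")


def validate_image_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The bytes decide; the client name only
    supplies the claimed extension and is never used as a storage path."""
    if not data:
        return False, "empty file"
    ext = claimed_ext(client_name)
    if ext not in IMAGE_MAGIC:
        return False, f"extension '{ext or '(none)'}' not allowed"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "magic bytes do not match claimed type"
    if SCRIPT_MARKERS.search(data):
        return False, "script markers found inside image data"
    return True, "ok"


def stored_name(client_name: str) -> str:
    """Random server-side name plus the validated extension, so renaming the
    file in an intercepting proxy gains nothing."""
    return f"{secrets.token_hex(16)}.{claimed_ext(client_name)}"


if __name__ == "__main__":
    # Constructed samples: a minimal real GIF and a header-only polyglot.
    print(validate_image_upload("cat.gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"))
    print(validate_image_upload("shot.png", b"GIF89a<?php echo 1; ?>"))
```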