Popcorn write-up by Arrexel

@Arrexel on a roll with your writeups, great work :smiley:

Hi there,

When I run the bash 14339.sh script I get the following output. Is something wrong inside the bash script? Please help.

www-data@popcorn:/dev/shm$ chmod +x 1.sh

www-data@popcorn:/dev/shm$ bash 1.sh

OUTPUT

1.sh: line 2: it: command not found
[*] Ubuntu PAM MOTD local root
ERROR: User name does not exist.
********* simple selection ********* ********* selection by list *********
-A all processes -C by command name
-N negate selection -G by real group ID (supports names)
-a all w/ tty except session leaders -U by real user ID (supports names)
-d all except session leaders -g by session OR by effective group name
-e all processes -p by process ID
T all processes on this terminal -s processes in the sessions given
a all w/ tty, including other users -t by tty
g OBSOLETE – DO NOT USE -u by effective user ID (supports names)
r only running processes U processes for specified users
x processes w/o controlling ttys t by tty
*********** output format ********** *********** long options ***********
-o,o user-defined -f full --Group --User --pid --cols --ppid
-j,j job control s signal --group --user --sid --rows --info
-O,O preloaded -o v virtual memory --cumulative --format --deselect
-l,l long u user-oriented --sort --tty --forest --version
-F extra full X registers --heading --no-heading --context
********* misc options *********
-V,V show version L list format codes f ASCII art forest
-m,m,-L,-T,H threads S children in sum -y change -l format
-M,Z security data c true command name -c scheduling class
-w,w wide output n numeric WCHAN,UID -H process hierarchy
[-] a running sshd is a requirement


My script is copied-pasted from

I have also tried copy-pasting from the /usr/… folder, but the same output still occurred.

I just ran into the exact same issue @gIaNtAtHoS. Send me a DM if you were able to fix it. Working through it now.

*Just noticed somebody ran dirtycow on the box. Reverting and trying again.

**Worked fine after reverting and using vi to create the script.

Hey,

I have an issue when I try to privesc with the PAM 1.1.0 method. Whenever I get the script through wget or copy/paste it, when I run it, it asks for www-data’s password. I don’t understand why, as I use the same code as the one from the write-up and/or Ippsec’s video. I tried to reset the box and it still asks for the password. I’m puzzled.
Has anyone got this problem?
Thanks for your help :slight_smile:

@Teuch said:
Hey,

I have an issue when I try to privesc with the PAM 1.1.0 method. Whenever I get the script through wget or copy/paste it, when I run it, it asks for www-data’s password. I don’t understand why, as I use the same code as the one from the write-up and/or Ippsec’s video. I tried to reset the box and it still asks for the password. I’m puzzled.
Has anyone got this problem?
Thanks for your help :slight_smile:

Same here +1

[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
www-data@localhost's password: 

@mir0sh said:

Same here +1

[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
www-data@localhost's password: 

+1

Yep, same problem here. Tried exploits about PAM, tried a local privesc kernel exploit in C too … tried through vi, tried switching to another shell (tcp backconnect python shell), tried uploading/downloading exploits to and from the Popcorn machine, tried a reset.

No luck yet, even if I get those exploits to run: I always get a prompt for www-data’s password.

I’ll work on another machine in the meantime, maybe I need to clear my head of all those tries.

Don’t skip when reading a write up

@Arrexel said:
Run the exploit using bash 14339.sh or whatever you have it named as, enter toor as the password and we are now root! Grab the flag from /root/root.txt and call it a day.

and for people having trouble executing it (try to convert NL to CRLF)

I ran the exploit in all the above-mentioned ways but it’s asking for www-data’s password.

I’m burning in ■■■■ right now, trying to deal with this vi/vim/password nonsense. Tried to transfer with wget and run, it just gives some stupid error. I just don’t know how some boxes mysteriously do very strange things.

So the problem everyone’s having with this exploit is really easily fixed. Basically, it’s trying to overwrite both the passwd and the shadow file in the etc folder, but only succeeds in overwriting the passwd file. Luckily, to get root, you only NEED to overwrite the passwd file, so here’s what you do:
- change the ‘P’ variable in the exploit to this: ‘toor:peT.XxvLNbSrg:0:0:root:/root:/bin/bash’
- upload the file, chmod it, and run it
- when it asks for a password, just press enter until it stops asking for a password
- ssh in with user “toor” and password “password”
- do the root dance

Has there been an update on this? I’m still being asked for the www-data password.

@password1234 said:

Has there been an update on this? I’m still being asked for the www-data password.

Same here, I also modified the variable “P” as mentioned, but the output I got says that I don’t have permissions (publickey,password).

Same issue here. Really annoying if you follow the official guide and results differ. I was able to find another exploit that worked. SPOILER:

Got this from Exp1o1t9r’s Writeup: https://exp1o1t9r.com/2020/01/08/hackthebox-writeup-popcorn/

Same here, at least I am not alone.

I was also stuck on the www-data password prompt with 14339.sh.

I’m not sure why it “just works” in some cases, but I believe that my problem was the permissions on the /var/www/.ssh directory.

www-data@popcorn:/var/www$ ls -al /var/www/.ssh
total 16
drwxrwxrwx 2 www-data www-data 4096 May 13 17:59 .

SSH doesn’t like this directory being wide open; locking it down did the trick for me.

www-data@popcorn:/var/www$ chmod 700 /var/www/.ssh/

Source: Popcorn - Luniwiki


@slartybartfin said:

I was also stuck on the www-data password prompt with 14339.sh.

I’m not sure why it “just works” in some cases, but I believe that my problem was the permissions on the /var/www/.ssh directory.

www-data@popcorn:/var/www$ ls -al /var/www/.ssh
total 16
drwxrwxrwx 2 www-data www-data 4096 May 13 17:59 .

SSH doesn’t like this directory being wide open; locking it down did the trick for me.

www-data@popcorn:/var/www$ chmod 700 /var/www/.ssh/

Source: Popcorn - Luniwiki

Thank you for this! Changing /var/www/.ssh access worked!

Just in case anyone’s still struggling with the whole password prompt thing:
The password prompt for www-data happens when the SSH connection is initiated. Since SSH keys are created, it should happen without a password prompt, as is specified in the exploit’s source code: Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2) - Linux local Exploit

The thing is, OpenSSH ignores keys if certain conditions aren’t met regarding the file / folder permissions.
So here are the ones I know of:
private key → 600
.ssh folder → 700
authorized keys → 640

What worked for me is replacing the following line in the exploit

mv "$KEY.pub" ~/.ssh/authorized_keys || return 1

by these lines

# mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
cat "$KEY.pub"  >> ~/.ssh/authorized_keys || return 1
chmod 640 ~/.ssh/authorized_keys || return 1

Other permissions were already adequate so I didn’t bother with them.
Good luck!
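
Added example, not part of the post above or of any script discussed in this thread: a small audit that approximates the ownership and write-permission test sshd applies with StrictModes enabled, which is why a world-writable .ssh directory makes it fall back to a password prompt. The function names and the temporary demo tree are constructed for illustration.

```sh
#!/bin/sh
# Approximates sshd's StrictModes test for key-auth paths: a path passes
# when it is owned by the account (or root) and is not writable by
# group or others.

strict_ok() {  # usage: strict_ok PATH UID
    so_path=$1; so_uid=$2
    [ -e "$so_path" ] || { echo "MISSING   $so_path"; return 2; }
    so_line=$(ls -ldn "$so_path")          # numeric owner is field 3
    so_mode=$(printf '%s\n' "$so_line" | awk '{print $1}')
    so_owner=$(printf '%s\n' "$so_line" | awk '{print $3}')
    case $so_owner in
        0|"$so_uid") ;;
        *) echo "BAD_OWNER $so_path (uid $so_owner)"; return 1 ;;
    esac
    # Characters 6 and 9 of the mode string are group-write and other-write.
    so_gw=$(printf '%s' "$so_mode" | cut -c6)
    so_ow=$(printf '%s' "$so_mode" | cut -c9)
    if [ "$so_gw" = w ] || [ "$so_ow" = w ]; then
        echo "WRITABLE  $so_path ($so_mode)"; return 1
    fi
    echo "OK        $so_path ($so_mode)"
}

audit_ssh_paths() {  # usage: audit_ssh_paths HOME UID
    ap_home=$1; ap_uid=$2; ap_rc=0
    for ap_p in "$ap_home" "$ap_home/.ssh" "$ap_home/.ssh/authorized_keys"; do
        strict_ok "$ap_p" "$ap_uid" || ap_rc=1
    done
    return $ap_rc
}

# Constructed demo tree (not a real account): a 777 .ssh directory like the
# one in the ls output quoted earlier in the thread, then the chmod 700 fix.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 777 "$demo/.ssh"; chmod 640 "$demo/.ssh/authorized_keys"
audit_ssh_paths "$demo" "$(id -u)" || echo "=> sshd would ignore authorized_keys"
chmod 700 "$demo/.ssh"
audit_ssh_paths "$demo" "$(id -u)" && echo "=> key authentication can proceed"
rm -rf "$demo"
```

On a real host, run `audit_ssh_paths` against an account's home directory and numeric UID; sshd records the same refusal in its auth log when the check fails.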

Nice writeup!

Hi, why can’t I ever successfully upload a torrent? Thanks.