PopCorn Walkthrough
Hey Everyone! Today we have the first medium retired machine from Hack The Box, and itβs called PopCorn. Before we get started, letβs take a look at its info


Itβs a good one and seems like a Real Life challenge.
Nmap Scan
Letβs start our scan with nmap
scan to know what open ports we have and where we will start our enumeration
nmap -A -T4 -oG popcorn.gnmap 10.10.10.6 | tee -a nmap

Good, we have 2 open ports 80 and 22
so letβs start with the website
Website Enumeration

we donβt have any useful information here, so letβs try to brute-force the directories by using gobuster
gobuster dir -u 10.10.10.6 -w /path/to/wordlist -l | tee -a gobuster

We have /torrent
directory, letβs check it

good, we have a Torrent Hoster webpage. At the end of this page

It depends on Torrent Hoster
and after searching for it

Iβve found that itβs vulnerable by remount upload vulnerability, letβs check its details

we have the vulnerable link, letβs check if itβs valid in our case or not

Itβs valid, but it requires us to be authenticated, so Iβve created an account for me, and you can create one also, itβs easy
User flag
After login as a normal user, we have an upload function

Iβve checked it in more than one way, but itβs not vulnerable, and it accepts only .torrent
files.
After uploading any test torrent file, Iβve found that I can upload an image as a screenshot related to the torrent file.

Letβs try to exploit it
Iβll upload a file with an extension .php.png

And Iβll intercept it and change the extension to .php

You can get this reverse_shell file from pentestermonkey github account
and the result is

It works, good
Letβs access the /upload
directory

We have our file here, we need to open 4444
port using nc
by typing nc -lvp 4444
and then open our shell file

We have a shell now, and we can open the user flag
Root flag
Iβve used linux-exploit-suggester
a script from GitHub to check for any kernel exploits which may lead us to be the root
and the results are

Awesome, we have a bunch of kernel exploits.
You can use anyone of them, and it will work, Iβve select rds
and after getting it to my box by using wget
command and open my kali
as a web server and also compiling it by using gcc
as you can see, it opens a root shell, and it works :)

And now we have the root flag β€
Congrats β€
Stay in touch
Last updated