PopCorn Walkthrough

Hey Everyone! Today we have the first medium retired machine from Hack The Box, and it’s called PopCorn. Before we get started, let’s take a look at its info

It’s a good one and seems like a Real Life challenge.

Nmap Scan

Let’s start with an nmap scan to find the open ports and decide where to begin our enumeration

nmap -A -T4 -oG popcorn.gnmap 10.10.10.6 | tee -a nmap

Good, we have 2 open ports, 80 and 22, so let’s start with the website

Website Enumeration

We don’t have any useful information here, so let’s try to brute-force the directories using gobuster

gobuster dir -u 10.10.10.6 -w /path/to/wordlist -l | tee -a gobuster

We have a /torrent directory, let’s check it

Good, we have a Torrent Hoster webpage. At the end of this page

The site runs on Torrent Hoster, and after searching for it

I’ve found that it’s vulnerable to the Remount Upload vulnerability, let’s check its details

We have the vulnerable link, let’s check whether it’s valid in our case or not

It’s valid, but it requires us to be authenticated, so I’ve created an account for myself; you can create one too, it’s easy

User flag

After logging in as a normal user, we have an upload function

I’ve checked it in more than one way, but it isn’t vulnerable: it accepts only .torrent files.

After uploading any test torrent file, I’ve found that I can upload an image as a screenshot related to the torrent file.

Let’s try to exploit it

I’ll upload a file with the extension .php.png

and I’ll intercept the request and change the extension to .php

You can get this reverse shell file from the pentestmonkey GitHub account

and the result is

It works, good
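The screenshot upload above went through because the server trusted the client-supplied filename. As an added example (not code from the post or from Torrent Hoster), here is the kind of server-side check that stops both tricks the walkthrough uses: a double extension such as .php.png, and a filename rewritten to .php after the browser-side check has run. The sample uploads, the magic-byte table and the stored-name scheme are all constructed for this example.

```python
import os
import secrets

# Constructed sample uploads: (client-supplied filename, first bytes of content).
# The PNG/JPEG/GIF headers are the real file signatures; the names are made up.
SAMPLE_UPLOADS = {
    "cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "cover.PNG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    "shell.php.png": b"<?php system($_GET['c']); ?>",
    "shell.php": b"<?php system($_GET['c']); ?>",
}

# Allowlisted image extensions and the leading bytes a file of that type must carry.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions the web server would hand to the PHP interpreter; never stored under any name.
SCRIPT_EXTS = {"php", "phtml", "php3", "php5", "phar"}


def weak_check(filename: str) -> bool:
    """A name-only substring test of the kind a double extension slips past.

    'shell.php.png' is accepted because the string contains 'png'; the content
    is never inspected. Shown here only as the contrast to strict_check().
    """
    return any(ext in filename.lower() for ext in ALLOWED)


def strict_check(filename: str, content: bytes) -> bool:
    """Accept only a single allowlisted extension whose content matches its signature."""
    base = os.path.basename(filename)          # drop any path component the client sent
    if "." not in base:
        return False
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if not stem or ext not in ALLOWED:
        return False
    if "." in stem:                            # reject name.php.png style double extensions
        return False
    if stem.lower().rsplit(".", 1)[-1] in SCRIPT_EXTS:
        return False
    return content.startswith(ALLOWED[ext])    # the bytes must be what the extension claims


def stored_name(filename: str) -> str:
    """Never reuse the client's name: random stem plus the (already validated) extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def triage(uploads: dict) -> dict:
    """Run both checks over the sample set; returns {name: (weak_result, strict_result)}."""
    return {name: (weak_check(name), strict_check(name, data)) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (weak, strict) in triage(SAMPLE_UPLOADS).items():
        print(f"{name:16} weak={weak!s:5} strict={strict}")
```

Even with the strict check in place, the upload directory should be served with script execution disabled (for Apache, a `php_flag engine off` or equivalent in that directory's configuration), so that a file which does slip through is returned as static content rather than run.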

Let’s access the /upload directory

We have our file here. We need to listen on port 4444 with nc by typing nc -lvp 4444 and then open our shell file

We have a shell now, and we can read the user flag
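Every step of this foothold leaves a trace in the web server's access log: a listing of the upload directory, and then a GET for a .php file inside it. As an added example (not part of the original post), the script below parses a few constructed Apache-style log lines and flags both patterns; the upload path (/torrent/upload/, assumed here to be where the app stores screenshots), the client addresses and the timestamps are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined"-style line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_DIR = "/torrent/upload/"                       # assumption: where screenshots are stored
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")

# Constructed sample log; not captured from any real host.
SAMPLE_LOG = """\
10.10.14.2 - - [04/Apr/2021:10:01:12 +0000] "GET /torrent/ HTTP/1.1" 200 1742
10.10.14.2 - - [04/Apr/2021:10:02:30 +0000] "POST /torrent/torrents.php?mode=upload HTTP/1.1" 302 0
10.10.14.2 - - [04/Apr/2021:10:03:05 +0000] "GET /torrent/upload/ HTTP/1.1" 200 912
10.10.14.2 - - [04/Apr/2021:10:03:20 +0000] "GET /torrent/upload/abc123.php HTTP/1.1" 200 0
10.10.14.5 - - [04/Apr/2021:10:05:00 +0000] "GET /torrent/upload/abc123.png HTTP/1.1" 200 53010
this line is not in log format
"""


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Name the suspicious pattern a parsed request matches, or None if it is benign."""
    path = rec["path"].split("?", 1)[0].lower()      # ignore the query string
    if not path.startswith(UPLOAD_DIR):
        return None
    if path == UPLOAD_DIR and rec["status"] == "200":
        return "directory listing of upload dir"
    if path.endswith(SCRIPT_EXTS):
        return "script fetched from upload dir"
    return None


def flag(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every parsable line; each hit carries the reason and the raw line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append({"ip": rec["ip"], "path": rec["path"], "reason": reason, "line": line})
    return hits


if __name__ == "__main__":
    for hit in flag(SAMPLE_LOG):
        print(f"{hit['ip']}  {hit['reason']}: {hit['path']}")
```

The two rules are deliberately narrow so that normal image fetches from the upload directory (the .png line) stay quiet; on a real deployment the same two conditions are also worth preventing outright, by turning off directory indexes and script execution for that path.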

Root flag

I’ve used linux-exploit-suggester, a script from GitHub, to check for any kernel exploits which may lead us to root

and the results are

Awesome, we have a bunch of kernel exploits.

You can use any one of them and it will work. I’ve selected rds; after getting it onto the box with wget (serving it from my Kali machine as a web server) and compiling it with gcc, as you can see, it opens a root shell, and it works :)

And now we have the root flag ❤

Congrats ❤

Stay in touch

LinkedIn | GitHub | Twitter