HTB Popcorn Walkthrough

Hadi AL Halbouni
Mar 28, 2021

Popcorn is one of the easiest Linux boxes on HackTheBox. It runs the Torrent Hoster web app, which is vulnerable to file upload, and the kernel version of the running OS is vulnerable to DirtyCow, which gives us root access when we exploit it.

We start with an Nmap scan to check for open ports and services:

nmap -sT -sV -sC 10.10.10.6

  • Port 22 runs OpenSSH 5.1p1
  • Port 80 runs Apache httpd 2.2.12

We start the HTTP enumeration by navigating to http://10.10.10.6

We get the default web page for the server.

Running Dirb on the box will give us some interesting results

The /index page contains the default web page for the server

The /test contains phpinfo

The /torrent contains a Torrent Hoster forum which is a forum for uploading and sharing Torrent files

We click on Sign Up to create an account (I tried to log in using default creds like admin:admin but I wasn’t able to log in)

Now we log in with our newly created account, go to upload, and upload a normal torrent file with a .torrent extension

After uploading the file we see that we can edit it and add a screenshot to it

So probably we have a file upload vulnerability here

I have a PHP reverse shell. I renamed it to rev.php.jpg and I was able to bypass the extension restriction, and then I changed the name of it back to rev.php while uploading it using Burp

I navigated to /torrent/upload and I found our PHP shell in it

I listened locally on port 4444 using Netcat, and my PHP shell was configured to connect back to my local machine on port 4444 and I got a shell on the server
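From the defender's side, the upload step above works when the stored file name and extension come from fields in the client's request. The following is an added example, not code from Torrent Hoster or from the original post: a sketch of a server-side check that ignores those fields, with the function names, allow-list and size limit all being assumptions.

```python
import secrets

# Assumed allow-list for the "screenshot" upload: leading magic bytes -> stored extension.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails validation."""


def sniff_extension(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def stored_name_for(client_filename: str, client_content_type: str, data: bytes) -> str:
    """Decide the on-disk name for an upload.

    client_filename and client_content_type are request fields the client controls
    (both can be edited in a proxy), so neither is used to build the name.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = sniff_extension(data)
    if ext is None:
        raise UploadRejected("content is not an allowed image type")
    # Random server-side name: no client-chosen extension such as .php survives.
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not captured traffic).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SCRIPT_BYTES = b"<?php /* placeholder script body */ ?>"

if __name__ == "__main__":
    print(stored_name_for("rev.php", "image/jpeg", JPEG_BYTES))  # stored as <random>.jpg
```

Content sniffing does not remove script text embedded in a valid image; the server-assigned extension, together with an upload directory the web server does not execute scripts from, is what keeps such a file from running.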

We upgrade our shell to TTY

python -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm-256color

The users on the server that have access to the shell are george and root

We navigate to /home/george and we are able to read the user.txt

Privilege escalation to root:

I checked the kernel version, and there was a kernel exploit for it

I downloaded the exploit, then uploaded it to the victim machine using a Python simple HTTP server,

and I compiled it using

gcc nelson-full.c -o nelson

When I ran it I became root

Written by Hadi AL Halbouni

Cybersecurity Analyst with a B.Sc in Software Engineering and 2 M.Sc degrees in Cybersecurity. Skilled in detection, response and passionate about red teaming
