HTB Popcorn Walkthrough

Hadi AL Halbouni
Mar 28, 2021

Popcorn is one of the easiest Linux boxes on HackTheBox. It runs the Torrent Hoster web app, which is vulnerable to file upload, and the kernel version of the running OS is vulnerable to DirtyCow, which gives us root access when we exploit it.

We start with an Nmap scan to check for open ports and services:

nmap -sT -sV -sC 10.10.10.6
  • Port 22 runs OpenSSH 5.1p1
  • Port 80 runs Apache httpd 2.2.12

We start the HTTP enumeration by navigating to http://10.10.10.6

We get the default web page for the server.

Running Dirb on the box will give us some interesting results

The /index page contains the default web page for the server

The /test contains phpinfo

The /torrent contains a Torrent Hoster forum which is a forum for uploading and sharing Torrent files

We click on Sign Up to create an account (I tried to log in using default creds like admin:admin but I wasn’t able to log in)

Now we log in with our newly created account, go to upload, and upload a normal torrent file with the .torrent extension

After uploading the file we see that we can edit it and add a screenshot to it

So probably we have a file upload vulnerability here

I have a PHP reverse shell. I renamed it to rev.php.jpg and I was able to bypass the extension restriction, and then I changed its name back to rev.php while uploading it using Burp

I navigated to /torrent/upload and I found our PHP shell in it

I listened locally on port 4444 using Netcat, and my PHP shell was configured to connect back to my local machine on port 4444, and I got a shell on the server
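The bypass works because the upload handler trusts the filename and type sent by the client. As an added example (not code from Torrent Hoster or from the original post), this sketch shows the server-side check that closes it: the stored name is derived from the file's content, and an audit helper flags script extensions in an upload directory. The function names, size limit and sample bytes are assumptions.

```python
import secrets

# Detected image type: magic-byte prefix -> extension the server assigns.
MAGIC_TO_EXT = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for a screenshot


class UploadRejected(Exception):
    """Raised when an upload fails server-side validation."""


def stored_name_for(client_filename, client_content_type, data):
    """Pick the on-disk name for a screenshot, or raise UploadRejected.

    The two client_* arguments are deliberately unused: both are request
    fields that can be rewritten in a proxy after any browser-side check.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    for magic, ext in MAGIC_TO_EXT.items():
        if data.startswith(magic):
            # Random server-chosen name plus allowlisted extension.
            return secrets.token_hex(16) + ext
    raise UploadRejected("content is not an allowed image type")


def script_named_files(names):
    """Audit helper: names in an upload directory with a script extension
    in ANY position (rev.php, rev.php.jpg), not only the last one."""
    return [n for n in names
            if SCRIPT_EXTS & {p.lower() for p in n.split(".")[1:]}]


# Constructed sample inputs (not taken from the box).
PHP_BODY = b"<?php /* placeholder script body */ ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    print(stored_name_for("shot.png", "image/png", PNG_BODY))
    print(script_named_files(["a1b2.png", "rev.php", "rev.php.jpg"]))
```

A magic-byte check alone still accepts a real image with script text appended, so the upload directory should also be served with script execution disabled.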

We upgrade our shell to a TTY

python -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm-256color

The users on the server that have access to the shell are george and root

We navigate to /home/george and we are able to read the user.txt

Privilege escalation to root:

I checked the kernel version, and there was a kernel exploit for it

I downloaded the exploit, then uploaded it to the victim machine using a Python simple HTTP server.

and I compiled it using

gcc nelson-full.c -o nelson

When I ran it I became root
