HTB Retires: Popcorn


Popcorn was a very interesting box. It took me a few days to complete, and this is how I completed it.

First off, as always, let's run some scans!


As we can see, Port 80 and Port 22 are open.

Next I take a look in the browser to see if there is anything interesting.

Nothing interesting here, but after looking at the Nmap scans I see "Apache http 2.2.12" is running.

Let's see if there are any exploits for this:

Yes, after running a search in Metasploit, several exploits come up. Nothing catches my eye as something that would work. Let's continue with some enumeration. Dirbuster is always a good tool to use!


Once the scans are completed, I take a look at the Tree View results and see the extension for 'Torrent'. Let's take a look at that to see what we find!

When I visit the /torrent extension, I see a login page. I register and log in, then make my way to the uploads section of the page. Now, to test whether I can actually upload anything, I download a copy of my favorite flavor of Linux, "Manjaro", to get the torrent.

Success! Now I see that I can edit the torrent to upload an image with an extension such as jpg, jpeg, gif, etc.

Before I submit the upload, I run BurpSuite to see what I can capture.

Once captured, I can change how I want to send the packet. I like to use the PHP payloads from PentestMonkey. After I edit the code, I place it into BurpSuite before I send it off.

After the newly modified code is placed in BurpSuite and I change the extension to php, I forward the payload.

After you forward the payload, check the /torrents/uploads directory, which can be seen in your Dirbuster results. There you will see the payload that you renamed in BurpSuite.
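
Seen from the defender's side, the steps above work because the file was stored with the php extension set in the proxy-edited request. The following is an added example, not code from this box or from the torrent application: a server-side upload check in Python that ignores the client-supplied type, identifies the image from its leading bytes, and chooses the stored filename itself. The function names, the signature table (including png) and the 2 MiB limit are assumptions, and the sample inputs are constructed.

```python
import os
import secrets

# Leading-byte signatures for the image types the upload form accepts
# (assumed set: the page lists jpg, jpeg, gif "etc").
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a screenshot image


def sniff_image_type(data):
    """Return the image type implied by the file's first bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def validate_upload(client_name, client_type, data):
    """Return (True, stored_name) or (False, reason) for one uploaded file.

    client_name and client_type come from the request, so an intercepting
    proxy can set them to anything; client_type is ignored on purpose and
    client_name can only cause a rejection, never choose the stored name.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not an allowed image"
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if {"jpeg": "jpg"}.get(ext, ext) != kind:
        return False, "extension does not match content"
    # A valid image header followed by script code is rejected as well.
    if b"<?php" in data.lower():
        return False, "embedded script marker"
    # Server-chosen random name with an extension derived from the content.
    return True, secrets.token_hex(16) + "." + kind


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(validate_upload("cover.gif", "image/gif", b"GIF89a" + b"\x00" * 32))
    print(validate_upload("shell.php", "image/png", b"<?php echo 1; ?>"))
```

Storing uploads outside the web root, or in a directory where the web server does not execute scripts, covers the case where a check like this is bypassed.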

Before clicking on the upload, you have to start a listener, such as Netcat, to catch the payload.


Shell yeah! Nice shell I have now. After looking around, I cat the user.txt file.

I check to see what version is running by using the uname -a command.

Next I search the internet for an exploit that I can use against the kernel, and I found a GitHub repository with a ton of good sources.

Next I started a simple server and wget the script to use it after I renamed it.


Now you can see the upload with wget is a win. Now let's execute it and get the root.txt.
