HTB Retires: Popcorn
Popcorn was a very interesting box; it took me a few days to complete, and this is how I did it.
First off, as always, let's run some scans!
As we can see, port 80 and port 22 are open.
Next I take a look at the site in the browser to see if I spot anything interesting.
Nothing interesting here, but after looking at the Nmap scans I see that "Apache http 2.2.12" is running.
Let's see if there are any exploits for this:
Yes, after running a search in Metasploit, several exploits come up, but nothing catches my eye as something likely to work. Let's continue with some enumeration. DirBuster is always a good tool to use!
Once the scans are completed, I take a look at the Tree View results and see the 'torrent' path. Let's take a look at that and see what we find!
When I visit the /torrent path, I see a login page. I register and log in, then make my way to the uploads section of the page. To test whether I can actually upload anything, I download a copy of my favorite flavor of Linux, Manjaro, to get a torrent file.
Success! Now I see that I can edit the torrent to upload an image with an extension such as jpg, jpeg, gif, etc.
Before I submit the upload, I run Burp Suite to see what I can capture.
Once captured, I can change how I want to send the request. I like to use the PHP payloads from PentestMonkey. After I edit the code, I place it into Burp Suite before I send it off.
After the modified code is placed in Burp Suite and I change the extension to php, I forward the payload.
After you forward the payload, check the /torrents/uploads directory, which can be seen in your DirBuster results. There you will see the payload that you renamed in Burp Suite.
Before clicking on the upload, you have to start a listener such as Netcat to catch the callback.
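The upload bypass above works because the site only trusts the file name the browser sends. As an added example (my own code, not from the box or the original post), here is the server-side check a defender would want: an extension allow-list, a magic-bytes check that the content really matches that extension, and a server-chosen stored name so a client-supplied name never reaches disk. The magic-byte table and the sample uploads are constructed for this example.

```python
import os
import secrets
from typing import Optional, Tuple

# Allow-listed image extensions and the magic bytes a file of that type must
# start with (assumed values chosen for this example, not from the original post).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed sample uploads, not real files from the box: two image-like files,
# a script renamed to .php, a double extension, and a path-traversal style name.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    "shell.php": b"<?php echo 'not an image'; ?>",
    "shell.php.jpg": b"<?php echo 'not an image'; ?>",
    "../evil.jpg": b"\xff\xd8\xff" + b"\x00" * 16,
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). A file is accepted only if its extension is
    allow-listed AND its content starts with that type's magic bytes, so simply
    renaming a script in a proxy (as in the post) is no longer enough."""
    base = os.path.basename(filename)  # ignore any directory components
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Name to store the file under: a random token plus the validated
    extension. The client's own name is never used, so a double extension
    like x.php.jpg cannot reach a handler that executes on '.php'."""
    ok, _ = validate_upload(filename, data)
    if not ok:
        return None
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Running each entry of SAMPLES through validate_upload accepts only the two image-like files and the traversal-named JPEG (which is then stored under a random name), and rejects both PHP samples.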
Shell yeah! A nice shell I have now. After looking around, I cat the user.txt file.
I check which kernel version is running by using the uname -a command.
Next I search the internet for an exploit that I can use against the kernel, and I find a GitHub repo with a ton of good sources.
Next I start a simple server and wget the script over so I can use it after renaming it.
Now you can see the transfer with wget was a win. Now let's execute it and get root.txt.