Popcorn HackTheBox Walkthrough

1. Enumeration

With that, we run dirbuster to check for possible directories.

So the main directories we have are cgi-bin, doc and torrent, plus a PHP file called test.php.

While cgi-bin yields nothing, test.php leads us to a phpinfo page, which we take note of.

The torrent directory is the most interesting, as it leads us to a page called Torrent Hoster.

searchsploit even lists one exploit for it, called Remount Upload.

Trying Admin:admin does not work, and a Google search for default credentials yields nothing either. We can sign up instead, and perhaps find a way to upload a shell into Torrent Hoster.

And we successfully register an account.

Once we log in, we are directed to a page listing the torrents we have uploaded, which is naturally empty since we just created the account. But we know we can upload files, which is a good sign.

2. Exploitation

Now we are on the upload page, and from the txt file we got from searchsploit earlier:

We can tamper with the upload data or upload files, and find shells.

Let’s try to upload a reverse shell PHP script.

And oops, they do check if it’s a valid torrent file. But that’s not gonna stop us!

First, let’s create a torrent file using https://kimbatt.github.io/torrent-creator/, an online torrent creator. Since anything can be made into a torrent, I will just use the same reverse shell PHP file and make a torrent of it.

Now the torrent file uploads successfully! And look, we can upload screenshots, which probably require image extensions such as png or jpg. We can reuse the same reverse shell script, except that we rename it to .png.php or .jpg.php to perhaps bypass the checks.

Oh. An unsuccessful upload.

Looks like we have to fire up Burp in order to modify the request.

In Burp’s view of the request we can see why the upload failed: the Content-Type of our file was not an image type, so we change application/x-php to image/png.

And once we forward the modified request, our upload succeeds.
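The check we just bypassed trusted the client-supplied Content-Type header and kept the client's filename. As an added example, not Torrent Hoster's own code, here is how a PHP upload handler can validate a screenshot without trusting either; the form field name `screenshot` and the storage directory `/var/www/uploads_private` are assumptions.

```php
<?php
// Added example, not Torrent Hoster's own code: validate a "screenshot" upload
// without trusting anything the client says about the file.
// Assumptions: form field "screenshot", files stored in /var/www/uploads_private
// (outside the web root, so nothing stored there is ever executed as PHP).

function validate_screenshot(array $file, string $storeDir): string
{
    // Real MIME type (sniffed from the bytes on disk) -> extension the server assigns.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $maxBytes = 2 * 1024 * 1024;

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // $_FILES[...]['type'] is only the Content-Type header the client chose
    // (the value rewritten in Burp above), so sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset($allowed[$detected])) {
        throw new RuntimeException('rejected content type');
    }
    // Second opinion: a genuine image must also decode as one.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Discard the client's filename entirely: a name like shell.png.php would
    // otherwise be executed by Apache setups that match ".php" anywhere in the name.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in the upload endpoint:
// $stored = validate_screenshot($_FILES['screenshot'], '/var/www/uploads_private');
```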

And when we open the screenshot (by clicking on Image File Not Found!)

We get our reverse shell! But not root!

3. Privilege Escalation

Hmm, we are unable to run sudo -l, so we have to bring in our linuxprivchecker.

So there is a user called george, and we have user.txt.

In george’s folder, there is a second directory called .cache.

And in it we have a file called motd.legal-displayed. A Google search shows that motd stands for message of the day.

According to searchsploit, there are two .sh scripts that perform privilege escalation via the MOTD mechanism alone! Great, looks like we are not in a rabbit hole.

Here’s the first script. However, we would have to re-SSH or log back into the shell to trigger the vulnerable MOTD code, after which the chosen file becomes owned by our user. That sounds like a lot of trouble, and we would not exactly be root; we would merely own the file. Not what we want, though it is still a form of privilege escalation.

The second script, however, gives us a new root user called toor with uid 0. This is what we want, since we want to own the entire machine rather than a single file.

So we copy the script and try running it, and we get a bad interpreter error, which can be resolved with a sed command.

Next we check how we can transfer files to the exploited machine. wget works, which is great news.

Next we start a server on our machine to host the script.

Alright, looks like we are unable to write into george’s directory. But we definitely can write into /tmp.

Hmm, wrong password.

It took a while, but a search reveals that for the exploit to work, we have to check the permissions on the .ssh directory.

As you can see, mine was set to 777.

We change it to 700 with chmod.

And now when you run the script, it works!

Verifying that the exploit worked: as you can see, toor has been added at the end of /etc/passwd.

And… root!

I would say this box is not that easy, especially since the exploit script did not work initially. I had to do quite a bit of research to find the “fix”. Getting the reverse shell, however, was fairly simple, since little modification was required and it is quite the standard way to do it!