Hack The Box Popcorn


We can start the enumeration using nmap scan

nmap -sC -sV

The output shows that there are two ports open 22 (SSH) , 80 (HTTP)

 By visiting HTTP we get a It works page

Seems like there is no interesting so we can do further enumeration by doing a directory brute force

So there is a directory called torrent , By visiting this we have page called torrent hoster 

Now we can see that we have an upload page but we need an account by creating an account we can create a torrent 

By uploading an torrent file there is an option to add an image as a thumbnail

We can upload a php shell by uploading a php shell with an image extension and intercepting the request on burpsuite and changing the extension to php

By changing the gif extension to php the file gets uploaded and we can access it in the /uploads directory

Privilege escalation

There are two privilege escalation methods in this box 

  • First one is a kernel exploit 
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation 

  • Second one is   
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation


Popular posts