HackTheBox Popcorn walkthrough

Start with nmap

Only two ports are open. Nmap reveals the SSH and HTTP versions. Let's use gobuster.

We found that the server is hosting Torrent Hoster.

hackthebox popcorn – torrent hoster

Check whether we can find any vulnerability using searchsploit.

Found one, but not sure how it works. Send me the link on how to use it in the comments.

In /torrent, we can register ourselves and upload a torrent file. We can get a torrent file from a simple search in Google. We registered ourselves and uploaded the torrent. To exploit the box, we then edited the screenshot (PNG file) and sent it to Burp Suite.

In Burp Suite, append .php to the filename and, after some portion of the PNG content, add your PHP code. We used the default one in Kali Linux and set up a reverse-shell PHP file.

hackthebox popcorn – png file upload bypass

Send it and you will see the "Upload completed." message.

hackthebox popcorn – png upload okay

The file is uploaded to the upload directory. We can find our uploaded file there.

hackthebox popcorn – upload directory

Now listen on the port for the shell and click on the PHP file. We will get the shell.

We can play around to find some fruitful information.

Using the above credentials we can log in to MySQL, but it is of no use to us. Looking further for an exploit, I found this to be useful. We uploaded the C file and executed it to get root.

You can read the flags if you want.
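For the defender's side of the screenshot upload step above, here is an added example (not part of the original walkthrough and not Torrent Hoster's code) of a server-side check that rejects both tricks used there: a filename ending in .php and a PNG whose content has been cut short and followed by other bytes. The function names and the sample data are assumptions constructed for the illustration.

```python
import struct
import uuid
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_is_well_formed(data: bytes) -> bool:
    """Walk every chunk; reject bad CRCs, truncation and bytes after IEND."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            return False  # chunk runs past end of file: truncated or spliced
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False  # CRC covers chunk type + body
        if pos == len(PNG_MAGIC) and ctype != b"IHDR":
            return False  # first chunk must be IHDR
        if ctype == b"IEND":
            return end == len(data)  # nothing may follow IEND
        pos = end
    return False  # ran out of data before IEND

def accept_upload(client_filename: str, data: bytes):
    """Return a server-chosen storage name, or None if the upload is rejected."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext != "png":                    # "shot.png.php" ends in .php: rejected
        return None
    if not png_is_well_formed(data):    # non-image bytes spliced in: rejected
        return None
    return uuid.uuid4().hex + ".png"    # client-supplied name is never reused

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: minimal valid 1x1 grayscale PNG.
SAMPLE_PNG = (PNG_MAGIC
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
# Constructed sample: signature + IHDR only, then inert placeholder text.
SPLICED = SAMPLE_PNG[:33] + b"<?php /* placeholder */ ?>"
```

A structurally valid PNG can still carry arbitrary text inside an ancillary chunk, so the content check alone is not enough. The server-chosen .png name, together with an upload directory the web server never passes to the PHP interpreter, is what keeps an uploaded file from being executed.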
