HTB Popcorn
HTB Popcorn Walkthrough
Let's start off with an nmap scan to see what ports are open.

Looks like only SSH and HTTP are open, so let's add popcorn.htb to our hosts file and go see the website.

Going to the website, we get a generic “It works!” web page. Let's run gobuster and see if we can find anything else.

Gobuster brings back a few interesting directories. Let's take a look in /torrent first.

We are brought to this torrent hoster. Let's make an account and see what we can do.

I found an upload page, but was not able to find a way to upload a PHP file. The only file I was able to get to upload was a real torrent file.

After uploading the torrent, it brought me to this page. I was not able to figure a whole lot more out right now, so I moved on to the other directories I found. Let's move over to /rename.

Looks like /rename is some sort of API we can use to rename files if we know their location. Let's test it out and see if we can rename a file.

Trying to rename test.php brings back this error that shows us where this file is located. Let's reconfigure our request and try again.


After adding the full path, we were able to successfully rename the file. Let's go back to the torrent file we uploaded and see if we can find a way to get a PHP file uploaded.

Going back to our upload, I was able to find a way to upload a screenshot. I renamed my webshell to web.png and was able to upload a PHP file as a PNG. Let's see if we can go to /upload and find the file we uploaded.

In the upload folder we see 3 files, one of which is our PHP file. Let's craft a request in the rename API to change the name to what it should be: web.php.

We now successfully have a webshell with remote code execution! Let's upload an interactive shell and begin checking for a way to increase privileges.
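
The chain above works because the screenshot upload accepted a PHP file under a .png name and /rename then let its extension change. A hardened version of both handlers follows as an added example, not the torrent hoster's own code; UPLOAD_DIR, the function names and the allowed image types are assumptions.

```php
<?php
// Added example (not the application's code). UPLOAD_DIR and the function
// names are assumptions made for illustration.
const UPLOAD_DIR = '/var/www/torrent/upload';  // hypothetical path
const IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Return the canonical path if $path lies inside UPLOAD_DIR, else null.
function confine(string $path): ?string
{
    $base = realpath(UPLOAD_DIR);
    $dir  = realpath(dirname($path));          // resolves ../ and symlinks
    if ($base === false || $dir === false) {
        return null;
    }
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . basename($path);
}

// Store a screenshot: the type is decided from file content and the stored
// name is generated by the server, so a PHP file named web.png is rejected.
function store_screenshot(string $tmpFile): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
    if ($mime === false || !isset(IMAGE_TYPES[$mime])) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . IMAGE_TYPES[$mime];
    return move_uploaded_file($tmpFile, $dest) ? $dest : null;
}

// Rename only within UPLOAD_DIR and only when the extension stays the same,
// so web.png can never become web.php. Failures return false, no path echoed.
function safe_rename(string $old, string $new): bool
{
    $src = confine($old);
    $dst = confine($new);
    if ($src === null || $dst === null || !is_file($src) || file_exists($dst)) {
        return false;
    }
    $extOld = strtolower(pathinfo($src, PATHINFO_EXTENSION));
    $extNew = strtolower(pathinfo($dst, PATHINFO_EXTENSION));
    if ($extOld !== $extNew || !in_array($extNew, IMAGE_TYPES, true)) {
        return false;
    }
    return rename($src, $dst);
}
```

Serving the upload directory with script execution disabled covers the remaining case of a file that has valid image headers but still carries PHP.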

From our shell we can see that we are still www-data, but we can still get the user.txt file in george’s directory. Let's upload a Linux enumeration script and see if it has any suggestions to get root.

The script I ran is saying that we should try using a kernel exploit that you can find at https://github.com/lucyoa/kernel-exploits/tree/master/full-nelson
Let's upload the binary to the server and see if we can get root!

Looks like full-nelson worked! We were able to upload it, got root, and were able to get the root flag!
Filed under: HTB,Non-Metasploit - @ August 10, 2021 5:01 am