Thursday, January 3, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Popcorn, which is a retired machine from the Hack The Box pentesting platform:


- Popcorn's IP is

- Scanning with Nmap:

- Connecting with the browser:

- Dirbusting the web server:

- There is an interesting directory, torrent, which holds a Torrent Hoster application:

- The Upload tab might be promising:

- A login form is presented to the user:

- Creating a new user whitelist:whitelist with Sign Up:

- Login as whitelist:

- Clicking Upload to upload torrent files:

- Downloading Kali's torrent file from the original repository:


- Uploading Kali's torrent to Popcorn:

- Changing category to Other/Other (otherwise the upload doesn't work):

- The upload is successful:

- Clicking the filename, it appears that the Screenshot can be edited by uploading a new image; the accepted extensions are jpg, jpeg, gif and png:


- The exploitation consists of uploading a PHP payload to Popcorn's web server, executing it, and catching the resulting reverse shell connection.

- Creating an exploit with Msfvenom and saving it as exploit.php:

- However, exploit.php will probably be rejected because it does not have an image extension:

- Let's intercept the submission with Burp:

- Submitting exploit.php:

- Let's focus on this line:

- Changing to:

- Forwarding:

- The submission is successful:
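The walkthrough does not reproduce the request line it edited in Burp, so the following is an added example, not Torrent Hoster's code or the author's request: it assumes a screenshot-upload filter that trusts the Content-Type header of the multipart part (exactly the kind of check an intercepting proxy defeats), and puts a hardened check beside it that ignores the declared type and validates the extension and the file signature instead. Field names, the boundary, the PHP placeholder and the PNG sample are constructed for the example.

```python
"""Weak vs hardened validation of an image upload (added example, not the
page's code). The upload field name, boundary, payload and sample image
below are constructed; the filter logic is illustrative of the bypass."""
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}

# Well-known file signatures a genuine image starts with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def build_multipart(field, filename, data, part_content_type, boundary="----constructed"):
    """Build a single-part multipart/form-data body by hand, so the part's
    Content-Type header is whatever the client (or a proxy edit) says it is."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {part_content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail


def parse_part(body):
    """Minimal parser for the body above: returns (filename, declared_type, data)."""
    head, _, rest = body.partition(b"\r\n\r\n")
    filename = re.search(rb'filename="([^"]*)"', head).group(1).decode()
    declared = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
    data = rest.rsplit(b"\r\n--", 1)[0]
    return filename, declared, data


def weak_check(filename, declared_type, data):
    """Accepts anything whose declared part Content-Type is an image type.
    The filename and the bytes are never looked at, so exploit.php with a
    forged 'image/png' header passes."""
    return declared_type in ALLOWED_MIME


def hardened_check(filename, declared_type, data):
    """Ignores the declared type; the last extension must be allow-listed
    AND the bytes must carry the matching signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


def stored_name(filename):
    """Never reuse the client's filename on disk: random basename plus the
    validated extension only (assumes hardened_check already passed)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    php = b"<?php /* constructed placeholder for the msfvenom payload */ ?>"
    forged = build_multipart("screenshot", "exploit.php", php, "image/png")
    fn, ct, data = parse_part(forged)
    print("weak filter accepts forged upload:", weak_check(fn, ct, data))
    print("hardened filter accepts forged upload:", hardened_check(fn, ct, data))
```

Even with the hardened check, the upload directory should not be executable by the web server (no PHP handler for it) so that a polyglot that satisfies the signature check still cannot be run.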

- Now, where has exploit.php been uploaded?

- Dirbusting the folder /torrent we find a directory called upload:

- Connecting to /upload we locate exploit.php:

- Now, setting a Meterpreter listening session:

- To run exploit.php just click it:

- The Meterpreter session is achieved:

- Reading information about the system:

- Getting a remote shell:

- Improving the shell with:

- Going to /home and listing content:

- Going to user george's folder:

- Reading user's flag:


- Let's escalate privileges by exploiting the kernel in two ways:

4.1 - Dirtycow

- The kernel 2.6.31 is vulnerable to the Dirty COW exploit dirty.c:

- Dirty COW (Dirty copy-on-write, CVE-2016-5195) is a Linux kernel vulnerability: a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem, letting an unprivileged local user write to read-only memory mappings, including root-owned files such as /etc/passwd.

- According to the instructions in dirty.c, it creates a new user called firefart with uid 0 and a password provided by the attacker; it also backs up the original /etc/passwd to /tmp/passwd.bak, which should be restored afterwards.

- Copying the exploit and storing locally at Kali:

- Transferring dirty.c to Popcorn:

- Compiling dirty.c by following the instructions:

- Running dirty and entering the new password hola:

- Switching to the user firefart with password hola, we get a root shell:
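From the defender's side, the trace dirty.c leaves behind is a second uid-0 account in /etc/passwd. The following audit is an added example, not part of the walkthrough or of the exploit; the "before" and "after" passwd contents are constructed, with the root line rewritten the way the walkthrough describes (a firefart account that can su to a root shell).

```python
"""Audit passwd(5)-format text for rogue uid-0 accounts (added example,
not the page's code). Sample data below is constructed."""


def parse_passwd(passwd_text):
    """Yield (name, uid, shell) for every well-formed line."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line; a real audit would flag it separately
        yield fields[0], int(fields[2]), fields[6]


def uid0_accounts(passwd_text):
    """All account names that resolve to uid 0."""
    return [name for name, uid, _ in parse_passwd(passwd_text) if uid == 0]


def audit(passwd_text):
    """Return the findings a responder cares about: extra uid-0 accounts
    and whether the genuine root entry is still present."""
    zeros = uid0_accounts(passwd_text)
    return {
        "rogue_uid0": [n for n in zeros if n != "root"],
        "root_missing": "root" not in zeros,
    }


# Constructed sample: a clean file and the same file after the exploit
# replaced the root line with a firefart entry (hash shortened).
CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
george:x:1000:1000:George,,,:/home/george:/bin/bash
"""
TAMPERED = """firefart:$6$constructed$hash:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
george:x:1000:1000:George,,,:/home/george:/bin/bash
"""

if __name__ == "__main__":
    print("clean:", audit(CLEAN))
    print("tampered:", audit(TAMPERED))
```

On a live box the one-liner equivalent is `awk -F: '$3 == 0' /etc/passwd`; any name other than root in that output, or no root line at all, warrants pulling the /tmp/passwd.bak backup the exploit leaves and comparing.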

4.2 - Full-Nelson.c Local Privilege Escalation

- The kernel 2.6.31 is also vulnerable to the exploit 15704.c (full-nelson.c):

- Downloading 15704.c to Kali:

- Transferring 15704.c from Kali to Popcorn's /tmp folder:

- Compiling 15704.c according to the instructions:

- Running the exploit, a root shell is achieved:


- Reading root.txt: