Popcorn (10.10.10.6) Hack The Box

Son Gohan
SoulSecTeam
3 min read · Jun 29, 2019

My long day of work has finished me off.

1. Reconnaissance

Scan the target with nmap and save the results, using the following command:

nmap -sV -sC -oN 10.10.10.6.txt 10.10.10.6

The nmap results show ports 22 and 80 open. We access the open HTTP service on port 80.

As the next step, we enumerate port 80 with DirBuster, Nikto and Gobuster.

The enumeration finds the directories /test/ and /torrent (301 redirect).

We access both directories, /test/ and /torrent.

Bypass the login form with SQL injection by entering: Admin' or 1=1 -- -
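Why that input logs in, and what stops it, as an added example that is not from the original write-up or the target application. The table, column names and login functions are hypothetical (the real schema and query are not shown on the page), and SQLite stands in for the application's database.

```python
import sqlite3

# Username value quoted in the write-up.
PAGE_INPUT = "Admin' or 1=1 -- -"

def make_db():
    # Constructed sample table; a real application would store a password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_vulnerable_sql(username, password):
    # String concatenation: a quote in the input closes the string literal,
    # and "--" turns the rest of the statement (the password check) into a comment.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    return db.execute(build_vulnerable_sql(username, password)).fetchone()

def login_parameterized(db, username, password):
    # Placeholders bind the input as data, so the quote and "--" are never
    # parsed as SQL and the whole string is compared against the username column.
    return db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(PAGE_INPUT, "x"))
    print("concatenated :", login_vulnerable(db, PAGE_INPUT, "x"))
    print("parameterized:", login_parameterized(db, PAGE_INPUT, "x"))
    print("valid login  :", login_parameterized(db, "admin", "constructed-secret"))
```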

Login succeeds as user admin :)). The next step is to upload a shell file to the web application.

File shell:

I start Burp Suite and repeat the same upload process while using Burp as a proxy.

Burp Suite result: the PHP file is at http://10.10.10.6/torrent/upload/47c0f740d96977e1bc9c01d6fd6d292df7a46671.php

We start a listener for the reverse shell: $ nc -v -n -l -p 1234

We need to upload the shell file to the remote server… My usual way to do this is to use SimpleHTTPServer.

2. Privilege Escalation

We can download Linux Exploit Suggester 2 to the remote server. (Link here: https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl)

Run linux-exploit-suggester-2.pl and LinEnum.sh to gather information.

=)) CVE-2010-4258, CVE-2010-3850, CVE-2010-3849. Download the exploit file to the remote server and run it. (Link here: https://www.exploit-db.com/exploits/15704)

So easy =)) We can see the file root.txt.
