Popcorn (HTTP Request Tampering)

So this machine has mainly 2 ports open which are 80 and 22. Lets go to the http server and here we see that the server says its working and this is a blank page almost so lets do directory busting and we find out there is a directory called torrent and there we have a login form and a torrent downloading and uploader section but the upload section which is very intresting but we cant access it without logging in so lets try logging in with default credentials and i found none of them were working so i tried to make a new account with just random information and it worked and i can also upload .

I tried uploading stuff like php files and png files and stuff and the file type that was accepted is .torrent so lets try uploading a new .torrent file we can downlaod from somewhere and once its uploaded lets go to browse and click on the torrent and here we see an option to edit screenshot and then here we see that the only allowed formats are png,jpg and so .So lets try to manipulate and bypass these filters by trying to name the file shell.png.php and then it will bypass the first filter but we will still have to change the content-type in the http post request .

shel.png.php file will have a reverse shell from pentest monkey.

We can do that in Burp Suite by just intercepting the request before uploading the shell.png.php and then lets change and tamper the request in Burp Suite mainly we just have to change the Content-Type = image/png in our case and uplaoding the file which we can access now in the upload directory ip/upload/theweirdnumber.php

and before accessing it we have to listen on the port defined in the reverse shell with netcat.

nc -nvlp port

and then access the uploaded file which will give us a shell on nc listener .

and then its gonna be a bad shell so we can import tty and make it better.

python -c 'import pty; pty.spawn("/bin/sh")' /code

and its gonna get better so lets traverse to /home/george and cat the user.txt flag.

And then lets look around by doing ls -la we will see that in the cache directory there is a weird file called motd something.

lets searchsploit that and see if we get something and we do there is https://www.exploit-db.com/exploits/14339.

Which we can download or copy into a script locally and then host a python server and execute it on the target.Or you can try to copy the shell code to the target machine directly using vim or vi and then this exploit will create a account with root privellages for us with the username toor and password toor which we can use to login into ssh and then gg cat out the root flag.