Web


Nmap discovered a web server running on port 80 of the target.

Webroot

It appears to be the page for the default Apache installation.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/popcorn]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .html,.php,.txt 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.6/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .html .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index                   [Status: 200, Size: 177, Words: 22, Lines: 5, Duration: 3410ms]
index.html              [Status: 200, Size: 177, Words: 22, Lines: 5, Duration: 3413ms]
test.php                [Status: 200, Size: 47140, Words: 2474, Lines: 651, Duration: 43ms]
test                    [Status: 200, Size: 47128, Words: 2474, Lines: 651, Duration: 48ms]
torrent                 [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 31ms]
rename                  [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 30ms]
:: Progress: [882188/882188] :: Job [1/1] :: 774 req/sec :: Duration: [0:11:56] :: Errors: 1 ::

Fuzzing the web root reveals a few interesting files and directories.

/test.php


The file is the output of phpinfo().

/torrent/


The /torrent/ directory appears to be a torrent hosting service.

The footer indicates that the application is powered by Torrent Hoster and embeds an external link, but that link points to myanmartorrents. A change of name?

Login & Signup


There is a login section.

Authentication Bypass

Testing authentication bypass with SQLi.

It worked! Those parameters were vulnerable to SQLi.

Admin Panel

The admin panel has a set of features. I checked all of them; they either contain nothing or nothing of any use. There is only one user, admin.

About


The About tab also mentions myanmartorrents, so I would conclude that myanmartorrents and Torrent Hoster are the same or closely related entities.


There is a search bar.

SQLi

Testing for SQLi.

The web server returns a SQL error and echoes the entire SQL query in the response. The parameter is likely vulnerable to SQLi, just like the login section.

Browse


The Browse tab shows torrent files that are available for download. There is a single file, and it is a Kali Linux image.

Upload


The Upload tab features a file upload for torrent sharing. It says that there is a script that retrieves the data from the tracker, which suggests the uploaded file gets opened by that script.

Uploading a test file, kali.iso.torrent.

The web server hangs for a while. This must be what was mentioned earlier about the script retrieving the data.

After a while, I get redirected to the page where the test file was uploaded. I can see screenshots and the Edit this torrent button.

Edit this torrent

It would appear that there is another file upload feature, this one for the screenshot.

Uploading a test file, test.jpg.

It says that the upload is complete and suggests refreshing to see the new screenshot.

The new screenshot can indeed be seen.

I may be able to get code execution through here.
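As an added example (not Torrent Hoster's own code), this is the server-side check a screenshot upload like the one above should perform before anything is written under the web root: an allowlisted extension with no script extension anywhere in the name, magic bytes that match that extension, no script markers inside the data, and a random storage name. All function names and sample bytes are constructed for the example.

```python
"""Hardened validation for an image upload endpoint (added example)."""
import os
import secrets

# Image types the endpoint accepts, mapped to the magic bytes each must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that must not appear anywhere in the name (e.g. pic.php.jpg):
# some Apache configurations map on any matching extension, not only the last.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Byte sequences an image has no reason to contain.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed sample: a JPEG SOI/APP0 header followed by padding.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64


def validate_upload(filename, data, max_bytes=2_000_000):
    """Return (accepted, reason) for a client-supplied name and body."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized"
    # Only the basename matters; strip any client-supplied directory part.
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or any(p in SCRIPT_EXTS for p in parts[1:]):
        return False, "extension not allowed"
    ext = "." + parts[-1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside image data"
    return True, "ok"


def storage_name(filename):
    """Discard the client-supplied name entirely; keep only the vetted extension.
    Call this only after validate_upload() accepted the file."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext
```

The validator is the gate; the stored file should additionally live outside any directory the web server will execute scripts from.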