Hack The Box — Popcorn: Walkthrough (without Metasploit)

David Tse
7 min readApr 1, 2021

Reconnaissance

As usual, do nmap scan.

# Nmap 7.91 scan initiated Wed Mar 31 21:55:15 2021 as: nmap -sC -sV -A -T4 -Pn -oN nmap.txt -v 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up (0.044s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=3/31%OT=22%CT=1%CU=33140%PV=Y%DS=2%DC=T%G=Y%TM=60647F5
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=C7%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=8)OPS(O
OS:1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11N
OS:W6%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW6%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)Uptime guess: 0.001 days (since Wed Mar 31 21:54:06 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   68.28 ms 10.10.14.1
2   68.38 ms 10.10.10.6Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 31 21:55:38 2021 -- 1 IP address (1 host up) scanned in 23.37 seconds

Enumeration

David Tse

Written by David Tse

72 Followers

Cyber Security Enthusiast | OSCP | OSWE

More from David Tse

Recommended from Medium

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101