Popcorn PrivEsc (spoilers)

Hi folks,
Has anyone popped popcorn recently? I started it yesterday and got as far as www-data shell easily enough. I see there’s an exploit for PAM MOTD which I tried but am asked for a password for www-data account which I don’t have. I also don’t have a password for george.

I figured that would be my next step but for some reason (it was late and I was feeling lazy…) I checked the write ups by ipp and arrexel and there’s no mention of needing a password when they run the same exploit.

There’s also no mention of using the file renamer PHP script at /index.php but maybe that’s just the way they did it.

I’m just wondering really, has this box been changed since release/write up or is just something slightly different that I’m doing?

In more general terms, do boxes ever get modified after release?


Try ippsec’s video on youtube.

Thanks but I have l. As I said in my post, my experience is different from what is shown in ipp’s video and arrexel’s writeup and I’m wondering if it’s something I’m doing or if it’s possible the box has changed.

Posting this here as well:
Another exploit that works is (SPOILER):

Got this from Exp1o1t9r’s Writeup: https://exp1o1t9r.com/2020/01/08/hackthebox-writeup-popcorn/

Hi, why can’t I ever successfully upload a torrent? Thanks.