HTB - MAGIC
IP - 10.10.10.185
This box was a medium-level Linux box on HTB created by TRX. It started with a SQLi in the login page which redirected us to an upload page. We used that upload page to upload a PHP reverse shell to the server, which was a little pain as it was checking the file headers and extensions of the files being uploaded. After getting a revshell we started enumeration. While enumerating the web directory we got the database creds in a file.
mysql wasn't installed on the box so we dumped the db using mysqldump and finally got user. For root we ran linpeas on the server and it stated we can run and read a file /bin/sysinfo on the box. Doing a bit of enum on that ELF executable we figured out it is calling some executables like fdisk and running them with escalated perms, so we ended up creating a python rev shell, naming it fdisk, then changing the PATH variable and running the sysinfo executable to get root access on the box.
As always, let's start off with nmap; nmap -sC runs the default scripts.
Alright, if it isn't obvious yet I am an IppSec fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
Open services: SSH on port 22 and a web server on port 80. As there aren't many attacks possible on SSH, I am gonna shift my focus to the web server.
Enumerating the web server
The site looks like a web service where authorized users can upload images.
Checking the info that Wappalyzer extracted for us from the headers: it seems like the website has PHP on the backend and the web server is Apache; nmap also showed us that the web server is Apache.
Alright, let's run something in the background and start exploring the website, because we always want to keep some enumeration running.
Told ya already, I am an IppSec fanboi. So firing up the gobuster scan to find hidden directories, and I am also looking for txt and php files (in case we find some notes or some hidden webpage).
Alright, coming back to the webpage we can see the text in the lower left corner: login to upload images. I am guessing we can upload a PHP reverse shell on the box after logging in. Can't find any creds or usernames on the website so I am trying basic SQLi payloads. Alright, it's SQL injectable: passing ' or 1=1 -- to both the username and password field gets us a login bypass, which redirected us to the
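As an added illustration (not part of the original writeup), here is why the payload above works and what the fix looks like: a login query built by string concatenation accepts ' or 1=1 -- in both fields, while the same query with bound parameters does not. The table and credentials are constructed, and SQLite stands in for the box's MySQL.

```python
import sqlite3

# Constructed stand-in for the box's login table; SQLite replaces MySQL here.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
conn.execute("INSERT INTO login VALUES ('admin', 'correct-horse')")

# The payload from the writeup, with the trailing space MySQL wants after --
PAYLOAD = "' or 1=1 -- "


def build_vulnerable_sql(username: str, password: str) -> str:
    """String-concatenated query: user input becomes part of the SQL text."""
    return (f"SELECT 1 FROM login WHERE username = '{username}' "
            f"AND password = '{password}'")


def vulnerable_login(username: str, password: str) -> bool:
    """With the payload in both fields the WHERE clause collapses to
    username = '' or 1=1 and the rest is commented out, so any row matches."""
    sql = build_vulnerable_sql(username, password)
    return conn.execute(sql).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Bound parameters: the payload is compared as a literal string value,
    never parsed as SQL, so the bypass fails while real creds still work."""
    sql = "SELECT 1 FROM login WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```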
Uploading a simple image to test the upload feature; I am uploading the same image I used for this blog's thumbnail.
We can see it got uploaded to the webpage at the path http://10.10.10.185/images/uploads/magicthumb.jpg, that is, nameofthefileweuploaded.ext. Alright, time to try and upload a PHP reverse shell. I am using the one by pentest monkey; you can get it from here.
Alright, it seems like it is doing a check for png, jpeg... images. Let's try to fool the server by adding ÿØÿÛ as the first line of the shell; here we are trying to manipulate the file header so the server accepts it as an image.
We still get the same error, so renaming the file to shell.php.jpeg and uploading it to the server.
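An added example, not the box's actual code, modelling the filter behaviour seen above: a naive check that accepts any allowed extension anywhere in the name plus an image header lets shell.php.jpeg through, whereas storing the upload under a server-generated name whose extension comes from the validated header (and refusing bodies that carry a PHP open tag) does not. The filenames and bytes are constructed, and the exact check the real box used is an assumption.

```python
import secrets
from typing import Optional

# Header bytes and the type they identify (JPEG SOI is the ÿØÿ seen above).
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}
ALLOWED_EXT = {"jpg", "jpeg", "png"}

# Constructed inputs: an image header glued onto PHP, and a plain image blob.
SAMPLE_UPLOAD = b"\xff\xd8\xff\xdb" + b"<?php echo 'constructed sample'; ?>"
CLEAN_JPEG = b"\xff\xd8\xff\xdb" + bytes(32)


def naive_check(filename: str, data: bytes) -> bool:
    """Assumed model of the box's filter: an allowed extension anywhere in the
    name plus an image header. shell.php fails, shell.php.jpeg passes."""
    parts = filename.lower().split(".")[1:]
    ext_ok = any(p in ALLOWED_EXT for p in parts)
    magic_ok = any(data.startswith(m) for m in MAGIC)
    return ext_ok and magic_ok


def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Name to store the upload under, or None to reject it. The client's
    filename is never reused: exactly one extension, taken from the validated
    header, and a random basename, so a .php segment never reaches the web
    server's handler mapping. Bodies with a PHP open tag are refused."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return None                      # rejects shell.php.jpeg-style names
    detected = next((t for m, t in MAGIC.items() if data.startswith(m)), None)
    if detected is None:
        return None                      # header does not match any image type
    if b"<?php" in data or b"<?=" in data:
        return None                      # image header stapled onto PHP code
    return f"{secrets.token_hex(16)}.{detected}"
```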
Alright.. Opening up a netcat listener on our local machine with rlwrap nc -lvnp 9889 and navigating to http://10.10.10.185/images/uploads/shell.php.jpeg. The page starts loading endlessly, which is a good sign, and looking at our nc listener it looks like we got a shell on the server.
Trust me I wasn’t trying to sound like Ippsec.
Spawning a TTY shell. I like to work with a TTY shell, so here is a cheat sheet you guys can refer to to get one.
The first thing I usually do after getting a TTY shell is running linpeas.sh, but I wasn't able to find anything interesting which www-data could use to privesc to user. So on enumerating the /var/www/Magic folder on the web server we find a file db.php5 which had the MySQL database creds of user
I tried to use mysql and, funny, it wasn't installed on the box. I quickly googled ways to dump a MySQL database and got to know about a tool, mysqldump (fun fact: it was on the server).
... represents random (not useful for us) content. Alright, so we got another password. So now we have one username, theseus (a user on the box), and two passwords.
su theseus: tried both passwords and the correct creds were
Alright, we got user on the box.
Rooting the box
linpeas.sh on the server: if you don't know about linpeas you can get it from their GitHub repo. Basically it is a bash script that finds privilege escalation vectors for us by performing basic recon. On running it we find this.
Interesting, on running the file command we find that it is an ELF executable: theseus@ubuntu:~$ file /bin/sysinfo
Executed the binary to see what it is actually doing; it seems like it is running some system checks, and to me it looks like it is running system commands to get the result. Ran strings on it to learn more about the executable.
So it seems like the executable is using commands like fdisk. I am pretty confident that fdisk requires sudo perms to run. Tried it on the box and yes, fdisk requires sudo permission to run; this implies the script is running lshw and fdisk with sudo/privileged permissions. Hoping the executable is using relative paths, we move to the /tmp directory and create a python3 reverse shell and name it
Next we need to export the PATH variable as /tmp:(old PATH variable) so that when the sysinfo executable gets executed it searches for fdisk in the tmp directory first and then in the rest of the path.
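An added simulation, not the box's binary, of the lookup behaviour the PATH trick relies on: a helper that resolves a tool against the caller's PATH picks up a planted fdisk from the first directory, while the same helper resolved against a pinned PATH and given a minimal environment runs the real one. Two throwaway directories stand in for the system bin directory and /tmp, and the stand-in scripts only echo a marker.

```python
import os
import shutil
import stat
import subprocess
import tempfile

TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"  # what a privileged helper should pin


def resolve(tool: str, search_path: str):
    """Same lookup the shell does for system("fdisk ..."): first match in
    search_path, left to right. With search_path taken from the caller's
    environment, the caller decides which fdisk gets run."""
    return shutil.which(tool, path=search_path)


def run_tool(tool: str, search_path: str) -> str:
    """Run a tool found via search_path with a minimal environment and return
    its output. Calling this with TRUSTED_PATH instead of the inherited PATH
    is the fix for the sysinfo-style bug."""
    exe = resolve(tool, search_path)
    if exe is None:
        raise FileNotFoundError(tool)
    done = subprocess.run([exe], env={"PATH": search_path},
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def _write_marker_script(path: str, marker: str) -> None:
    # Constructed stand-in binary: prints a marker so we can see which one ran.
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {marker}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def hijack_demo() -> dict:
    """Simulates the /tmp:$PATH trick with two throwaway directories standing
    in for the system bin directory and /tmp; nothing touches the real PATH."""
    with tempfile.TemporaryDirectory() as sysdir, \
            tempfile.TemporaryDirectory() as tmpdir:
        _write_marker_script(os.path.join(sysdir, "fdisk"), "real-fdisk")
        _write_marker_script(os.path.join(tmpdir, "fdisk"), "planted-fdisk")
        attacker_path = f"{tmpdir}:{sysdir}"  # PATH as exported in the writeup
        return {
            "inherited_path": run_tool("fdisk", attacker_path),  # what sysinfo did
            "pinned_path": run_tool("fdisk", sysdir),            # what it should do
        }
```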
Starting the netcat listener on the local machine with nc -lvnp 9999 and then running the sysinfo executable on the box.
Yeet, we got a reverse shell as root.