Magic HTB

IP

10.10.10.185

Initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.185 | cut -d"/" -f1 | tr '\n' ','

Ports open

22,80

Let's run a more in-depth scan of the target's ports

sudo nmap -sCV -p22,80 -oA tcp_ports 10.10.10.185

Results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

What can we see?

  • SSH is open

  • we have an HTTP web server, Apache 2.4.29

  • Ubuntu server

Let's check out the web server

Looks like

  • we have the ability to log in, but can't create an account

  • the ability to upload images

  • we can see GIFs and JPEGs

Given the name of the box, Magic, could this be a reference to magic bytes? Can we upload a reverse shell and bypass any restrictions using magic bytes? Maybe.

For good measure, let's run feroxbuster and create an account

feroxbuster

Results

/login.php

we can see the following

Let's catch the request with Burp and see if we can bypass auth

  • we do find a SQL injection that allows us to bypass authentication

this is what our request looks like

the query would look something like

  • as you can see, the 1=1 condition always evaluates to true, bypassing the need for a valid username, and the -- - starts a comment in SQL, so everything after it (the password check) is ignored
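To show why the 1=1 / -- - bypass works and how it is fixed, here is an added example (not the box's login.php, which we never see) with a constructed in-memory SQLite user table: the string-built query accepts the payload, the parameterized one does not.

```python
import sqlite3

# Constructed in-memory user table standing in for the box's login database.
# (Real code stores password hashes, not plaintext; this only shows the query shape.)
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote closes the literal, 1=1 makes the WHERE clause true and
    # -- comments out the password comparison.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so quotes, 1=1 and -- - are just characters inside the username string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

BYPASS = "' or 1=1-- -"   # the payload shape described above

def demo():
    db = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, BYPASS, "wrong"),
        "vulnerable_valid": login_vulnerable(db, "admin", "correct-horse"),
        "parameterized_bypass": login_parameterized(db, BYPASS, "wrong"),
        "parameterized_valid": login_parameterized(db, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```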

/upload.php

We are brought to /upload.php, where we have the ability to upload an image to the server

Let's consider a few things

  • PHP runs on the server, so we would want to run a PHP reverse shell (Pentest Monkey's)

  • the name of the box being Magic is a good indication that we will have to add magic bytes to the file so the server thinks we are sending a JPEG (could do this in Burp)

  1. Let's set up our payload and shell

  • we will use Pentest Monkey's reverse shell

Let's change the callback IP and port

Set up our listener

  2. We need to edit the hex values of our file; we can use a tool like hexedit. We need to edit the first 4 bytes and replace them with those of a JPEG file

Here is a list of 'file magic numbers'

From this list we can see the magic bytes in hex are

Now we need to replace the first 4 bytes of the PHP reverse shell to match those above

Now we can edit the magic bytes

Our file is ready to be uploaded (well, almost)

  3. While uploading our file, let's catch the request with Burp

Notice we added a .jpeg file extension; this should breeze past the restriction

  4. Now we just need to execute our reverse shell from the URL bar

  • Hmm, that did not go to plan

  • we bypassed the filter, but our PHP file is being treated as an image, so we have no functionality
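The upload filter above is defeated because it only looks at the leading bytes. As an added example (not the box's upload.php), here is the naive magic-byte check beside a validator that walks the JPEG segment chain, so a PHP file with only its first four bytes patched is rejected; the two sample files are constructed inline.

```python
JPEG_MAGIC = b"\xff\xd8\xff"

def magic_only_check(data: bytes) -> bool:
    # The kind of check the box's upload.php appears to do: leading bytes only.
    return data.startswith(JPEG_MAGIC)

def structural_jpeg_check(data: bytes) -> bool:
    # Walk the JPEG segment chain: SOI, then FF xx segments carrying a 2-byte
    # big-endian length, until SOS; the entropy-coded data must end with EOI.
    # A patched PHP file has no sane segment lengths and fails the walk.
    if not data.startswith(b"\xff\xd8"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # SOI / RSTn have no length
            pos += 2
            continue
        if marker == 0xD9:                             # EOI before any scan data
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            return False
        if marker == 0xDA:                             # SOS: image data follows
            return data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False

def accept_upload(filename: str, data: bytes) -> bool:
    # Defence in depth: allow-list the *last* extension, then check structure.
    # Uploads should also be stored under a server-chosen name in a directory
    # where the web server does not execute PHP.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in {"jpg", "jpeg"}:
        return False
    return structural_jpeg_check(data)

# Constructed samples: a minimal JPEG segment skeleton (SOI, APP0, SOS, EOI)
# and a text file whose first four bytes were overwritten with JPEG magic.
REAL_JPEG = (b"\xff\xd8"
             b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" b"\x00" b"\xff\xd9")
PATCHED_TEXT = b"\xff\xd8\xff\xe0" + b"<?php /* not an image */ ?>\n"
```

The structural walk only checks segment framing, not that the image decodes; a full decode with an image library is the stronger check when available.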

Let's try a simple cmd PHP webshell

Same as before

  1. copy into our working directory

  2. edit the magic bytes with hexeditor

  3. upload and catch with Burp

  4. head over to

We can see the following

Let's see if we can run any system commands

  • we can send commands to the target server

Awesome, from here we can establish a reverse shell

Now let's establish a connection using bash, from the URL bar

We now have a shell on the system

Looking in /var/www/Magic we can find db.php5; when we cat it out we can see possible credentials

If we look within the /home directory we can find the user theseus

Let's see if we can access the account

  • no luck

Since we found credentials to a database, it would be good practice to see if any ports are listening internally

We can see port 3306 (MySQL) and port 631 (most likely IPP, Internet Printing Protocol)

Let's see if we can connect to the MySQL database

  • unfortunately the mysql command is not installed on the machine

Let's see if we can find anything related to MySQL

  • among the output we do find something interesting

  • Looks like we have found some MySQL tools we can utilize, most notably /usr/bin/mysqldump

Let's see if we can dump the database

Results

  • Looks like we may have found some valid credentials

Since we have not found an admin user, it is safe to say this could be the user theseus's password

  • which it is

Let's check for sudo privileges

  • we can't run sudo on the machine

Let's get some persistence on the machine via SSH

  1. Let's generate our SSH keys (local machine)

  2. Let's create an authorized_keys file in the target's .ssh directory, and copy our public key over

  3. Now let's give our private key the appropriate permissions and see if we can log in via SSH

We now have access via SSH

When searching for SUID files we can see something interesting

We find an odd program

Checking the permissions shows

We can see anyone within the users group can execute this program

Since we are part of the users group we can execute the command

Running the command

it just outputs a bunch of system information

But it's odd, so let's run the tool under ltrace, which prints out the library calls made by the binary

Looking through the output we can see something interesting

popen is another way to open a process on Linux, but the interesting part is that the binary is calling fdisk without specifying the full path, which leaves this binary possibly vulnerable to PATH hijacking
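The same review can be done mechanically over ltrace output. As an added example (not part of the original write-up), this script flags popen/system/exec*p calls whose command word is not an absolute path; the sample ltrace lines are constructed, with fdisk and lscpu lacking a path and the others resolved. The fix on the binary side is to call tools by absolute path (or reset PATH before popen) rather than trusting the caller's environment.

```python
import re
import shlex

# Library calls that hand a command string to a shell or search PATH for it.
SHELL_OR_PATH_CALLS = {"popen", "system", "execvp", "execlp", "execvpe"}

# ltrace prints calls as func("arg", ...) = result, optionally prefixed with [pid N].
CALL_RE = re.compile(r'^(?:\[pid \d+\] )?(?P<func>\w+)\("(?P<arg>(?:[^"\\]|\\.)*)"')

def find_relative_commands(ltrace_output: str):
    """Return (function, command) pairs where the command word is not an absolute path."""
    findings = []
    for line in ltrace_output.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group("func") not in SHELL_OR_PATH_CALLS:
            continue
        # ltrace escapes strings C-style; unescape before tokenising like a shell would.
        arg = m.group("arg").encode().decode("unicode_escape")
        try:
            argv = shlex.split(arg)
        except ValueError:
            argv = arg.split()
        if not argv:
            continue
        cmd = argv[0]
        if not cmd.startswith("/"):      # resolved via PATH at run time -> hijackable
            findings.append((m.group("func"), cmd))
    return findings

# Constructed ltrace-style output in the shape a SUID system-info binary produces;
# addresses and results are placeholders.
SAMPLE = """\
setuid(0) = 0
popen("lscpu", "r") = 0x5581c3a4e2a0
popen("/usr/bin/free -h", "r") = 0x5581c3a4e4b0
popen("fdisk -l", "r") = 0x5581c3a4e6c0
system("/bin/df -h") = 0
fgets("...", 1024, 0x5581c3a4e2a0) = 0x5581c3a4e2a0
"""

if __name__ == "__main__":
    for func, cmd in find_relative_commands(SAMPLE):
        print(f"{func}() runs '{cmd}' via PATH lookup; use an absolute path")
```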

Let's test this theory

  1. Let's create a reverse shell in the /dev/shm directory and save it in an executable file named fdisk

  2. Let's start a listener and execute the file to see if it attempts a connection back to us

  • we get a successful connection back from the target server

  3. Now we can update our PATH to include /dev/shm

  4. Now when we run sysinfo, it should execute the fdisk in /dev/shm where our reverse shell resides, and we should gain a reverse shell as root

  5. If we look back at our listener, we should be root
