Magic Writeup — HackTheBox
Made by RebornSec ®
This is an amusing box made in preparation for Halloween. So let’s start the MAGIC.
Enumeration phase:
Let’s start with the Nmap scan:
[~] nmap -sC -sV 10.10.10.185
As we can see, the HTTP port is open. Let’s check it in the browser:
It seems to be a website that contains a gallery of photos. Let’s see the login page:
I tried the basic credentials, but they did not work, so I tried a basic SQL injection structure:
And BOOM, the upload page appears:
Uploading a normal img.{imageextension}.php did not seem to work, so I used this script, https://github.com/RebornSEC/RInjector, to embed my PHP file into my image:
Preparing nc -nlvp 4444, I intercept the callback from the shell:
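A server-side check that would reject both upload attempts described above, as an added example that is not part of the original writeup or the box's code: it flags file names with a PHP extension anywhere in them and image files whose bytes contain a PHP open tag. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import re

# Magic bytes for the image types an upload form would normally accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Assumed list of extensions mapped to the PHP handler; matched anywhere
# in the name so both img.png.php and img.php.png are caught.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Long open tag only; "<?=" is too short to match reliably in binary data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def sniff_image(data):
    """Return the image type indicated by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_upload(filename, data):
    """Return a list of reasons to reject the upload; empty means accept."""
    reasons = []
    if PHP_EXT.search(filename):
        reasons.append("php extension in name")
    if sniff_image(data) is None:
        reasons.append("not a recognised image")
    if PHP_TAG.search(data):
        reasons.append("php open tag in content")
    return reasons


# Constructed sample inputs (not taken from the box).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLES = {
    "cat.png": PNG,
    "img.png.php": PNG,
    "img.php.png": PNG,
    "embedded.png": PNG + b"<?php echo 'constructed marker'; ?>",
    "notes.png": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob) or "accept")
```

A magic-byte check alone passes the embedded sample, which is why the content scan is a separate rule; storing uploads in a directory where the PHP handler is disabled closes the gap regardless of what the filter misses.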
We want our shell to be interactive:
python -c 'import pty; pty.spawn("/bin/sh")'
Now, digging on, I found some credentials in db.php5 in /var/www/Magic:
So we can use these credentials to dump the DB of the host with “mysqldump”:
I got other credentials:
Now we su as theseus with the new password we got, Th3s3usW4sK1ng
And here we got our user.txt:
Root phase:
After a long enumeration, I found a way to root the box, and it was simple, but I looked too deep:
And the root.txt hash is inside rebornsec.txt. Congrats, we got root :D