Magic is a medium-rated Linux machine on the reputable penetration testing platform known as HackTheBox. The ultimate goal is to compromise this machine and gain root privileged access. In the write-up below I explain the steps I took to successfully gain root access to this machine. This one falls in the category of TJNull’s HackTheBox OSCP-like machines. So if you’re planning on taking the OSCP like me, this machine is good practice. The whole list of OSCP-like machines can be found here.
Reconnaissance
Let’s start with an Nmap scan, first I always like to run a full TCP scan on all ports in verbose mode. I then grab those results and use script scanning, for time saving purposes obviously. The result of the Nmap scan is pictured below.
The results show that there are only two ports open:
- Port 22 is running OpenSSH 7.6p1,
- Port 80 is running Apache httpd 2.4.29.
Let’s check out what’s actually running on port 80. Upon doing so we are greeted by the following web page:
It looks to be a website that displays an image gallery of some sort. In the bottom left of the page we see “Please Login to upload images”. This inclines that there’s an upload functionality for logged in users, which is of course always interesting to tamper with. Let’s follow the link and try to log in. Upon following the link we are greeted by this web page:
We didn’t find a register functionality so let’s just try some common credentials and injections on this login form. I usually always try some basic SQLi and LDAP injection. After trying some SQLi payloads, we seem to bypass the login mechanism with the following payload: admin ‘ OR ‘1. We are now presented with an upload function.
Seems like we can upload images, will these images be displayed on the home page? Let’s check by uploading an image of Yggdrasil. After selecting the image from my folder and pressing “Upload Image” we find my picture of Yggdrasil on the home page.
My thought process is to hide a PHP shell inside of a similar image and to then access this image so it executes the PHP code inside of it. For that we need to find the path to the uploaded image. When we right click on the image, we can choose “View image”, it then takes us to the following web page:
In the URL bar we notice that the path to all uploaded images gets stored inside of /images/uploads/<imagename>. This means that if we manage to trick the upload function into uploading an image with a PHP shell inside of it we can get code execution. For this purpose I’m gonna use exiftool.
A lot of times upload functionalities only allow certain types of files to be uploaded to the server. A weak implementation of file checking is only checking the file signature/magic bytes of the file. The magic bytes of a file are nothing more than just the first few bytes of a file which are being used to identify a file type. With exiftool we added PHP code inside of the exif data of this particular JPG file. Let’s check if the file bypasses the filter.
It seems that our malicious JPG file has been uploaded to the web server, let’s see if we can access the file using the path we found before.
Seems as though we can access our malformed JPG-file. We added PHP code so let’s see if we can actually execute commands.
We have code execution! Pictured below is the output of the “id” command. Now that we have code execution let’s get an interactive shell by starting up a web server on our own machine, hosting a PHP reverse shell. We then download this reverse shell onto the machine, set up a listener on our own machine and execute the reverse shell.
We got a callback! First let’s improve the shell to a fully interactive TTY and then start enumerating. Usually when I get a shell through a web application I first start my enumeration in the folder of the web application. In this folder we immediately spot something interesting, a file named “db.php5”. Upon opening the file we see some MySQL credentials.
Now that we have some MySQL credentials let’s check to see if MySQL is actually running on the machine.
It seems like local port 3306 is indeed open. Let’s try to connect using the credentials we’ve just obtained.
That’s interesting, port 3306 is listening but there is no MySQL client installed. What we can try to do now is to dump databases using mysqldump.
That worked! What’s interesting here is that we’ve got a username and password for the admin user. Let’s take a look which users are also on the box.
So we’ve got user theseus and root on the box. We’ve seen the name theseus before in the “db.php5” file. Let’s try our passwords on the user theseus.
We have now successfully switched to the theseus user on the box. Let’s grab the user flag from theseus’s home folder.
After doing some manual enumeration I couldn’t find any quick escalations to root so let’s download LinPEAS onto the box and run it.
After running LinPEAS we immediately find this SUID binary which is owned by root. This means that the binary will be executed with root privileges. LinPEAS states that the sysinfo binary executes cat, fdisk and lshw with a relative path. This means that we could potentially hijack this binary with our own rogue binary. Let’s give it a try by creating our own version of the cat binary, which holds a bash reverse shell. But first let’s check if LinPEAS didn’t give us a false positive by checking out the sysinfo file.
The output of the strings command on the sysinfo file indeed shows us that at least four native Linux binaries are being called without an absolute path. In theory this means we could just pick one, let’s keep it at cat. First let’s create our own rogue binary in our home folder and add our home folder onto the PATH environment variable.
In the figure above we see that first the PATH variable starts at /usr/local/sbin, this means that the OS will first start looking in this location for the binary that’s being called. Because we can control the PATH variable we just appended our own home folder to the PATH variable so it will start looking for the binary in our home folder first. If it finds the binary the code will be executed. Let’s set up a listener on our own machine on port 9001 and run the sysinfo binary that calls for cat.
After running the sysinfo binary, we get a connect back to our own machine as the root user. We have now owned this machine, let’s grab the root flag and call it a night.
This wraps up Magic, one of my favorite HackTheBox machines to date because of the techniques used to compromise this machine. I hope you enjoyed reading this and have learned something new, see you next time!
