HackTheBox Writeup: Magic

Magic was a medium rated Linux box that required you to find a hidden upload function then bypass its upload restrictions to execute code and catch a shell as www-data. From here, creds for mysql were stored in plaintext, allowing you to dump the database and get more creds for the user Theseus. Finally a SUID binary did not use quoted paths and this was exploited to gain a root shell. I added magic.htb to /etc/hosts and got started.

Enumeration

nmap scan:

With no creds, let's check out http:

I clicked on the 'login' link:

After trying admin/admin and such, I decided to enumerate more with gobuster:

Initial Foothold

Upload.php looked juicy but it redirected when I tried to access it. I loaded up Burp, set it to intercept and changed the '302' shown below to a '200':

This worked and I was shown an upload interface:

I immediately tried to upload a php reverse shell but was booted back to the login. I checked Burp's history and saw the reason why:

Okay, let's see what a legit upload looks like:

Cat pic uploaded successfully:

I tried various things here - null bytes, double extensions (e.g. shell.php.jpg) and got nowhere. Eventually I googled around and found this article that detailed using exiftool to bypass file upload filtering. Sadly my notes here are spotty but I believe I did exiftool -Comment=$(cat webshell.php) meow.jpg, where webshell.php can be found here. I then renamed it to 'meow2.php.jpg', uploaded it, accessed it directly and was pleased to see it had worked:

Since the box is running php, I went with a php reverse shell:

With a netcat listener, I caught a shell as www-data:

User Pivot

There were some interesting files in /var/www/Magic:

There were plaintext creds in db.php5:

Those creds worked for mysql. Whoever left the 'all_databases.sql' saved me the trouble of doing it myself but I believe mysqldump -u thesus Magic -p would have dumped the database to that file. Within it, are another set of creds:

That password works for su:

User flag:

Privilege Escalation

I ran LinPEAS, which spit out a bunch of SUID files. One of them had a plausible name but I had never seen it before anywhere:

I ran strings /bin/sysinfo to take a peek at what it might be doing:

A bunch of commands (lshw, fdisk, cat, free) are being run without quoted paths and this is ripe for abuse. I chose free to be my victim and created a short bash reverse shell script named 'free' in /tmp:

I made it executable:

Now, the important step of setting the path to /tmp so that /bin/sysinfo would look there for free first:

I really should have done PATH=/tmp:$PATH so I could keep using standard commands without having to type their full path. Oops. Anyway, with that in place I ran /bin/sysinfo and with a netcat listener, I caught a root shell:

Root flag: