HackTheBox - Magic


Hello guys, I am Faisal Husaini. My username on HTB is hulegu. Also join me on Discord.

The IP of this box is 10.10.10.185

Port Scan

Running an nmap full port scan on it, we get

placeholder

We get only 2 open ports, one for SSH and the other for the web server.

Web

Running the IP in the browser

placeholder

We get a webpage with a lot of pictures; in the bottom left corner we also see a link to a login page.

placeholder

We have a login form here, so we try some SQLi login bypass techniques.

placeholder

The payload we used for the password field:

admin'or 1=1 or ''='

placeholder

We see a file upload here. I tried multiple ways of bypassing the file upload restriction, one of which worked for me.

placeholder

So we just change the metadata using exiftool, put our PHP web shell in it, and then upload it.

placeholder

After uploading the file, we get the successful-upload message shown in the picture above.

Now we access the file, whose path we can get from the image links in the main page's source.

placeholder

Now we try to execute a command and see if it works.

placeholder

We got command execution, so now we move on to getting a reverse shell and check the netcat listener.

placeholder

We got a shell as www-data, and now we do our enumeration of the webroot directory.

placeholder

We see a db.php5 file; looking at the code,

placeholder

we see some credentials for a DB. When trying to use these for the user on the machine,

placeholder

it fails, but we know that we had SQLi in the login page, so we can copy the request and run SQLMap against it.

placeholder

We dumped the credentials and now use the password for the user theseus.

placeholder

We are now the user theseus, and we get the user flag.

placeholder

Privilege Escalation

Checking the groups of the current user, we see that it is a member of the group users.

placeholder

Checking for any files or binaries with group permissions for the group users, we see that /bin/sysinfo has group permissions for users.

placeholder

The binary wasn't any ordinary binary, so I just ran ltrace on it and saw that the binary runs lshw and fdisk to provide hardware info and disk info. Since no path is given for those 2 programs, we can potentially hijack the PATH and use it for our own benefit.

placeholder

Now we create our own binary named the same as the one being called, and then change the PATH so that our binary gets executed first instead of the original one.

placeholder

After running sysinfo, we get a shell spawned, and now we are root.

placeholder

References

SQL Injection Authentication Bypass Cheat Sheet