Magician TryHackMe Walkthrough

Musyoka Ian
7 min readFeb 21, 2021


Hello guys, after a two-week absence I am back again with another walkthrough. This time we'll be tackling Magician from TryHackMe, which is an easy box so long as you throw guessing out of the window. The box was released barely an hour ago. It starts off by finding an ImageTragick vulnerability and exploiting it to land a shell on the box as the magician user. Running linpeas, you find out that there's a port 6666 that is only exposed to localhost; forward the port to our local box and you find a web app that allows users to read files as the root user. Use the web application to get the root flag and the box is done. Though it's an easy box it's kinda interesting, and thanks to the creators of the box, M0N573R777 and ripcurlz. Without much more to say, let's jump in.

As always we'll start off with an nmap scan of the box. This will help us find any open ports on the box.

Looking at the nmap results below, you can see that we have only one port open.

Port 8081, and it is running nginx. It's been specified that we add the hostname to our hosts file, so that's the first thing I did before beginning to enumerate the web application.

Navigating to the webpage, we get a standard web application that allows us to upload a PNG image, which is then converted to a JPG.

My first thought was that this web application was vulnerable to insecure file upload, and I'm sure all pentesters know the drill. First I uploaded a legitimate PNG image, intercepted the request with Burp Suite and forwarded the request to Repeater.

I started messing with the request to see if I could upload a malicious PHP file, and just by changing the file name to end in .php I found out that I could upload a file with a PHP extension.

This led me down a rabbit hole for almost 20 minutes trying to make the web application execute my PHP script. My thinking was that before these files are converted they probably have to be stored on disk. What if we hit the PHP file before it gets converted to something else, using some sort of race condition?

So I created a simple script that would hit the uploads directory 100 times and, if it found the PHP script, try to execute it.

While the script was running in the background I tried uploading the PHP file as fast as I could, but going back to the script it had only 404 errors.

After numerous failed attempts at the race condition I decided to take a step back and understand what the web application was actually doing. It was taking a PNG image and converting it to a JPG image. I tried to see if there were any web applications that had had similar vulnerabilities in the past by googling the functionality of the web application.

The first result that came up was on ImageTragick.

And I know that ImageTragick (ImageMagick) has had a series of vulnerabilities lately, and what makes it even better is that there are payloads in the PayloadsAllTheThings repository already.

I copied both payloads to my working directory and started messing with them.

The first payload just makes a curl request to any domain or IP address the attacker specifies.

I changed the payload a bit by adding my IP address and decided to curl myself: if I got a connection back, I'd know the server was vulnerable to ImageTragick.

I set up a netcat listener on my box because I wanted to see the user agent of any inbound connection.

Then I uploaded the image.

Going back to my netcat listener, I had a connection.

And looking at the screenshot above, the user agent was curl, meaning the web application was vulnerable to ImageTragick. The next step was getting a shell on the box. For this I used a payload from PayloadsAllTheThings again, and edited the IP address and listening port.

Next I set up a netcat listener.

Then I uploaded the payload. Going back to my listener, I had a reverse shell.
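Two defensive checks that would have closed both holes used above (the upload accepting a .php name, and ImageMagick parsing attacker-supplied text formats). This is an added example, not code from the box or the author: it validates that an upload really is a PNG before anything touches it, and audits an ImageMagick policy.xml for the coders the ImageTragick advisory recommends locking down. The sample MVG header and policy snippets in the test are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Set

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Markers of ImageMagick's text-based input formats (MVG, MSL, SVG) and of the
# url()/ephemeral: features that ImageTragick payloads rely on.
TEXT_CODER_MARKERS = (b"push graphic-context", b"<?xml", b"<svg", b"<image", b"url(", b"ephemeral:")
# Coders that a hardened policy.xml should set to rights="none".
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def validate_png_upload(filename: str, data: bytes) -> List[str]:
    """Return the reasons this upload must be rejected; an empty list means it looks like a PNG."""
    problems = []
    if not filename.lower().endswith(".png"):
        problems.append("extension is not .png")
    if not data.startswith(PNG_MAGIC):
        problems.append("content is not a PNG (magic bytes missing)")
    head = data[:4096].lower()
    for marker in TEXT_CODER_MARKERS:
        if marker in head:
            problems.append("text coder marker found: " + marker.decode())
            break
    return problems


def unlocked_risky_coders(policy_xml: str) -> Set[str]:
    """Return the RISKY_CODERS that the given ImageMagick policy.xml leaves enabled."""
    locked = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights", "").lower() != "none":
            continue
        # pattern may be a single coder ("MVG") or a brace list ("{EPHEMERAL,URL,MVG}")
        for name in re.findall(r"[A-Za-z0-9_*]+", pol.get("pattern", "")):
            locked.add(name.upper())
    if "*" in locked:  # rights="none" for every coder
        return set()
    return RISKY_CODERS - locked
```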

Sweet. Next I upgraded my shell to get a fully functional TTY shell. Going to the user's home directory I found the user flag, and we had read access to it.

We can submit the flag and earn the points. Next I downloaded linpeas to the box and ran it.

After linpeas had finished running I looked at the output, and one thing that stood out was a port that was only listening on localhost: port 6666.

I downloaded linpeas to the box and forwarded the port to port 9001 on my local box.

Now that the port had been forwarded to my local box, I tried accessing the service from Mozilla.

And it worked. The web application asked us to enter a filename. First I tried the passwd file, since all users have read access to it.

Then I submitted the request and got a giant base64 blob.

I copied it and decoded it on my terminal, and funny enough I had the contents of passwd.

Next I tried the shadow file, which I knew only the root user has read access to.

And I got another base64 blob. On decoding it we got the contents of the shadow file. Sweet.

That means the web application was running as root. What if we try reading the root flag?

Looking at the screenshot above, we get another base64 blob. Let's decode it using our terminal.

We get the root flag. Sweet, the box is done! We can submit our flags and get the points for the challenge. I never tried cracking the root user's hash; I was satisfied with reading files, but if it's crackable you can get a root shell on the box. I hope you enjoyed the walkthrough. If so, make sure you follow me so that you don't miss any upcoming articles, one of which will include the HackerOne room writeups from TryHackMe (if I get some free time to write the walkthrough), and also clap for me down below. Till next time, it's goodbye.
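The port 6666 service above handed out /etc/shadow and /root/root.txt because it read whatever path it was given, as root. As an added example (not the box's code), here is the path confinement such a file-reading endpoint needs: the request is resolved under a fixed base directory and refused if it escapes it, via ".." or via a symlink, and the result is base64-encoded as the service does. The temp directory, files and symlink in demo() are constructed for the run; the assumed base directory is a hypothetical "public" folder.

```python
import base64
import tempfile
from pathlib import Path


def read_confined(base_dir, requested: str) -> str:
    """Return base64 of a file under base_dir; refuse anything that resolves outside it."""
    base = Path(base_dir).resolve()
    # Leading slashes are stripped so an absolute path cannot escape the base directory;
    # resolve() follows symlinks, so a link pointing outside is caught too.
    target = (base / requested.lstrip("/")).resolve()
    if target != base and base not in target.parents:
        raise PermissionError("%r resolves outside %s" % (requested, base))
    if not target.is_file():
        raise FileNotFoundError(requested)
    return base64.b64encode(target.read_bytes()).decode("ascii")


def demo() -> dict:
    """Exercise read_confined on a constructed directory layout and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "public"          # hypothetical allowed directory
        base.mkdir()
        (base / "note.txt").write_text("hello from the allowed directory\n")
        outside = Path(tmp) / "secret.txt"    # stands in for /etc/shadow in this run
        outside.write_text("not for you\n")
        (base / "link").symlink_to(outside)   # symlink that escapes the allowed directory
        results = {"note.txt": base64.b64decode(read_confined(base, "note.txt")).decode()}
        for name in ("../secret.txt", "/etc/shadow", "link"):
            try:
                read_confined(base, name)
                results[name] = "allowed"
            except (PermissionError, FileNotFoundError) as exc:
                results[name] = type(exc).__name__
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print("%-16s -> %s" % (request, outcome.strip()))
```

Running the service as an unprivileged user instead of root is the other half of the fix; path confinement alone still exposes everything that user can read.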


Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)
