📦 HTB - Magic

<time datetime="2020-08-20 14:00:00 +0000 UTC">20 August 2020</time>·543 words·3 mins· 0 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"> <path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg> · 0 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"> <path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg> · <button id="likes_button" class="rounded-md border border-primary-400 px-1 py-[1px] text-xs font-normal text-primary-700 dark:border-primary-600 dark:text-primary-400" onclick="process_article()"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"> <path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"> <path fill="currentColor" d="M244 84L255.1 96L267.1 84.02C300.6 51.37 347 36.51 392.6 44.1C461.5 55.58 512 115.2 512 185.1V190.9C512 232.4 494.8 272.1 464.4 300.4L283.7 469.1C276.2 476.1 266.3 480 256 480C245.7 480 235.8 476.1 228.3 469.1L47.59 300.4C17.23 272.1 0 232.4 0 190.9V185.1C0 115.2 50.52 55.58 119.4 44.1C164.1 36.51 211.4 51.37 244 84C243.1 84 244 84.01 244 84L244 84zM255.1 163.9L210.1 117.1C188.4 96.28 157.6 86.4 127.3 91.44C81.55 99.07 48 138.7 48 185.1V190.9C48 219.1 59.71 246.1 80.34 265.3L256 429.3L431.7 265.3C452.3 246.1 464 219.1 464 190.9V185.1C464 138.7 430.4 99.07 384.7 91.44C354.4 86.4 323.6 96.28 301.9 117.1L255.1 163.9z"/></svg>  Like </button> · <a href="https://github.com/OxNinja/blog" class="text-lg hover:text-primary-500" rel="noopener noreferrer" target="_blank" title="Edit content" > <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M490.3 40.4C512.2 62.27 512.2 97.73 490.3 119.6L460.3 149.7L362.3 51.72L392.4 21.66C414.3-.2135 449.7-.2135 471.6 21.66L490.3 40.4zM172.4 241.7L339.7 74.34L437.7 172.3L270.3 339.6C264.2 345.8 256.7 350.4 248.4 353.2L159.6 382.8C150.1 385.6 141.5 383.4 135 376.1C128.6 370.5 126.4 361 129.2 352.4L158.8 263.6C161.6 255.3 166.2 247.8 172.4 241.7V241.7zM192 63.1C209.7 63.1 224 78.33 224 95.1C224 113.7 209.7 127.1 192 127.1H96C78.33 127.1 64 142.3 64 159.1V416C64 433.7 78.33 448 96 448H352C369.7 448 384 433.7 384 416V319.1C384 302.3 398.3 287.1 416 287.1C433.7 287.1 448 302.3 448 319.1V416C448 469 405 512 352 512H96C42.98 512 0 469 0 416V159.1C0 106.1 42.98 63.1 96 63.1H192z"/></svg> </a >

HTB htb writeup

Author

0xNinja

mov al, 11

Table of Contents

TL;DR #

HTTP redirect bypass (unintended 😁), PHP code execution through file upload to get a reverse shell. User with hardcoded SQL credentials on server, privesc with custom binary with no $PATH check.

As I am an idiot, I reinstalled my distribution without making a backup of my files 🙈 So I don’t have any screenshot or payloads I used for this box to show you

Footholds #

With a basic nmap we found only two ports: 22 and 80.

The running web server seems to be a portfolio, we can also note a login page for the administrator.

Entry point #

Admin page #

I thought it would be great to access this admin page, but I did not found any valid credentials to log myself in. What I did instead was:

Use BurpSuite to intercept my requests to the /admin page
Change the 302 -> /login redirection code to 200 -> /admin on response
Now got access to the page without login-in

Of course after reading other solutions, this one was really unintented, the ’normal’ way was to make an SQL injection in the login form.

File upload #

Now that we are on the admin page, we can upload some pictures in order to display them on the homepage. The first thing that came to my mind was to upload a PHP reverse shell:

If we upload it and visit it we got our nice reverse shell working!

User #

We are in the machine, but need to privesc as a user. Looking in the server’s directory I found an intersting db.php5 file:

1class Database
2{
3    private static $dbName = 'Magic' ;
4    private static $dbHost = 'localhost' ;
5    private static $dbUsername = 'theseus';
6    private static $dbUserPassword = 'iamkingtheseus';

We try to log as the mentioned user with the given password. It does not works. Maybe it is some valid SQL credentials? I also found a mysqldump binary on the system, which – pay attention – dumps a given MySQL schema.

1$ mysqldumps -u theseus -p iamthekingtheseus --all-databases

We then get a new password: admin:Th3s3usW4sK1ng. Maybe this one is the user’s password? We can log-in with theseus:Th3s3usW4sK1ng!

Root #

We now need to get as root!

By looking into /bin/ we get an interesting binary sysinfo running with UID=0 😇

This binary basically fetches information on the system and outputs it on stdout.

Here, the vulnerability is: the binary executes some commands (such as lswh -short, lsblk -l…) without an absolute path to them. We can easilly create our own lswh binary and change our $PATH to trick this program to execute our code as root (UID=0)!

This is what I did:

 1$ cd /tmp
 2$ mkdir .ninja && cd .ninja
 3$ echo 'echo $(whoami)' > lshw
 4$ chmod +x lshw
 5$ export PATH=/tmp/.ninja:$PATH
 6$ sysinfo
 7
 8[...]
 9====================Hardware Info====================
10root    # <-- our code execution!
11=====================================================
12[...]

By now we only have to cat /root/root.txt, or create ourselves a reverse shell, add our SSH key to the box, or anything!

1$ echo 'cat /root/root.txt' > lshw
2$ sysinfo
3
4[...]
5====================Hardware Info====================
6[/root/root.txt hash here 😀]
7=====================================================
8[...]