HackTheBox Writeup — Magic

Hello Guys , I am Faisal Husaini. My username on HTB is “MrSatan” . Also join me on discord.

The IP of this box is 10.10.10.185

Running NMAP full port scan on it , we get

We got only 2 Open Ports , one for SSH and other for Web

Running the IP in the browser

We get a webpage with a lot of pictures, also on the down left corner we see a link to a Login Page

We see we have a login option here, we try some SQLi Login Bypass techniques

The Payload we used for password field

admin'or 1=1 or ''='

We see a file upload here , I tried multiple ways of bypassing the file upload restriction out of which one way worked for me

So we just change the metadata using exiftool and put out PHP web shell and then upload it

After uploading the file, we get the message of the successful upload like above pic

Now we access the file which we cant get from the link source in the main page

Now we try to execute command and see if it works

We got command execution successfully and now we move onto getting reverse shell and check the netcat listener

We got shell as www-data and now we do our enumeration on the webroot directory

We see a db.php5 file, looking at the code

We see some credentials leading to some DB , when trying to use this for the user on the machine

It fails, but we know that we had SQLi in the login page, we can copy the request and run SQLMAP against it

We dumped credentials and now use the password for use theseus

We are now user theseus and now we get the user flag

Checking the groups of the current user, we see that it is the group member of group users

Checking any files or binaries with the group permissions of group users

We see that /bin/sysinfo has group permissions for users

The binary wasn't any ordinary binary so I just ran ltrace onto it and saw that the binary runs lshw and fdisk to provide hardware info and disk info, since there is no path mentioned for those 2 programs, we can potentially path hijack and use it for our own benefits

Now we create our own binary named the same as the vulnerable one and then change the path so that our binary gets executed first instead of the original one

After running sysinfo, we get a shell spawned and now we are root

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store