Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Magic

Security Ninja
November 2, 2020 by
Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Magic.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The walkthrough

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Magic, is retired.

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The “Magic” machine IP is 10.10.10.185.
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to learn as much information about the machine as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine.

    <<nmap -sC -sV -oA Magic 10.10.10.185>>

  5. As we can see that we can only access two ports: 22 and 80. Let’s start the enumeration from them.
  6. Below is the home page in port 80.
  7. There is a login page, which is susceptible to SQL injection with a simple payload such as ‘ or ‘1’=’1 .
  8. After that, we get an image upload box. I tried uploading a direct PHP shell and PHP shell embedded with other image formats but it worked with the .png format.

  9. Browsing that uploaded shell, we got a reverse shell back as www-data.
  10. Enumerating the system, we got a DB file named db.php5, which revealed a surname and password for user “theseus”. Trying to sudo that user with the password failed.
  11. Using mysqldump to dump the DB revealed another password, as shown below.
  12. Using this password to sudo to user “theseus” was a success. Before that, we need to upgrade our current shell also, as shown below.
  13. Grabbing the user.txt file.
  14. Now, let’s start the escalation process. Seems like a SUID binary on the machine.
  15. Checking its normal usage, it looks like there must be lot of system-level commands in use to gather such information from the machine.
  16. Running strings on the binary reveals multiple commands in use such as fdisk, free and so on.
  17. Since their explicit location is not used, we can exploit any such commands by hijacking the control flow through our malicious binary. Below is the malicious “free” binary:
  18. Once uploaded, we make the binary executable:
  19. Append that to the system path so that malicious free is executed first and we get a reverse shell back.
  20. We ran the binary again and as expected, it hangs while executing free binary because it is busy in giving us the shell back.
  21. We got a shell back as root. Enumerating to grab the root.txt file:

This was a good machine where the initial foothold was somewhat challenging. After that, escalation to root was straightforward.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

We will continue this series with more examples of interesting HTB machines.

Security Ninja
Security Ninja