Magic
Nmap scan:
The web application shows us some random images as a form of portfolio.
I did a gobuster scan and found a few directories of interest:
So there was a login.php directory. I didn't have any credentials, so I tried a few low hanging fruits such as admin:admin and basic SQL injection. The payload of ' OR 1 -- worked.
Then, I was brought to this page:
This was a PHP site so I tried uploading PHP webshells, but it didn't work. As such, I tried to embed a webshell within a JPG file.
Afterwards, we just need to change the extension to .php.jpeg and send the file (via Burpsuite). Earlier, a gobuster scan found a /images directory, so I used gobuster on that to find more directories:
So the /uploads directory is where our files end up. I tried some basic commands, and it worked!
Getting a shell from here is easy.
In the /var/www/magic file, I found a set of database credentials.
I used mysqldump (which was present on the machine somehow) and dumped out all of the SQL stuff.
I was able to find a set of credentials for the admin user.
From reading the /home directory, the user on this machine is theseus. These credentials work with su.
I checked for SUID binaries, and found one at /bin/sysinfo. When trying to execute it, I found that it was executing fdisk without the full path.
By manipulating the PATH variable and creating a reverse shell script named fdisk, I can get a reverse shell as root.
Port 9999 does not work (presumably due to firewall) so I changed to port 443 and ran sysinfo again.
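The root cause on the privilege escalation side is a SUID program launching fdisk by bare name, so the caller's PATH decides which file runs. As an added example (not code from the box or from this writeup), here is one way a privileged helper can start an external program safely in C: absolute paths only, and execve with a fixed environment. The name run_fixed and the /sbin/fdisk location are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment handed to the child: nothing from the caller survives. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C", NULL };

/* run_fixed (hypothetical helper): run a program without consulting the caller's PATH.
 * Returns the child's exit status, or -1 if the request is refused or fails. */
int run_fixed(const char *abs_path, char *const argv[])
{
    /* A bare name such as "fdisk" would need a PATH lookup: refuse it. */
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve never searches PATH and replaces the whole environment. */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                     /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed scenario: the caller prepended a directory it controls. */
    setenv("PATH", "/tmp/constructed-dir:/usr/bin:/bin", 1);

    char *const argv_fdisk[] = { "fdisk", "-l", NULL };
    printf("bare name:     %d\n", run_fixed("fdisk", argv_fdisk));       /* refused */
    printf("absolute path: %d\n", run_fixed("/sbin/fdisk", argv_fdisk)); /* assumed path */
    return 0;
}
```

The same rule applies to system() and popen() calls in privileged code: they go through a shell and inherit the caller's environment, so they should be replaced with a direct exec of an absolute path.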