

Magic




Run an Nmap scan against the IP.





Go to the website; we can see that we need to log in to upload an image.





Go to the login page and try SQL injection there.





And that was successful, so now we can access the web page without logging in.
Next, let's try to upload an image. But we are not actually uploading an image;
we are uploading a PHP script to check whether the upload is vulnerable or not.





To upload the PHP script we need to edit the magic numbers; for that, google for magic numbers.





Scroll down to view jpg/jpeg, and we can see the hex values.





Now open ghex with the image file and edit the magic numbers.





Now upload it with the help of Burp Suite, changing the file name from a.jpg to a.php.jpg.
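The uploader on this box evidently trusts the file's magic bytes rather than its name, which is why a PHP file with a JPEG header and the name a.php.jpg gets through. As an added example (not code from the box or from the original writeup), here is a Python validator showing that weak check beside a hardened one that rejects double extensions, ties the extension to its expected signature, refuses PHP tags, and stores the file under a server-generated name; the signature table and the sample files are constructed.

```python
import os
import secrets
from typing import Optional

# Assumed allowlist: final extension -> expected magic bytes (constructed table)
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed samples: a JPEG-like header alone, and a JPEG header with PHP appended
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
CONSTRUCTED_POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php /* constructed marker */ ?>"


def weak_check(data: bytes) -> bool:
    """Magic-bytes-only check: accepts anything that starts like an image,
    so a.php.jpg with a JPEG header passes (the weakness the writeup abuses)."""
    return any(data.startswith(sig) for sig in MAGIC.values())


def hardened_check(filename: str, data: bytes) -> bool:
    """Reject double extensions, require an allowlisted final extension,
    require the magic bytes that match that extension, and refuse PHP tags."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2:            # "a.php.jpg" splits into three parts
        return False
    stem, ext = parts
    if not stem or ext not in MAGIC:
        return False
    if not data.startswith(MAGIC[ext]):   # extension and signature must agree
        return False
    if b"<?php" in data or b"<?=" in data:   # crude guard against image/PHP polyglots
        return False
    return True


def storage_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-generated name for a validated upload, or None.
    A random stem plus the checked extension means the client never picks the name."""
    if not hardened_check(filename, data):
        return None
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"
```

The double extension only mattered because the server's PHP handler matched .php anywhere in the name, so disabling script execution in the uploads directory is the fix that does not depend on the validator.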






We can see the file uploaded successfully.





Now we need to identify where the file is uploaded; for that, run dirsearch to search for active directories.





We can see that in the image directory an "uploads" folder is available.





Go to the 'img/uploads' folder and append "a.php.jpg", which I uploaded.
We can see the PHP version, so we can upload a PHP reverse shell here as well.





I uploaded a reverse shell and got a shell back.





cat /etc/passwd shows that there is a "theseus" user available.





Going through the db.php5 file, located in the Magic folder in '/var/www', we can see the MySQL database credentials.





Dump the MySQL credentials to a file.





Open the file and we can see the credentials.





Log in as theseus with the password we just got, and we get a theseus shell.





Now going through the SUID binaries, I found an interesting file in /bin/, which is sysinfo.







Check what sysinfo does.





We can see it executing hardware information commands, so let's check which hardware report commands exist in Linux; we found a few.





Now let's replace the 'lshw' command with our custom command and modify the PATH.
Then, executing sysinfo, we got a root shell, because the sysinfo command calls 'lshw' and we replaced it.





We got a shell, but this shell is not interactive, so run a bash script to get a reverse shell. And finally we got root.txt.