Magic Hackthebox

 

Welcome Readers, Today we will be doing the hack the box (HTB) challenge

Enumeration

Starting off with a little nmap, we see SSH and HTTP open.

root@kali:~/Documents/HackTheBox/Magic# nmap -Pn -sS -n -p1-10000 -T4 -sV 10.10.10.185 -vv
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
...

A quick check for OpenSSH v7.6p1 vulnerabilities doesn’t seem to give us anything, so let’s move on to port 80.

At first glance, there are just a bunch of images on the site - nothing too interesting. Of note in the source code, however, are references to images located in images/uploads. This will be useful later.

Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.

Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.

Foothold

Now, we are presented with a very simple login dialog box. The login process appears to be pretty standard in that it POSTs a username and password to the PHP backend.

Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

...

Read More