Magician
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed nmap scan:
Command breakdown:
(-sV): service version detection
(-sC): default nmap scripts
(-p): specify ports 21 and 8081
(-oN nmap): save the output to a file called nmap
Enumeration
They told us to add magician to our /etc/hosts file, so let's go do that.
Now let's visit the site being hosted on port 8081.
It's a PNG to JPG converter.
First, let's test by uploading a PNG file, and it works.
We can try uploading a PHP file by changing its name when uploading and then changing the name back to .php using Burp, so let's do this. The reverse shell I am going to use is this. Once downloaded, rename it with a .png extension at the end.
Now let's upload the file and capture the request.
Let's send it to Repeater and change the name of the file to shell.php.
Now let's send it.
It has been uploaded successfully, so now we can forward it in the Proxy tab after changing the file name.
We can see that it has been uploaded successfully, so let's start a netcat listener to catch a reverse shell.
Now let's click on the file to get a reverse shell. But we only get the option of downloading the file; we cannot execute it. So now we have to try a different method.
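The rename trick above works against any upload handler that trusts the filename or Content-Type the browser sends, since Burp can rewrite both after the client-side check has run. The following is an added example, not code from the room or from the converter it runs, showing the server-side checks that stop it: the decision is made from the file bytes (the PNG signature), the last extension is checked case-insensitively, and the stored name is chosen by the server so the original name never reaches disk. The size limit and sample inputs are constructed for the example.

```python
import os
import secrets

# The fixed 8-byte PNG file signature (from the PNG specification).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Only the extension the converter is meant to accept.
ALLOWED_EXTENSIONS = {".png"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for this example


def validate_upload(filename, content_type, data):
    """Decide whether an uploaded blob may be accepted.

    Returns (accepted, reason). The decision is driven by the file bytes;
    the client-supplied filename and Content-Type are only ever used to
    reject, never to accept, because a proxy can rewrite both at will.
    """
    if not data:
        return False, "empty upload"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Magic-byte check: a renamed PHP script does not start with the PNG signature.
    if not data.startswith(PNG_SIGNATURE):
        return False, "content is not a PNG (signature mismatch)"
    # Extension check on the last extension only, case-insensitive.
    _, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not allowed"
    # A declared type that disagrees with the bytes is a sign of tampering.
    if content_type.lower() != "image/png":
        return False, f"declared Content-Type {content_type!r} does not match content"
    return True, "ok"


def storage_name():
    """Server-chosen name for the stored file.

    The original filename never reaches the filesystem, so neither a
    double extension nor a later rename in the request can turn the stored
    object into something the web server would execute.
    """
    return secrets.token_hex(16) + ".png"


def handle_upload(filename, content_type, data):
    """Validate and return (stored_name, status); stored_name is None on rejection."""
    accepted, reason = validate_upload(filename, content_type, data)
    if not accepted:
        return None, reason
    return storage_name(), "stored"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG-looking blob and a non-PNG blob.
    png_bytes = PNG_SIGNATURE + b"\x00" * 16
    print(handle_upload("cat.png", "image/png", png_bytes))
    print(handle_upload("shell.php", "image/png", png_bytes))
    print(handle_upload("shell.png", "image/png", b"<?php /* not a PNG */ ?>"))
```

In the room the renamed file could only be downloaded, not executed, which is the other half of the defence: uploads live outside any path the web server will run scripts from. Note what the signature check does not cover: a genuine PNG whose contents target the converter itself, which is the route the rest of this writeup takes, is a bug in the image library, and the answer there is patching and sandboxing the converter rather than inspecting filenames.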
Exploitation
I went to Google to search for exploits and tried them but came up empty; then I remembered there is a GitHub repo called PayloadsAllTheThings with a lot of exploits, so I went to it, searched for the exploit and found it. It can be found here.
Now let's copy this code into a PNG file called exploit.png on our machine. We should also change the IP and port in the exploit.
Once copied, let's upload this file. Once you click upload you should get a reverse shell.
Let's stabilize the shell.
We can read the user.txt file.
Privilege Escalation
I tried enumerating on my own to find a way to escalate privileges but could not find anything interesting, so let's download linpeas onto this machine. We first have to start an HTTP server.
Now let's go to the victim machine and download the file.
Now let's give it execute permissions and run it.
Looking at the output, we see something interesting.
The machine is listening on port 6666. Port 53 is DNS, so that's not surprising, but port 6666 is not common, so we have to use port forwarding to visit this site. For port forwarding we can use a tool called chisel. You can learn about it here.
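The reason port 6666 never showed up in the nmap scan is that it is bound to the loopback address only, so it is reachable just from the host itself. From the defender's side, the useful habit is to audit listeners from inside the box and compare them against the services you have accounted for. The following is an added example, not part of the original writeup: it parses ss-style output (the sample lines are constructed to mirror the room: 21 and 8081 from the nmap scan, 53 as DNS, and the unexplained 6666 on loopback), classifies each port by scope, and reports the ones nobody has accounted for. The expected-port set is an assumption taken from this writeup.

```python
# Ports this writeup accounts for: 21 and 8081 from the nmap scan, 53 as DNS.
EXPECTED_PORTS = {21, 53, 8081}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample output in the shape of `ss -ltn` on the victim.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     127.0.0.1:53         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6666       0.0.0.0:*
LISTEN  0       128     *:8081               *:*
LISTEN  0       128     [::]:8081            [::]:*
"""


def parse_listeners(text):
    """Return a list of (address, port) for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        addr, _, port = local.rpartition(":")  # handles *, IPv4 and [IPv6] forms
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(listeners, expected_ports=EXPECTED_PORTS):
    """Classify each listening port by scope and whether it is accounted for.

    Loopback-only listeners are invisible to an external port scan, which is
    why a scan from outside sees 21 and 8081 but not 6666: such a service is
    reachable only by someone already on the host. Returns one finding dict
    per distinct port, sorted by port number.
    """
    findings = {}
    for addr, port in listeners:
        scope = "loopback" if addr in LOOPBACK else "all-interfaces"
        entry = findings.setdefault(
            port, {"port": port, "scope": scope, "expected": port in expected_ports}
        )
        # If the same port is also bound on a non-loopback address, it is externally reachable.
        if scope == "all-interfaces":
            entry["scope"] = "all-interfaces"
    return [findings[p] for p in sorted(findings)]


def unexpected_listeners(text, expected_ports=EXPECTED_PORTS):
    """Convenience wrapper: listening ports that nobody has accounted for."""
    return [f for f in audit_listeners(parse_listeners(text), expected_ports) if not f["expected"]]


if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        flag = "" if finding["expected"] else "  <-- unexpected"
        print(f"port {finding['port']:>5}  {finding['scope']:<14}{flag}")
```

Run against real output by feeding `ss -ltn` (or `netstat -ltn`) into parse_listeners; anything reported as unexpected deserves a process owner lookup (`ss -ltnp` as root) and a place in the documented service inventory, because a loopback-only web service is exactly the kind of thing that only gets noticed once an attacker is already on the host.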
Let's download the tool.
Now we have to transfer the tool to the victim machine. To do this, first find the tool's location.
Then go to that directory and copy it into the directory you are using for this room.
Now start an HTTP server in the directory.
And download the file onto the victim machine.
Make sure to make chisel executable.
Now, first on our machine we have to use this command.
And on the victim machine we have to use this command.
Once you hit enter you should get this on the victim machine.
And this on your machine.
Now you can visit the website on port 2299 on your local host.
Now we can get the root file by typing for the root file.
We can use CyberChef to crack this.