# Magician

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM-sQiV71_CGcYomAg%2F-McM-w7-2AWPen3L0s4m%2Fimage.png?alt=media\&token=d2b60e6c-99b8-48a7-ac70-ed06903bc611)

## Reconnaissance

Initial nmap scan to find open ports, using the **-Pn** flag ("treat all hosts as alive", which skips host discovery):

```
nmap -Pn 10.10.216.234
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM0lLQBKZDSEIPVqaN%2Fimage.png?alt=media\&token=a68faac0-299b-45e9-9b22-11e160abe228)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: scan only the ports found above, 21 and 8081
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 21,8081 -oN nmap 10.10.216.234
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM1-omaeoL0kMQ-8GG%2Fimage.png?alt=media\&token=ff91c82c-1632-477f-a138-9c08f8928d92)

## Enumeration

The room tells us to add `magician` to our `/etc/hosts` file, so let's do that.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM1KYXZFF1fgSI9Jn5%2Fimage.png?alt=media\&token=63ab8659-5af4-4594-8274-4f410cb1de8a)

Now let's visit the site hosted on port `8081`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM1XuBeF2IDxGIajvy%2Fimage.png?alt=media\&token=fc046ec8-5b96-47bf-9c0e-59fc02f724a7)

It's a PNG to JPG converter. First, let's test it by uploading a PNG file, and it works.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM6sTE8gHIdoXEHpcT%2Fimage.png?alt=media\&token=9b50c50f-a934-4944-a52c-6b7c7c6d90ea)

We can try uploading a PHP file by giving it a `.png` extension for the upload and then changing the name back to `.php` in the request using `burp`. The reverse shell I am going to use is [this one](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). Once downloaded, rename it so that it ends with a `.png` extension.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM7iNSeucI4jrP-g62%2Fimage.png?alt=media\&token=e95222d9-4fc4-49e3-8266-448cf35d0d82)

Now let's upload the file and capture the request in Burp.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM7tiod-b1YZE-DPau%2Fimage.png?alt=media\&token=31c530a8-0c81-499d-915c-5a18a346a6c7)

Let's send it to Repeater and change the file name to `shell.php`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM83sSryoofo8BSPnz%2Fimage.png?alt=media\&token=8b3c20f5-4014-473b-aa71-9e931e6a0096)

Now let's send it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM86jEtIdgUEfCBUmk%2Fimage.png?alt=media\&token=9cfaade4-62c4-4bc0-a8d4-e050abb3268b)

It uploaded successfully, so now we can change the file name in the Proxy tab as well and forward the request.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM8R0zTLJSqI0cyJ4e%2Fimage.png?alt=media\&token=e6482da8-9db4-4e81-97f1-e1d8e86d5606)

We can see that it was uploaded successfully, so let's start a netcat listener to catch the reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM8aeSaIOaxUm05KFy%2Fimage.png?alt=media\&token=7be6d50d-3c14-4142-b00f-7f13eb2a2e73)

Now let's click on the file to trigger the reverse shell. But we only get the option to download the file; the server does not execute it. So we have to try a different method.

## Exploitation

I searched Google for exploits and tried them, but came up empty. Then I remembered that the `github` repo `PayloadsAllTheThings` collects a lot of payloads, so I searched there and found the ImageMagick (ImageTragick) payload for this converter. It can be found [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McM9iBZ2hbyvpsYUxzC%2Fimage.png?alt=media\&token=19d97a5f-575e-49bc-8488-8fea73c40d74)

Now let's copy this payload into a file called `exploit.png` on our machine. We should also change the IP and port in the payload to our own.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McMA7SOW7b8CvGcfW1V%2Fimage.png?alt=media\&token=bfa7df0e-ec67-4936-a79e-857e99f13ebc)

Once that's done, let's upload this file. When you click upload, you should get a reverse shell.
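From the defender's side, both tricks used above, renaming a PHP file to `.png` and editing the name back in the proxy, and an MVG text script carrying a `.png` name, get past a server that only looks at the client-supplied filename. ImageMagick decides the format from the file's content (a file starting with `push graphic-context` is treated as MVG whatever its name), so the server must check content too. The following is an added example, not the room's code, of the server-side check a converter like this should run: it sniffs the magic bytes, requires them to agree with the extension, and never stores the file under the client's name. The function names (`sniff_image_type`, `validate_upload`, `storage_name`) and all sample uploads are constructed for this illustration.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

# Leading bytes of the only two formats a PNG-to-JPG converter needs to accept
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# client extension -> format it claims to be
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes; the filename is not consulted.
    A text file (PHP source, or an MVG script starting with 'push graphic-context')
    matches neither signature and returns None."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return None


def validate_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Extension and content must each be an allowed
    image type and must agree with each other."""
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, f"extension '.{ext}' not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a PNG or JPEG"
    if sniffed != ALLOWED_EXT[ext]:
        return False, f"extension claims {ALLOWED_EXT[ext]} but content is {sniffed}"
    return True, sniffed


def storage_name(sniffed: str) -> str:
    """Never reuse the client-supplied name on disk: the basename is random and the
    extension comes from the sniffed type, so a name edited in an intercepting proxy
    never decides how the stored file is treated."""
    return f"{secrets.token_hex(16)}.{sniffed}"


# Constructed sample uploads (hypothetical; none of these are the room's real files)
SAMPLES: Dict[str, bytes] = {
    # a genuine PNG: signature followed by the start of an IHDR chunk
    "cat.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13,
    # PHP source given a .png name before upload
    "shell.png": b"<?php echo 'placeholder'; ?>",
    # PNG content whose name was switched back to .php in the proxy
    "shell.php": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13,
    # an MVG text script (the format ImageTragick payloads use) named .png;
    # only a harmless header is included here
    "exploit.png": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    # JPEG bytes with a .jpg name
    "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
}


def check_samples() -> Dict[str, bool]:
    """Run every constructed sample through the validator and report the verdicts."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = validate_upload(name, data)
        stored = storage_name(reason) if ok else "-"
        print(f"{name:12} accepted={ok!s:5} {reason:45} stored as {stored}")
```

The magic-byte check rejects the MVG script because it is plain text, not a PNG. It is only the first layer, though: a converter that hands files to ImageMagick should also restrict the coders ImageMagick may use through its `policy.xml`, which is how the ImageTragick class of bugs is mitigated on the ImageMagick side.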

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McMAIziwIpqzekB1unt%2Fimage.png?alt=media\&token=82fff4b4-1075-4db6-b42a-eeefbee1f0ff)

Let's stabilize the shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McMAVBK_UT233XJJ4h7%2Fimage.png?alt=media\&token=d0dc1e4b-cc39-4dfb-9720-702d6134e55c)

Now we can read the `user.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McM0ZDcWh0JjUu81weB%2F-McMAjG1dq4f3ey7XPvV%2Fimage.png?alt=media\&token=3d1028f0-287e-47ef-8abf-ce039cfe9e95)

## Privilege Escalation

I tried enumerating manually to find a way to escalate privileges but could not find anything interesting, so let's download linpeas onto this machine. First we have to start an HTTP server on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMC0KZtnNcd6PpdiBS%2F-McMCPSfiYcy-v97Mxfe%2Fimage.png?alt=media\&token=2a97b9bc-d3bb-4dd4-8960-d82f5fa51732)

Now let's go to the victim machine and download the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMC0KZtnNcd6PpdiBS%2F-McMCZosTxRYgwcQRCAL%2Fimage.png?alt=media\&token=baa1cf45-da7d-471e-b55e-121b13c024bb)

Now let's make it executable and run it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMC0KZtnNcd6PpdiBS%2F-McMCgNxQghMR7xAa4wo%2Fimage.png?alt=media\&token=36f48b60-a118-4775-b77d-d06ab928c6e2)

Looking at the output, we see something interesting.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMC0KZtnNcd6PpdiBS%2F-McMCv2tTKLKV-WFu4YZ%2Fimage.png?alt=media\&token=dd88a0d6-b65c-493c-94d2-dcf8722c88cb)

The machine is listening locally on `port 6666`. Port 53 is DNS, so that's not surprising, but port 6666 is not common and it did not show up in our nmap scan, so we have to use port forwarding to visit this site. For port forwarding we can use a tool called `chisel`. You can learn about it [here](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html).
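linpeas spotted this listener by reading the kernel's socket table, which is the same audit a host owner should run on their own systems: a service bound only to 127.0.0.1 is invisible to a network scan, not to anyone with a shell on the box. As an added example (not the room's code and not linpeas'), here is a small parser for `/proc/net/tcp` run over a constructed sample in the same column layout, reporting which listeners are reachable only from loopback. The function names and the sample rows are assumptions made for this illustration; the port numbers mirror the ones found on this box.

```python
import socket
import struct
from typing import List, NamedTuple, Tuple


class Sock(NamedTuple):
    ip: str
    port: int
    state: str
    uid: int


# TCP state codes as they appear in the 'st' column of /proc/net/tcp (subset)
STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Constructed sample in the column layout of /proc/net/tcp on x86 Linux
# (addresses are little-endian hex, ports are plain hex): a web server on 8081,
# FTP on 21, the stub resolver on 127.0.0.53:53, a loopback-only service on 6666
# and one established connection to it.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 21001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002 1 0000000000000000 100 0 0 10 0
   2: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 21003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1A0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:1A0A 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 21005 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field: str) -> Tuple[str, int]:
    """'0100007F:1A0A' -> ('127.0.0.1', 6666). The IP is a native-endian 32-bit
    value, which on x86 means the hex string is byte-reversed."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> List[Sock]:
    """Parse the table into Sock records; columns are sl, local, remote, st, ..., uid."""
    socks: List[Sock] = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        ip, port = decode_addr(cols[1])
        socks.append(Sock(ip, port, STATES.get(cols[3], cols[3]), int(cols[7])))
    return socks


def listeners(socks: List[Sock]) -> List[Tuple[str, int]]:
    """Every (ip, port) in LISTEN state, de-duplicated and sorted."""
    return sorted({(s.ip, s.port) for s in socks if s.state == "LISTEN"})


def loopback_only_listeners(socks: List[Sock]) -> List[Tuple[str, int]]:
    """Listeners a remote port scan cannot see but a local user can reach."""
    return [(ip, port) for ip, port in listeners(socks) if ip.startswith("127.")]


if __name__ == "__main__":
    # On a live host replace SAMPLE with open("/proc/net/tcp").read()
    parsed = parse_proc_net_tcp(SAMPLE)
    for ip, port in loopback_only_listeners(parsed):
        print(f"loopback-only listener: {ip}:{port}")
```

Comparing this list against the ports an external scan reports is exactly the gap linpeas highlighted here, and it is the gap a host hardening review should close by either removing the service or deciding deliberately that it is loopback-only.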

Let's download the tool.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMFJ_0C9Rf20ksRO7f%2Fimage.png?alt=media\&token=d8d30ccc-4c71-49ac-b20d-c0ac1bbff492)

Now we have to transfer the tool to the victim machine. To do this, first find where the tool is located on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMFR7q8TXdnObYgJwD%2Fimage.png?alt=media\&token=3b3ecb25-9ec7-4a26-82e1-049e908787dd)

Then go to that directory and copy the binary into the directory you are using for this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMGLiEiAVzNzphnNtA%2Fimage.png?alt=media\&token=20b1520c-f515-432d-9ded-b01913029e50)

Now start an HTTP server in that directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMGUdbIejihjkPJb8z%2Fimage.png?alt=media\&token=2e96ca16-b6b1-4e59-9834-92a78def67ed)

And download the file onto the victim machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMGrdbUCfFn6bUvLdU%2Fimage.png?alt=media\&token=e7e798a6-38f2-4b2d-a332-08ac30e4097d)

Make sure to make chisel executable.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMDl5kN0Ghxau1I7Os%2F-McMH0yVKhWd6EE2UX_t%2Fimage.png?alt=media\&token=6b29daac-9992-47b0-9164-f2c61786ba1b)

Now, first on our machine, we run this command:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMHXwUBZkFxB2YiT2W%2Fimage.png?alt=media\&token=2dd97281-5d49-40d3-ba8f-010ad1b91c93)

And on the victim machine we run this command:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMHc5X9jJiPl9NlDm_%2Fimage.png?alt=media\&token=a55564af-b380-4de9-be9d-040e5d5f29b7)

Once you hit enter, you should see this on the victim machine:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMHiWBwVafmyNmMPGN%2Fimage.png?alt=media\&token=64ffa3bd-bc3f-451e-a771-52ec0eebefcf)

And this on your machine:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMHlgizotTYTDRmuf_%2Fimage.png?alt=media\&token=bd77eef4-6d13-4c3b-93bb-cad560a166cf)

Now you can visit the website on `port 2299` on your localhost, which is forwarded to port 6666 on the victim.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMHyr1nH04vrxjuTIa%2Fimage.png?alt=media\&token=da22b24f-b096-4070-898d-9098120f4662)

Now we can get the root file by typing its name into the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMIDjnPZf1EURyQjca%2Fimage.png?alt=media\&token=d68e3fe9-1f65-482e-81f2-960557207c67)

The output is ROT13, so we can use [CyberChef](https://gchq.github.io/CyberChef/#recipe=ROT13\(true,true,false,13\)\&input=R1Vae3pudHZwX3pubF96bnhyX3puYWxfenJhX3pucX0) to decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McMH1rDtwpOIEyWKDPF%2F-McMIQVUIftmObBJuBcq%2Fimage.png?alt=media\&token=9a432d8e-82ee-43cf-b580-cee856640e16)
