Magician

Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (-Pn) so that Nmap skips host discovery and scans the target even if it does not answer ping:

nmap -Pn 10.10.216.234

Detailed Nmap scan:

Command Breakdown:

  • (-sV): service version detection

  • (-sC): run the default Nmap scripts

  • (-p): scan only ports 21,8081

  • (-oN nmap): save the output to a file called nmap

nmap -sV -sC -p 21,8081 -oN nmap 10.10.216.234

Enumeration

They told us to add magician to our /etc/hosts file, so let's do that.

Now let's visit the site hosted on port 8081.

It's a PNG to JPG converter. First let's test it by uploading a PNG file, and it works.

We can try uploading a PHP file by giving it a .png name when uploading and then changing the name back to .php in Burp. The reverse shell I am going to use is this. Once downloaded, rename it so that it ends with a .png extension.

Now let's upload the file and capture the request.

Let's send it to Repeater and change the name of the file to shell.php.

Now let's send it.

It has been uploaded successfully, so now we can change the file name in the Proxy tab as well and forward the request.

We can see that it has been uploaded successfully; let's start a netcat listener to catch a reverse shell.

Now let's click on the file to trigger the reverse shell. But we are only offered the option of downloading the file; the server does not execute it. So we have to try a different method.

Exploitation

I went to Google to search for exploits and tried them but came up empty. Then I remembered the GitHub repo PayloadsAllTheThings, which collects a lot of exploits, so I went there, searched for the exploit and found it. It can be found here.

Now let's copy this code into a file called exploit.png on our machine. We should also change the IP and port in the exploit to those of our listener.

Once copied, let's upload this file. Once you click upload you should get a reverse shell.
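Both upload tricks above rely on the same weakness: the converter decides what a file is from the name the client sends, not from its bytes. The following is an added example (my own code, not the room's converter and not taken from PayloadsAllTheThings) showing the extension-only check beside a content check that verifies the PNG signature and a well-formed IHDR chunk, then runs both over constructed samples: a genuine image, a script renamed to .png in the proxy, and a plain-text payload with an image extension. All sample files, names and verdict strings are constructed for the example.

```python
import struct
import zlib

# Added example: validate an upload by its content, not its client-supplied name.
# The sample uploads at the bottom are constructed, not files from the room.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
VALID_BIT_DEPTHS = {1, 2, 4, 8, 16}
VALID_COLOUR_TYPES = {0, 2, 3, 4, 6}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a tiny but well-formed 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + RGB pixels per row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


def extension_only_check(filename: str) -> bool:
    """Weak check: trusts the name the client sent. Renaming the multipart
    filename in a proxy, as done above, is enough to get past it."""
    return filename.lower().endswith(".png")


def looks_like_png(data: bytes) -> bool:
    """Content check: PNG signature plus an IHDR chunk whose CRC matches and
    whose fields are sane. Text payloads with an image extension fail here."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
        return False
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    return width > 0 and height > 0 and depth in VALID_BIT_DEPTHS and colour in VALID_COLOUR_TYPES


def classify_upload(filename: str, data: bytes) -> str:
    """What a hardened converter should decide before handing bytes to an
    image library: reject on name first, then reject on content."""
    if not extension_only_check(filename):
        return "reject: extension"
    if not looks_like_png(data):
        return "reject: content is not a PNG"
    return "accept"


# Constructed uploads: a real image, a script, the same script renamed in the
# proxy, and a plain-text payload dressed up as an image.
SAMPLE_UPLOADS = {
    "cat.png": make_minimal_png(2, 2),
    "shell.php": b"<?php /* constructed stand-in for a script upload */ ?>",
    "shell.png": b"<?php /* same script, renamed to .png in the proxy */ ?>",
    "exploit.png": b"# constructed text payload with an image extension\n",
}


def masquerading_files(uploads: dict) -> list:
    """Detection view over an upload directory: names that claim to be PNG
    but whose bytes are not."""
    return sorted(name for name, data in uploads.items()
                  if extension_only_check(name) and not looks_like_png(data))


def audit(uploads: dict) -> dict:
    """Verdict per upload, as the hardened converter would decide it."""
    return {name: classify_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_UPLOADS).items():
        print(f"{name:12} {verdict}")
    print("masquerading:", masquerading_files(SAMPLE_UPLOADS))
```

The signature-plus-IHDR check is deliberately cheap and dependency-free; a production converter would additionally decode the image with the library it trusts and re-encode the output, so that whatever reaches the conversion step is pixel data rather than the attacker's original bytes.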

Let's stabilize the shell.

We can read the user.txt file.

Privilege Escalation

I tried enumerating on my own to find a way to escalate privileges but could not find anything interesting, so let's download linpeas onto this machine. We first have to start an HTTP server.

Now let's go to the victim machine and download the file.

Now let's make it executable and run it.

Looking at the output, we see something interesting.

The machine is listening on port 6666. Port 53 is DNS, so that is not surprising, but port 6666 is not common, and it was not reachable in our Nmap scan, so we have to use port forwarding to visit this site. For port forwarding we can use a tool called chisel. You can learn about it here.
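From the defender's side, the interesting fact here is that the service on 6666 is bound to the loopback interface: it never showed up in the external Nmap scan, so only a host-level inventory of listening sockets reveals it. The following is an added example of that inventory (my own code, not LinPEAS and not output captured from the room): it parses a constructed `ss -tlnp`-style table, compares each listener against the ports the writeup already accounts for (21, 53, 8081) and reports anything else together with whether an external scanner could have seen it. The table, process names and PIDs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example: inventory listening sockets and flag those outside the known
# baseline. The sample table below is constructed, not output from the room.

SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=571,fd=13))
LISTEN  0      50     127.0.0.1:6666      0.0.0.0:*         users:(("webapp",pid=1203,fd=9))
LISTEN  0      128    0.0.0.0:8081        0.0.0.0:*         users:(("converter",pid=998,fd=4))
LISTEN  0      32     0.0.0.0:21          0.0.0.0:*         users:(("ftpd",pid=712,fd=3))
"""

# Ports the writeup already explains: FTP and the converter from the Nmap scan,
# plus the local DNS stub resolver.
KNOWN_PORTS = {21: "ftp", 53: "dns", 8081: "converter web app"}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is bound to loopback, i.e. invisible to an
        external port scan and reachable only from the host itself."""
        host = self.addr.split("%")[0]  # drop an interface suffix such as %lo
        return host.startswith("127.") or host in ("::1", "[::1]")


def parse_ss(text: str) -> list:
    """Turn LISTEN rows of an `ss -tlnp` table into Listener records."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header or non-LISTEN row
        addr, port, rest = match.groups()
        proc = PROC_RE.search(rest)
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else "unknown"))
    return listeners


def unexpected_listeners(listeners: list, known: dict = KNOWN_PORTS) -> list:
    """Listeners on ports the baseline does not account for."""
    return [lst for lst in listeners if lst.port not in known]


def audit(text: str, known: dict = KNOWN_PORTS) -> list:
    """One report row per unexpected listener, noting whether an external
    scanner could have found it."""
    return [{"port": lst.port, "process": lst.process, "bind": lst.addr,
             "visible_to_external_scan": not lst.loopback_only}
            for lst in unexpected_listeners(parse_ss(text), known)]


if __name__ == "__main__":
    for row in audit(SAMPLE_SS_OUTPUT):
        print(row)
```

Run periodically and diffed against a baseline, this is the host-side counterpart of the external Nmap scan: a loopback-only service that an attacker would need a tunnel to reach is exactly the kind of listener an external scan cannot see, so it has to be inventoried from inside.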

Let's download the tool.

Now we have to transfer the tool to the victim machine. To do this, first find the tool's location.

Then go to that directory and copy it into the directory you are using for this room.

Now start an HTTP server in the directory.

And download the file onto the victim machine.

Make sure to make chisel executable.

Now, first on our machine, we have to use this command.

And on the victim machine we have to use this command.

Once you hit enter you should get this on the victim machine.

And this on your machine.

Now you can visit the website on port 2299 on your local host.

Now we can get the root file by entering the root file's name into the site.

We can use CyberChef to crack this.
