Before starting: all of the challenges posted here are part of my learning journey. I didn’t solve them all; if I searched or learned from other senpais, I will reference them all.
Ideas:
- Recon with nmap, then enumerate FTP (port 21) -> HTTP proxy (port 8080) -> HTTP (port 8081).
- The HTTP service allows image uploads and is vulnerable to ImageTragick.
- Initial foothold by exploiting ImageTragick code execution (CVE-2016-3714).
- Port 6666 (“the magic cat”) is listening locally on the target host.
- Create an SSH tunnel, then point a browser proxy at port 6666 on the local host.
- Read root.txt.
To do:
- echo "[TARGET IP] magician" | sudo tee -a /etc/hosts (the redirection must run as root; with sudo echo ... >> /etc/hosts the shell opens /etc/hosts as the unprivileged user and fails with permission denied)
# RECON
Starting with: sudo nmap -sV -A -vvv -sC -T4 -oN nmap/initial_scan magician
There are 3 open ports:
- FTP 21
- HTTP-PROXY 8080
- HTTP 8081
Let’s look at each port in turn:
Port 21:
I connect to the port using: ftp magician
- Allows anonymous login
- Gives us a hint and a document about the vulnerability [ https://imagetragick.com ]
- We probably cannot do anything else on port 21
Port 8080:
Now, let’s have a look at the site.
It returns a “Whitelabel Error Page” error. Whenever I interact with a page and it only returns errors, I move on, keep it in mind and come back later.
Port 8081:
How straightforward the attack vector is!
If we copy and paste the original payload as-is, it won’t work, simply because the upload function parses our input differently.
Here is the reference:
[ https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2 ]
There are 2 problems with the payload:
- example.com: if we keep “example.com”, it still works but may take a while. Since our machine and the target are on the same network, it is easier and faster for the target to reach us.
- “|”: we may need to remove it from the payload.
Our payload will be something like this:
How to verify ?
One useful way to verify whether our code is executed is to use “tcpdump” and “ping”.
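The bug behind this upload form is ImageMagick decoding a text file that was handed in under an image extension. As an added example (not code from the original post or from the challenge), the Python below shows the defender’s side of CVE-2016-3714, one of the mitigations published for ImageTragick: check the leading bytes of the upload against an allow-list of raster formats and refuse anything whose content and claimed extension disagree. The allow-list, the sample uploads and the names `detect_image_type` and `is_safe_upload` are all constructed for this example.

```python
# Added example (not from the original post): magic-byte validation for an
# image upload endpoint, one of the mitigations recommended for ImageTragick
# (CVE-2016-3714). The exploit files were text (MVG/SVG) uploaded under an
# image extension, so the extension and Content-Type cannot be trusted; only
# bytes that start like an accepted raster format should reach the decoder.
from typing import Optional

# Leading bytes of the only formats this site accepts (constructed allow-list).
IMAGE_SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
]

# Extensions the client may claim, mapped to the signature name.
EXTENSION_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the format whose signature the content starts with, else None."""
    for name, signature in IMAGE_SIGNATURES:
        if data.startswith(signature):
            return name
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """Accept only when the bytes match an allowed signature AND the claimed
    extension names the same format. A text payload renamed to .jpg fails the
    first test; a PNG renamed to .jpg fails the second (it may be a harmless
    image, but a mismatch between name and content is exactly what the
    attack relies on, so it is rejected rather than guessed about)."""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TO_TYPE.get(extension)
    actual = detect_image_type(data)
    return actual is not None and claimed == actual


# Constructed sample uploads (not real files from the challenge).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
TEXT_SAMPLE = b"plain text pretending to be an image\n"

if __name__ == "__main__":
    for name, blob in [("cat.png", PNG_SAMPLE), ("cat.jpg", JPEG_SAMPLE),
                       ("cat.jpg", TEXT_SAMPLE), ("cat.jpg", PNG_SAMPLE)]:
        print(name, "accepted" if is_safe_upload(name, blob) else "rejected")
```

This only filters what reaches ImageMagick; the imagetragick.com page the FTP hint points to also recommends a policy.xml that disables the coders involved, and the two belong together.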
# Initial foothold & user.txt
This is not the only way, but the payload will look something like this:
“user.txt” is in magician’s home directory.
# root.txt
Enumeration:
Let’s read the “the_magic_continues” file in the user’s home directory.
Ok … ! :’).
“locally listening”
To use this port from our own machine, we can create a tunnel connection back to our host.
- Tunnel it to port 6666 on our local host.
There are many ways to create a tunnel; I will use an SSH tunnel.
On the local machine, start the ssh service:
- sudo service ssh start
On target machine:
- ssh -R 6666:localhost:6666 [user]@[LOCAL IP]
At this point, we should have a tunnel and port 6666 listening on the local machine.
Recall the HTTP proxy on port 8080: as a guess, we can try setting up a browser proxy pointing at localhost:6666. For the browser proxy I used “FoxyProxy”.
Now, when we connect to http://magician:8080, we will see something different.
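The reason a tunnel is needed at all is that port 6666 is bound to the loopback interface, so only processes on the target can connect to it; ssh -R 6666:localhost:6666 [user]@[LOCAL IP] asks the sshd on our machine to listen on 6666 and hand every connection back through the SSH session to localhost:6666 on the target. The Python below is an added illustration (not code from the post, and not how the challenge was solved) of that relaying done in-process: a stand-in service bound to 127.0.0.1, and a small forwarder doing the byte copying that the SSH remote forward does. Ports are ephemeral, the banner and request are constructed, and `start_loopback_service`, `start_relay`, `pump`, `query` and `demo` are names chosen for this example.

```python
# Added example (not from the original post): an in-process TCP relay that
# plays the role of the listening side of `ssh -R 6666:localhost:6666`.
# It exists only to show why a loopback-bound port is unreachable from the
# network and how a forwarder bridges it; real SSH adds authentication and
# encryption on the wire, which are not modelled here.
import socket
import threading
from typing import Tuple


def start_loopback_service() -> Tuple[socket.socket, int]:
    """Stand-in for the target's local-only service ("the magic cat"): bound
    to 127.0.0.1 on an ephemeral port, so only loopback clients can reach it.
    Reads one request and answers with a constructed banner plus the echo."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))
    server.listen()

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:  # listening socket closed by demo()
                return
            with conn:
                request = conn.recv(1024)
                conn.sendall(b"magic-cat: " + request)

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_port: int) -> Tuple[socket.socket, int]:
    """Listen on a fresh ephemeral port; for each client, open a connection to
    127.0.0.1:target_port and pump bytes both ways (what sshd does on the
    listening end of a remote forward, minus the SSH channel in between)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed by demo()
                return
            upstream = socket.create_connection(("127.0.0.1", target_port))
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def query(port: int, payload: bytes) -> bytes:
    """Send one request to 127.0.0.1:port and read the reply until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                return reply
            reply += chunk


def demo() -> Tuple[bytes, bytes]:
    """Talk to the service directly (as a process on the target could) and
    through the relay (as a browser on our box does via the tunnel)."""
    service, service_port = start_loopback_service()
    relay, relay_port = start_relay(service_port)
    try:
        direct = query(service_port, b"hello\n")
        forwarded = query(relay_port, b"hello\n")
    finally:
        relay.close()
        service.close()
    return direct, forwarded


if __name__ == "__main__":
    print(demo())
```

Both replies come back identical, which is the whole point of the forward: the browser never talks to the target's port 6666 itself, it talks to a local listener that relays for it. On the defender's side this is also why a service bound to 127.0.0.1 is not a security boundary once any account on the host can run ssh outbound.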
and cat root.txt !
Decode it and submit flag.
I tried to get a root shell but had no result; I’ll update it later (if it’s possible).
P/s: Thanks for reading, leave a comment if you find it useful and stay safe — :)