Magic Writeup — HackTheBox

REBRON SECURITY
Aug 23, 2020

Made by RebornSec ®

This is an amusing box made in preparation for Halloween. So let's start the MAGIC.

Enumeration phase :

Let’s start with the Nmap scan :

[~] nmap -sC -sV 10.10.10.185

As we can see, the HTTP port is open. Let's check it in the browser :

It seems to be a website that contains a gallery of photos. Let's see the login page :

I tried the basic credentials, but they did not work, so I tried a basic SQL injection structure :

And BOOM, the upload page appears :

Uploading a normal img.{imageextension}.php does not seem to work, so I used this script https://github.com/RebornSEC/RInjector to embed my PHP file into my image :
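A defender's view of the two upload tricks above, as an added example that is not part of the original writeup or the box's code: a Python check that rejects both a double-extension file name and an image with PHP embedded in its content. The allowed types, the function name check_upload and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumption: the gallery accepts only these image types.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions that a PHP handler configuration may execute.
SCRIPT_EXT = re.compile(r"^(php\d?|phtml|phar|pht)$", re.I)
# PHP open tags "<?php" and "<?=". Content scanning is a heuristic only:
# re-encoding the image server-side and serving uploads from a directory
# with no script handler is the robust control.
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def check_upload(filename: str, data: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in MAGIC:
        reasons.append("final extension is not an allowed image type")
    # Reject a script extension anywhere in the name, not only at the end,
    # because some handler configurations match ".php" in any position.
    if any(SCRIPT_EXT.match(p) for p in parts[1:]):
        reasons.append("script extension present in file name")
    expected = MAGIC.get(parts[-1])
    if expected and not data.startswith(expected):
        reasons.append("magic bytes do not match the extension")
    # A valid image header says nothing about the rest of the file.
    if PHP_TAG.search(data):
        reasons.append("PHP open tag found inside file content")
    return reasons


if __name__ == "__main__":
    png = MAGIC["png"]  # constructed sample inputs, not real uploads
    samples = {
        "cat.png": png + b"\x00" * 16,
        "img.png.php": png + b"\x00" * 16,
        "img.php.png": png + b"\x00" * 16,
        "img.png": png + b"\x00" * 16 + b"<?php echo 1; ?>",
    }
    for name, body in samples.items():
        print(name, "->", check_upload(name, body) or "accept")
```

A header-only check passes the last sample, which is why the whole body is scanned.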

With nc -nlvp 4444 prepared, I intercept the callback from the shell :

We want our shell to be interactive :

python -c 'import pty; pty.spawn("/bin/sh")'

Digging further, I found some credentials in db.php5 in /var/www/Magic :

So we can use these credentials to dump the database of the host with mysqldump :

I got other credentials :

Now we su as theseus with the new password we got, Th3s3usW4sK1ng

And here we got our user.txt :

Root phase :

After long enumeration, I found a way to root the box. It was simple, but I had looked too deep :

And the root.txt hash is inside rebornsec.txt. Congrats, we got root :D
