magician
May 20, 2021
magician - THM
After the initial scan, there appear to be two open ports on the target. One of them should prompt you to try the oldie-but-goodie anonymous login, which can give you a pretty powerful hint. Follow it and then see what you are up against on the other port. That service suffers from the ImageMagick vulnerability known as ImageTragick, which leads to RCE. In order to exploit it you can:
- Create your own payload (but why reinvent the wheel, right?);
- Use the section PayloadsAllTheThings dedicates to this vulnerability;
- Use the Metasploit module that builds the payload you need.
After successfully exploiting it (be sure you have the machine registered as "magician" in your /etc/hosts or it won't work), grab the user flag.
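The defensive counterpart to the ImageTragick step above, added here as an example and not part of the original writeup or of the room: two of the mitigations recommended when ImageTragick was disclosed are verifying that an upload's magic bytes match the image type the client claims before ImageMagick ever parses it, and denying the abused coders (plus the `@file` indirect-read syntax) in ImageMagick's policy.xml. The function names, the accepted-format list and the sample policy and upload bytes are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Magic bytes for the formats this hypothetical upload endpoint accepts
# (assumption: the service only needs PNG, JPEG and GIF).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Coders abused by ImageTragick; the published mitigation denies all of them.
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                    "TEXT", "SHOW", "WIN", "PLT"}


def sniff_image_type(data: bytes):
    """Identify the real image type from its leading bytes, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def safe_to_convert(data: bytes, claimed_type: str) -> bool:
    """Only let ImageMagick see the file if its bytes match the claimed type.

    ImageTragick payloads were plain-text files: ImageMagick chose a coder
    from the file content rather than from the extension, so a content check
    in front of it keeps a text file from ever reaching the MVG/MSL coders.
    """
    return sniff_image_type(data) == claimed_type.lower()


def policy_gaps(policy_xml: str) -> set:
    """Return the dangerous coders that the given policy.xml does NOT deny."""
    root = ET.fromstring(policy_xml)
    denied = {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return DANGEROUS_CODERS - denied


def indirect_reads_blocked(policy_xml: str) -> bool:
    """True if the policy denies the '@file' syntax that reads arbitrary paths."""
    root = ET.fromstring(policy_xml)
    return any(
        p.get("domain") == "path" and p.get("rights") == "none"
        and p.get("pattern") == "@*"
        for p in root.iter("policy")
    )


# Constructed samples: a genuine PNG header, and text that merely claims to be PNG.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_UPLOAD = b"not a raster image at all\n"

# Constructed policies: an empty one, and one carrying the ImageTragick mitigation.
WEAK_POLICY = "<policymap/>"

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    print(safe_to_convert(PNG_UPLOAD, "png"), safe_to_convert(TEXT_UPLOAD, "png"))
    print(sorted(policy_gaps(WEAK_POLICY)), policy_gaps(HARDENED_POLICY))
    print(indirect_reads_blocked(WEAK_POLICY), indirect_reads_blocked(HARDENED_POLICY))
```

Run `policy_gaps()` against the real `policy.xml` on a host that runs ImageMagick on user uploads: anything it returns is a coder an untrusted file can still select. The magic-byte check belongs in front of every call into ImageMagick, since a patched library is only part of the fix when the input is attacker-controlled.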
Privilege escalation requires looking at open ports (as the hint in the home directory suggested). There is a service listening on 6666, but to reach it you will need to show off your port-forwarding skills. Mine were limited to the following command:
./socat tcp-l:33060,fork,reuseaddr tcp:127.0.0.1:6666 &
With this you can simply point your browser at the target on the newly opened port 33060 and it will forward you to the service listening on 6666. There you will find a form asking for a file name. You can read files from anywhere on the file system with this service, but it will "troll" you by returning the requested contents in different encodings (in my experience either base64 or ROT13, but others may be used as well). You can choose to go for the flag or try to crack the root password from /etc/shadow. Whatever your choice, your job here is done ;)