This magical website lets you convert image file formats.
This is Magician from THM. It’s easy rated, but it wasn’t that easy.
Ports
FTP and two HTTP ports, on 8080 and 8081.
FTP
Anonymous login is available, and we get this message:
Most of the other commands don’t seem to work; we can’t get a directory listing or download anything, and we can’t put anything either. Let’s check that website.
https://imagetragick.com
TL;DR
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
I hadn’t heard of this before, but it’s pretty interesting.
At http://magician:8081/ there is a portal to upload a PNG file for conversion to JPG; the converted file can then be retrieved from http://magician:8080/files/ (note the different port). The root of http://magician:8080/ shows a Whitelabel error page, which is Spring Boot's generic error page.
Okay, we can capture our upload with Burp and modify it. It took me some time to figure out, but this payload gives a shell:
This payload gave a file read:
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context
So that was new and pretty interesting.
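As an added defensive example (not code from the room or from this writeup), here is the upload-side check that imagetragick.com recommends alongside a restrictive policy.xml: confirm that a file claiming to be a PNG really carries the PNG signature and a well-formed IHDR chunk before it is handed to ImageMagick, and flag anything that instead looks like an MVG script. The check_upload function, the make_png_header helper and the sample inputs are all constructed for this example.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Text directives typical of an MVG (Magick Vector Graphics) script rather than a raster image.
MVG_MARKERS = (b"push graphic-context", b"viewbox", b"image over", b"pop graphic-context")
MAX_DIMENSION = 16384  # arbitrary sanity limit, chosen for this example


def check_upload(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only a structurally valid PNG header is accepted."""
    if not data.startswith(PNG_SIGNATURE):
        head = data[:256].lower()
        if any(marker in head for marker in MVG_MARKERS):
            return False, "MVG script masquerading as an image"
        return False, "missing PNG signature"
    # After the 8-byte signature the first chunk must be IHDR:
    # length (4 bytes) + type (4) + data (13) + CRC (4) = 25 bytes.
    if len(data) < 8 + 25:
        return False, "truncated IHDR"
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return False, "first chunk is not a valid IHDR"
    chunk_data = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(chunk_type + chunk_data) & 0xFFFFFFFF != crc:
        return False, "IHDR CRC mismatch"
    width, height = struct.unpack(">II", chunk_data[:8])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return False, "unreasonable image dimensions"
    return True, "ok"


def make_png_header(width: int, height: int) -> bytes:
    """Constructed minimal PNG (signature + IHDR only); enough to exercise the check."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


# Constructed sample inputs: a genuine PNG header and the MVG text shown above.
GOOD_PNG = make_png_header(640, 480)
MVG_TEXT = (b"push graphic-context\nviewbox 0 0 640 480\n"
            b"image over 0,0 0,0 'label:@/etc/passwd'\npop graphic-context\n")

if __name__ == "__main__":
    for name, blob in (("good png", GOOD_PNG), ("mvg text", MVG_TEXT)):
        print(name, check_upload(blob))
```

A file with the PNG signature is decoded by ImageMagick's PNG coder rather than parsed as MVG, so the signature check alone closes the path used above; the IHDR checks additionally reject garbage that merely prepends the signature.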
Privesc
We are the user magician and we get a message:
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.
With some enumeration we can figure out that a server is listening on port 6666 on localhost. We can connect to it with telnet:
Note that we hit Enter twice to send this.
We get a reply that includes a trollface; I won’t show the whole thing:
Right, so we’ve got a POST request with a filename variable. I try to interact with it through telnet, but it times out. So it’s script time:
I copy this to the box, make it executable and invoke it like so:
telnet> magician@magician:~$ ./tel.sh | telnet
This produces the goods, although it is (trivially) encoded; I’ll leave that out. I did also use this technique to grab the shadow file (which came hex encoded) but the password for magician at least doesn’t want to crack easily.
So, that was that and I must say it was pretty good. Well done ripcurlz and ms.geeky.