Magic

ROOTED.

Learned alot on this one! Thanks @TRX

Incredibly satisfying box for me. Although the frustration at getting initial foothold was maddening, the moment you realize how to get it, will give satisfaction in awesome waves ;). Root was very routine I think. The user part was really great. Thank you for this box.

Great and funny box!

FOOTHOLD: Burp, exiftool and curl will help you. After, a strong reverse shell is necessary.
USER: An interesting service is running, not reachable before… And think easy way!
ROOT: suid3num, strings or pspy64, and find the right “path”!

rooted, nice and straighforward box

rooted the box! but root.txt doesn’t seem to have the right Hash.
Did somebody experience the same Thing ?

@shinjikun said:

rooted the box! but root.txt doesn’t seem to have the right Hash.
Did somebody experience the same Thing ?

Its a dynamic hash so chances are:

  1. the box reset between you getting the hash and submitting it.
  2. the hash you have was submitted before was recognised (I have no idea how the dynamic hashes work)
  3. somehow you ended with an old hash.

Its never happened to me so I have no idea what the solutions are but people have suggested resetting the box and re-rooting it so you know you have the right hash or wait a bit and try again.

At the very least this should be reported to HTB via Jira Jira Service Management - they cant fix the process if they don’t know it is broken.

any hints on root? got user

Nice box with good exploitation path.

User:

  • You don’t have to login in order to go further, but if you want to login, it’s a basic challenge.
  • Basic RCE, check what actions you can do there - lots of explanation about it. Just google.
  • Once you have a reverse shell, enumerate everything.

Root:

  • I assume there is a rabbit hole so if it’s not working, go on…
  • Again basic enumeration will give you all the details you need.
  • Pay attention to who you are and what you own.

Hope it’s not a spoiler.

Just got the root on Magic…thanks to Mty0x for a nudge on root…pm me if you are stuck

This is infuriating. Somebody keeps deleting my shell and killing my session. Am I doing something wrong or is someone being a ■■■■?
I can’t work on root because my session dies after 2 minutes…

@89jase said:

This is infuriating. Somebody keeps deleting my shell and killing my session. Am I doing something wrong or is someone being a ■■■■?
I can’t work on root because my session dies after 2 minutes…

Shells are getting automatically removed after a short amount of time, IIRC. The session should be stable, though. Maybe try another payload for generating your shell :wink:

f***ing stuck at user…
someone can PM me?

great boX!
learned a lot of stuff!!!

Rooted! Finally

Lesson learn: don’t dig too deep to a rabbit hole

root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)

Got root, but the hash in root.txt appears to be wrong? Wtffff

@nicoswd said:

Got root, but the hash in root.txt appears to be wrong? Wtffff

Type your comment> @TazWake said:

@nicoswd said:

Got root, but the hash in root.txt appears to be wrong? Wtffff

Magic - #422 by TazWake - Machines - Hack The Box :: Forums

Thank you! I’ll try that ?

EDIT: That did it, thanks!

Type your comment> @TazWake said:

@shinjikun said:

rooted the box! but root.txt doesn’t seem to have the right Hash.
Did somebody experience the same Thing ?

Its a dynamic hash so chances are:

  1. the box reset between you getting the hash and submitting it.
  2. the hash you have was submitted before was recognised (I have no idea how the dynamic hashes work)
  3. somehow you ended with an old hash.

Its never happened to me so I have no idea what the solutions are but people have suggested resetting the box and re-rooting it so you know you have the right hash or wait a bit and try again.

At the very least this should be reported to HTB via Jira Jira Service Management - they cant fix the process if they don’t know it is broken.

Thanks you! Worked great!

id

uid=0(root) gid=0(root) groups=0(root),100(users)
Nice box!

every time a upload an image it says

what are you trying to do there

i tried png and jpg with and without a shell
any idea