This is a pretty cool, but easy, trick I learned today when working on a challenge. We've talked a bit about Magic Byte in the past when we did Networked on HTB.
Basically, it's a string that indicates a file type. You can check out a bunch of them here.
I was working on a challenge that required me to upload a file, but restricted me to certain image files. Unfortunately, GIF was not one of them, otherwise, I could have just appended GIF8; to the start of my webshell and called it good. That wasn't the case, and I had to figure out how to trick the target into accepting my file upload.
A bit of Google searching and I stumbled onto the the following post on Geeks for Geeks. The objective was different in that it discussed repairing a file with a corrupted magic number. However, it taught me the coolness of hexedit, which you can install with:
sudo apt-get install hexedit
In the following example, I have a text file called "tacos.txt.jpg". If I cat the file out, I see the actual text:
nux@KakaLinpoop:~/Documents/htb/boxes/magic/uploads$ cat tacos.txt.jpg Drink Pepsi. Pop Boxes. Drop Shells. Eat Tacos.
xxd | head results in the following:
nux@KakaLinpoop:~/Documents/htb/boxes/magic/uploads$ xxd tacos.txt.jpg | head 00000000: 0a44 7269 6e6b 2050 6570 7369 2e0a 506f .Drink Pepsi..Po 00000010: 7020 426f 7865 732e 0a44 726f 7020 5368 p Boxes..Drop Sh 00000020: 656c 6c73 2e0a 4561 7420 5461 636f 732e ells..Eat Tacos. 00000030: 0a
Then checking the filetype with file gives us:
nux@KakaLinpoop:~/Documents/htb/boxes/magic/uploads$ file tacos.txt.jpg tacos.txt.jpg: ASCII text
It's a text file. That's correct.
Now, based on what we know from Geeks for Geeks, a jpg file usually has one of the following magic numbers:
FFD8 FFDB or
FFD8 FFE1. When uploading our file, we just have to go with trial and error attempts. I had to try the first one, fail then try the second combination to make it work in the challenge I was working on.
Another useful post came from StackOverFlow. It pointed to a Wikipedia entry that said JPEG image files begin with
FFD8 and end with
FFD9. Now we know the bytes that start and end a valid jpg file. Let's apply it.
Creating a "jpeg" File
First, we run hexedit:
We see something like this:
hexedit lets us edit the file's hex. Let's change the first bytes and the last bytes as we saw above:
- First bytes will be:
- Last bytes will be:
It's a little difficult to tell here, but these are the first and last bytes. There's a wraparound and I've only cropped the relevant portion:
Now, when we run xxd, we see this:
nux@KakaLinpoop:~/Documents/htb/boxes/magic/uploads$ xxd tacos.txt.jpg 00000000: ffd8 ffdb 6e6b 2050 6570 7369 2e0a 506f ....nk Pepsi..Po 00000010: 7020 426f 7865 732e 0a44 726f 7020 5368 p Boxes..Drop Sh 00000020: 656c 6c73 2e0a 4561 7420 5461 636f 732e ells..Eat Tacos. 00000030: ffd9
If we check the filetype, we will see that it's a "jpeg":
nux@KakaLinpoop:~/Documents/htb/boxes/magic/uploads$ file tacos.txt.jpg tacos.txt.jpg: JPEG image data
This is great for bypassing file upload restrictions for uploading things like php webshells. It's a pretty cool trick, and it's really easy.