First let's enumerate the machine with an nmap scan
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645572955430/1w2MaCxnf.png" alt="image.png" />
add the ip to the correct DNS as the box want in /etc/hosts file 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645573200662/_QC3TZYfv.png" alt="image.png" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645573247368/j5okH51r-.png" alt="image.png" />
as we can see is a simple site to convert .png to .jpg,
to began let's find a payload related to file upload 
after searchs i've find <a target="_blank" href="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png">this</a>
who using netcat to send the connection 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645574007013/iB1LwlNjF.png" alt="image.png" />
after uploading with receive the connection !
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645574112657/R3JQ89jjd.png" alt="image.png" />
and we can get the user flag will simply go to user folder
after searching trough many ways to privesc i've found that the machine has a weird port open 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645574506230/qAi0PafSV.png" alt="image.png" />
so lets make pivoting with chisel, after that we will simply get a shell and we will need to cat the /root/root.txt to get the root flag encoded in base64, juste decode it with cyberchef and here we go ! we are root

First let's enumerate the machine with an nmap scan


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645572955430/1w2MaCxnf.png)

add the ip to the correct DNS as the box want in /etc/hosts file 

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645573200662/_QC3TZYfv.png)


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645573247368/j5okH51r-.png)

as we can see is a simple site to convert .png to .jpg,
to began let's find a payload related to file upload 
after searchs i've find [this](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Upload%20Insecure%20Files/Picture%20Image%20Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png)
who using netcat to send the connection 

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645574007013/iB1LwlNjF.png)

after uploading with receive the connection !

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645574112657/R3JQ89jjd.png)
and we can get the user flag will simply go to user folder

after searching trough many ways to privesc i've found that the machine has a weird port open 

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645574506230/qAi0PafSV.png)
so lets make pivoting with chisel, after that we will simply get a shell and we will need to cat the /root/root.txt to get the root flag encoded in base64, juste decode it with cyberchef and here we go ! we are root

[THM] Magician box write-up ctf