explaingit

themursalin/magic_walkthrough

0 · Audience · developer · Complexity · 2/5 · Active · Setup · easy

TLDR

A markdown writeup of the Magic vulnerable practice box, covering nmap, SQL injection, PHP polyglot upload, MySQL credential reuse, and PATH abuse for root.

Mindmap

mindmap
  root((Magic-Walkthrough))
    Inputs
      Target IP
      Practice box
    Outputs
      Markdown report
      Step by step shell
    Use Cases
      Learn CTF techniques
      Study privilege escalation
      Practice SQL injection
    Tech Stack
      Markdown
      Nmap
      PHP
      MySQL

Things people build with this

USE CASE 1

Follow a step-by-step CTF report against the Magic practice box from nmap to root.

USE CASE 2

Study a real SQL injection bypass on a login form using an always-true username payload.

USE CASE 3

Learn the polyglot PHP PNG upload trick that bypasses naive file extension checks.

USE CASE 4

Study a PATH hijack against a setuid sysinfo binary to escalate from a local user to root.

Tech stack

Markdown · Nmap · PHP · MySQL · Linux

Getting it running

Difficulty · easy · Time to first run · 30min

This is a single markdown writeup, not runnable code; reproducing the attacks requires access to the Magic practice box on the relevant CTF platform.

In plain English

This repo is an educational walkthrough of how to attack a deliberately vulnerable practice machine called Magic, which is one of the boxes hosted on a hacking training platform. The author works through it like a security report, taking the reader from the first network scan all the way to taking over the machine as the root administrator, with every command, tool output, and explanation included. It is marked as Internal Use Only and presented as a personal writeup, not a tool or a library.

The walkthrough opens with port scanning using nmap, which finds only an SSH service and a web server running Apache on Ubuntu. The web server hosts a simple image portfolio site with a login page. The author bypasses that login using a textbook SQL injection trick, typing a magic value into the username field that makes the database always return true, and is dropped onto an upload page.

Next comes the file upload bypass. The upload only accepts images, but the filename check is sloppy: it looks at the end of the filename without rejecting filenames that also contain .php, and the server is misconfigured to run any file with .php anywhere in its name. The author builds a polyglot file called avatar.php.png, a real PNG image with a tiny PHP web shell hidden inside the raw bytes. Once uploaded and visited in a browser, this gives remote command execution as the web server user, which is then upgraded to a full interactive shell over the network.

From there the writeup walks through reading database credentials out of a config file called db.php5, dumping the database with mysqldump to recover a plaintext admin password, and reusing that same password to switch to the local user theseus.

The final step is escalating to root by abusing a setuid binary called sysinfo that calls helper commands like fdisk without giving their full path. The author places a fake fdisk script in a writable directory, prepends that directory to the PATH environment variable, and the privileged binary runs the fake script as root, handing back a root shell.

A final section reviews why the box was vulnerable in the first place, pointing at a permissive .htaccess override in the Apache configuration that weakened the PHP file handler check. The repo has zero stars and is just a single long markdown report rather than runnable code.
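A defender's-side check for the upload flaw described above, as an added example that is not code from the writeup or the box: it rejects a script extension anywhere in the filename instead of only inspecting the end, verifies the PNG magic bytes, flags embedded PHP tags, and stores the file under a server-generated name. The function names, extension lists and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png"}  # assumption: this form only accepts PNG
# Assumption: extensions a permissive handler rule might map to PHP.
SCRIPT_EXT = re.compile(r"^(php\d*|phtml|phar)$", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload (empty list means accept)."""
    problems = []
    # Drop any client-supplied directory part, then inspect every dot segment.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or parts[-1].lower() not in ALLOWED_EXT:
        problems.append("final extension is not an allowed image type")
    # The flawed check looked only at the end of the name; look at all segments.
    if any(SCRIPT_EXT.match(p) for p in parts[1:]):
        problems.append("script extension inside filename")
    if not data.startswith(PNG_MAGIC):
        problems.append("content does not start with PNG magic bytes")
    # Heuristic: a polyglot keeps valid magic bytes, so also look for PHP tags.
    lowered = data.lower()
    if b"<?php" in lowered or b"<?=" in lowered:
        problems.append("embedded PHP open tag in content")
    return problems


def safe_stored_name(data: bytes) -> str:
    """Server-generated name: the client's filename never reaches disk."""
    return hashlib.sha256(data).hexdigest() + ".png"


# Constructed sample inputs (not taken from the writeup).
CLEAN_PNG = PNG_MAGIC + b"\x00" * 32
POLYGLOT = PNG_MAGIC + b"\x00" * 32 + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for name, blob in [("photo.png", CLEAN_PNG), ("avatar.php.png", POLYGLOT)]:
        print(name, check_upload(name, blob) or "accepted",
              "->", safe_stored_name(blob))
```

Re-encoding the image server-side and serving uploads from a directory where the PHP handler is disabled remove the dependency on the tag heuristic.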

Copy-paste prompts

Prompt 1
Walk me through the Magic_Walkthrough report and summarize each phase from nmap to root in one paragraph each.
Prompt 2
Explain the avatar.php.png polyglot upload trick and why the Apache .htaccess override made it work.
Prompt 3
Show me the exact SQL injection payload used to bypass the login page and why it returns true.
Prompt 4
Help me reproduce the PATH hijack against the sysinfo setuid binary in my own lab environment.
Prompt 5
Turn the lessons from this writeup into a defensive checklist for an Apache plus PHP upload form.

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.