Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

PwnLab: init




Welcome to “PwnLab: init”, my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.
Difficulty: Low
Flag: /root/flag.txt


It looks like 2 well-known ports and 2 registered ports are open. I’ll start with the website on port 80 and try dirb and nikto to get some more information.


  • /login.php
  • /config.php
  • /index.php

I first checked the upload page, but it was protected by the login. Because I didn’t had any credentials, I tried to brute force my way in with the rockyou wordlist. But after some waiting, it turned up with nothing. In the meantime I tried to check out config.php, but that was also a dead-end. After looking at the URL, I noticed the use of the parameter ‘/?page=’. My first guess was to look for a path traversal weakness. Nothing. My second try was to get a LFI. I googled for some php exploits and stumbled onto https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ and http://securityidiots.com/Web-Pentest/LFI.

Local File Inclusion

After a few tries I finally discovered that I could use the PHP wrapper php://filter. Because the output is encoded using base64, I’ll need to decode the output.

This will let me to get the source of the PHP files on the server.
Time to load this up into burpsuite and let it do the heavy lifting. After looking at the found php pages, I got credentials from config.php.

From reading upload.php it was clear that there were some restrictions.
Only 4 file types were allowed:

Also there were MIME restrictions:

And finally the file isn’t allowed to have multiple file types:

When I read the index.php file it seemed that there was also a ‘lang’ parameter which possible had a LFI vulnerability. At this moment I don’t know if this can help me.


With the found credentials I logged in the MySQL server.

Uploading a dirty file

I try the first credentials in the list: kent.
Since I know the restrictions of the upload.php file, I know how to adjust my php file.
I tried to upload the file and change the header to both JPG as JPEG, but for some reason that didn’t work. Changing the header to GIF worked like a charm.

Reversed shell

Earlier I found a LFI vulnerability in the ‘lang’ parameter. Maybe I can use this to execute the uploaded php file. After altering the cookie to ‘lang=../../../../../../var/www/html/upload/f3035846cc279a1aff73b7c2c25367b9.gif’ I got my reversed shell.
First let’s get a TTY shell.

Looks like there are 4 users. One of them wasn’t in the MySQL database. ‘john’. Because I have the credentials of the 3 other users, I’ll log in with these.

A binary file named msgmike. When I run it I get:

So it runs cat, but without an absolute path. By adjusting PATH to ‘.’ it will let me run my own cat binary with ‘/bin/sh’ inside.

Another binary.

Alright. It echoes everything I feed it and run it as root.



This was an excellent challenge. The description said it was easy, but it gave me a run for my money (ok – it’s free – but you know what I mean).