Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

PwnLab: init

Location

https://download.vulnhub.com/pwnlab/pwnlab_init.ova

Description

Welcome to “PwnLab: init”, my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.
Difficulty: Low
Flag: /root/flag.txt

Enumeration

[screenshot: nmap scan results]
It looks like 2 well-known ports and 2 registered ports are open. I’ll start with the website on port 80 and try dirb and nikto to get some more information.

[screenshot: nikto scan results]

  • /login.php
  • /config.php
  • /index.php

I first checked the upload page, but it was protected by the login. Because I didn’t have any credentials, I tried to brute-force my way in with the rockyou wordlist, but after some waiting it turned up nothing. In the meantime I checked out config.php, but that was also a dead end. After looking at the URL, I noticed the use of the parameter ‘/?page=’. My first guess was to look for a path traversal weakness. Nothing. My second try was to get an LFI. I googled for some PHP exploits and stumbled onto https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ and http://securityidiots.com/Web-Pentest/LFI.

Local File Inclusion

After a few tries I finally discovered that I could use the PHP wrapper php://filter. Because the output is encoded using base64, I’ll need to decode the output.

This let me get the source of the PHP files on the server.
[screenshot: php://filter request via the page parameter]
Time to load this up into Burp Suite and let it do the heavy lifting. After looking at the PHP pages that were found, I got credentials from config.php.
[screenshot: Burp Repeater]

From reading upload.php it was clear that there were some restrictions.
Only 4 file types were allowed:

Also there were MIME restrictions:

And finally the file isn’t allowed to have multiple file types:

When I read the index.php file, it seemed that there was also a ‘lang’ parameter which possibly had an LFI vulnerability. At this moment I don’t know if this can help me.

MySQL

With the found credentials I logged in to the MySQL server.

Uploading a dirty file

I try the first credentials in the list: kent.
[screenshot: upload page]
Since I know the restrictions of the upload.php file, I know how to adjust my PHP file.
I tried to upload the file with the header changed to both JPG and JPEG, but for some reason that didn’t work. Changing the header to GIF worked like a charm.
[screenshot: upload of the GIF-headed shell]

Reverse shell

Earlier I found an LFI vulnerability in the ‘lang’ parameter. Maybe I can use this to execute the uploaded PHP file. After altering the cookie to ‘lang=../../../../../../var/www/html/upload/f3035846cc279a1aff73b7c2c25367b9.gif’ I got my reverse shell.
[screenshot: reverse shell]
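As an added, defender-side example (not part of the original writeup), here is a small Python scanner that flags the two include vectors used in this walkthrough: a stream wrapper or path traversal in the ‘page’ query parameter, and the same in the ‘lang’ cookie. The log format and every entry in it are constructed for the example; a real web server log would need its own regex.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log (not real traffic). Format per line:
#   client "METHOD target" status "Cookie header"
SAMPLE_LOG = """\
10.0.0.5 "GET /?page=login" 200 "lang=en"
10.0.0.7 "GET /?page=php://filter/convert.base64-encode/resource=config" 200 "lang=en"
10.0.0.7 "GET /?page=../../../../etc/passwd" 200 "lang=en"
10.0.0.7 "GET /?page=login" 200 "lang=../../../../../../var/www/html/upload/f3035846cc279a1aff73b7c2c25367b9.gif"
10.0.0.9 "GET /index.php" 200 "lang=nl"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$')

# The application includes files based on these two user-controlled values.
INCLUDE_PARAMS = ("page", "lang")

def classify_value(value):
    """Return the reasons a value handed to include() looks hostile (empty if clean)."""
    v = unquote(value).lower()          # catch %2e%2e-style encoding too
    reasons = []
    if re.match(r'^[a-z][a-z0-9+.-]*:', v):   # php://filter, data:, expect:// ...
        reasons.append("stream wrapper")
    if "../" in v or "..\\" in v:
        reasons.append("path traversal")
    if "/upload/" in v:                 # include pointed at the user upload directory
        reasons.append("include of upload dir")
    return reasons

def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {k: v for k, _, v in pairs}

def scan_log(text):
    """Yield (client, parameter, value, reasons) for every suspicious include value."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        cookies = parse_cookie(m["cookie"])
        for name in INCLUDE_PARAMS:
            values = query.get(name, []) + ([cookies[name]] if name in cookies else [])
            for val in values:
                reasons = classify_value(val)
                if reasons:
                    hits.append((m["ip"], name, val, reasons))
    return hits
```

The same classify_value check, applied server-side before the include() call (or better, replaced by an allowlist of page names), is what closes both the ‘page’ and the ‘lang’ vector.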
First let’s get a TTY shell.

Looks like there are 4 users. One of them, ‘john’, wasn’t in the MySQL database. Because I have the credentials of the 3 other users, I’ll log in with those.

A binary file named msgmike. When I run it I get:

So it runs cat, but without an absolute path. By setting PATH to ‘.’, it will run my own cat binary instead, which contains ‘/bin/sh’.

Another binary.

Alright. It echoes everything I feed it and runs it as root.

[screenshot: flag]

Conclusion

This was an excellent challenge. The description said it was easy, but it gave me a run for my money (ok – it’s free – but you know what I mean).