CTF: PwnLab Init Walkthrough

https://www.vulnhub.com/entry/pwnlab-init,158/

In this walkthrough I’ll be using Parrot OS. I’ll break down each vulnerability and explain it. The video won’t demonstrate all of the techniques that could have been applied, so I will also list the techniques I’ve learned from others.

Exploits / Techniques

  • Local File Inclusions (LFI)
  • Password Reuse
  • Privilege Elevation through compiled code
  • Remote Code Execution
  • Reverse Shell
  • Spawning Interactive Shells

Pre-Attack

NetDiscover

First, identify the virtual machine (VM) server using NetDiscover.

Discovering the PwnLab Init VM

Nikto

Use Nikto to scan the website for general information and exploits.

In the results below you can see that Nikto found the config.php file. We’ll pull the database credentials out of that file.

(nikto scan results)

Local File Inclusion

The code we will be exploiting is an include that appears to be meant to load a language file selected by a cookie. Comments in the code say it is unfinished.

PHP Base Filter

This exploit uses the php://filter/convert.base64-encode conversion filter. The filter runs before the file is included, and because it base64-encodes the file’s contents, the PHP source comes back as text instead of being executed. That lets us read files on the server before they are processed.

That lets us retrieve the configuration file, which contains the MySQL database connection details.

Uploading and Exploiting Using an Image

Create an image using vim and insert this into the .gif file.

Then upload the image and retrieve its path by right-clicking the image and inspecting it.

Using the console in Firefox I set the cookie so that the include loads the uploaded image. This gives us remote code execution.

/etc/passwd

Using the file inclusion we can enumerate the users on the host machine by reading /etc/passwd.
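The cookie-driven include described in the Local File Inclusion section, reconstructed as an added example beside a hardened version. This is not PwnLab’s source: the cookie name lang, the lang/ directory and the language allowlist are assumptions.

```php
<?php
// Added example, not PwnLab's own code. The page only describes the include
// (a language file chosen by a cookie), so the cookie name 'lang', the lang/
// directory and the allowlist below are assumptions.

// VULNERABLE: the cookie value is concatenated straight into include().
// A value like php://filter/convert.base64-encode/resource=config.php makes
// PHP return the base64-encoded source of config.php instead of running it
// (php://filter is a local wrapper, so allow_url_include=Off does not block
// it), and pointing the cookie at an uploaded .gif that contains PHP executes
// that PHP, which is the remote code execution used in the walkthrough.
function load_lang_vulnerable(): void
{
    if (isset($_COOKIE['lang'])) {
        include("lang/" . $_COOKIE['lang']);
    }
}

// HARDENED: the cookie only selects a key in a fixed allowlist, so no user
// input ever becomes part of the path handed to include(). Traversal, stream
// wrappers and uploaded files are all out of reach.
function resolve_lang_file($cookie): string
{
    $allowed = [
        'en' => __DIR__ . '/lang/en.php',   // assumed language files
        'fr' => __DIR__ . '/lang/fr.php',
    ];
    // PHP turns a cookie named lang[x] into an array, so check the type first.
    if (is_string($cookie) && array_key_exists($cookie, $allowed)) {
        return $allowed[$cookie];
    }
    return $allowed['en'];  // safe default for missing or unknown values
}

function load_lang_hardened(): void
{
    include(resolve_lang_file($_COOKIE['lang'] ?? null));
}
```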

Gaining Access to the MySQL Database

Reverse Shell

The reverse shell is accomplished through the local file inclusion vulnerability.

After Netcat is set up to listen on port 4444, paste the code below into the browser and it should pop a reverse shell.

Note: 192.168.0.15 is the virtual machine we are attacking. 192.168.0.14 is the host machine that I’m running Parrot OS on.

Spawn Interactive Shell

Privilege Elevation

This part is rather tricky. I had to have some help and followed Abatchy’s (Mohamed Shahat) technique on this one. His post is worth reading; he tries several other techniques and includes more information than this post.

https://www.abatchy.com/2016/11/pwnlab-init-walkthrough-vulnhub

Login as Kane

In Kane’s home folder there is a file called msgmike.

Inspecting the file shows that it runs something similar to “cat /home/mike/msg.txt”.

The actual exploit here is to create a shell script called cat and put its directory at the front of the exported PATH variable, so it runs instead of the system’s cat program. This needs to be done in Kane’s home folder.

Running it will return something funny like “bash: dircolors: command not found”.

Then you need to reset your export PATH variable.

Capture The Flag

(flag.txt)