This weeks post, as the title suggest, is my walk through of Pwnlab:init by Claor. This challenge is a boot2root with a single flag to capture. The goal is get into the system and gain root privileges. This was no easy task and I got stuck multiple times while going through this. But that’s the point of these challenges, to push yourself and learn new techniques.
So with the intro out of the way let’s get started.
First lets do an nmap scan of web server.
Ok so the scan revealed multiple things:
- A web site is being hosted on this machine.
- It has a mysql database.
- rpcbind is open.
So lets go and take a look at the site. It seems to be an image hosting server, you need an account to login and host files. Trying some basic SQL injection got me no where, so I whipped out nikto and scanned the server.
A couple of really interesting things came up with this scan as well:
- No XSS protection.
- /images directory.
- /config.php file found, which may contain passwords.
The XSS vulnerability can’t help us with this challenge so we’ll forget about it. But the image directory and config.php file are good starting points. After trying to find the specific php version the site was using, I decided to move on to specific exploit types. The page= variable in the URL, gave me the idea that the site may be vulnerable to some sort of injection. This lead me to Local File Inclusion (LFI).
Thanks to idontplaydarts, the filter command gave me the ability to download some files the system is hosting. So naturally I tried to get the config.php file.
This gave me a base64 encoded version of the config.php file. So now all I have to do is decode it and boom, their’s the password for mysql.
So let’s login to mysql and poke around.
And there they are, password hashes (or so I thought). After looking around trying to find what type of hash was being used I realized that the passwords weren’t hashed at all, just base64 encoded again (note the == at the end of each password). So decoding them got me the following:
Now I have three users to login as. Now how will I log in? I could cheat a little and just login from the vm, but that doesn’t sound like fun. So instead I opted to use the pentestmonkey reverse shell. I tried uploading the file straight to the server but that wouldn’t work.
So instead of guessing what file-types are accepted, I downloaded the upload page using the filter command. After decoding the page and browsing through it, some conditions had to be meet before the file was accepted and uploaded.
- It had to be a jpg,jpeg,gif or png file.
- The MIME type had to match.
- No multiple extensions, so no shell.php.gif
Once the file was accepted it would have its name replaced with an md5 version and upload to /upload directory. To get this to work take the reverse shell file, change the extension to .gif instead of .php and add GIF98 to the top of the file. Then upload the file to the server and browse to the /upload directory to see that the file has been uploaded.
After getting the file to upload, now I have to get it to execute. That is where I ran into a brick wall, I could not get it to execute. After hours of research and trying different things (using burpsuite to get it run as straight php, using null byte etc.) I decided to cheat and look at one of the solutions. It turns out the lang variable set in index.php is vulnerable to LFI. So after setting up netcat first (nc -lvp <port>) we can exploit the LFI. You also need to be logged in for this to work.
First install tamperdata ( I used tamperdata, it’s the easiest way, you could use burpsuite or zap as well). Then start tamperdata and refresh the page. It’ll ask you if you want to submit, abort or tamper, click tamper. Then in the cookie section, remove the everything and enter lang=../upload/<filename>, with filename being the name md5 version of uploaded shell name. Presto, now I have a reverse shell.
Cat the passwd file to see what users are available and there are the same users found in the mysql database. Now load up a shell with python -c “import pty;pty.spawn(‘/bin/sh’);”, su to user kent and enter the password we got before and boom we are in. Since this is a boot2root, lets see who has root privileges.
We’ll no surprise really, only one root user, root. After poking around for a while as user kent I found nothing so decided to try the next user down the list mike. However that was a no go.
Hmmm that’s a little suss. Lets try user kane.
Okay sweet we’re in as user kane, lets see what he has in his home directory. Whats msgmike? cat the file gives us a bunch of garbage, but looking at the permissions of the file you’ll notice an s variable. What’s that you ask? We’ll after a little research, it turns out to be the directories setgid (set group id) bit is set and executable.
Since it’s executable, I decided to run it.
Damn an error. But we now know that it needs cat to execute its contents. So cd into the tmp directory and echo “/bin/sh” > cat and chmod 777 cat to give it the right permissions. This again is where I ran into a brick wall and cheated a little. Turns out I needed to set the PATH correctly. So export PATH=.:$PATH fixed that. Then execute msgmike again and bam we become user mike.
cd to /home/mike and ls the directory we get msg2root. Hmm whats that? Again cating the file will only give you a screen full of garbage so using strings I was able to find out that it asks for some text, echo’s it back to the console and appends it to messages.txt. (strings prints out only the printable strings from a file).
Looking at the file permissions, it belongs to root as well.
Since the file does not validate the input, using ;/bin/sh returns a shell and since the file executes as root, the shell is also root.
Now that we have a root shell, cd into the root directory and cat flag.txt
And that’s it.
Overall this was a challenging vm for me, but so much fun and really learnt a lot in the process.
Thanks for reading through, until next time, stay classy.