PWNLAB: INIT Walkthrough
Welcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.
Enumeration
There is nothing more to enumerate on ports 111, 3306 and 41649.
More Enumeration…
- HTTP 80
- Nothing found manually in the page source or robots.txt.
- Nothing critical from Nikto.
- Gobuster output is given below.
Possible intrusion points:
- LFI
  - http://192.168.103.151/?page=login
  - http://192.168.103.151/?page=upload
- SQLi
- Malicious file upload
  - http://192.168.103.151/upload/
Finding POI (Point Of Intrusion)
We have 3 PHP files:
- upload.php — already accessible
- config.php
- login.php — already accessible
We need to try LFI here to read config.php. Going by the name, it most likely holds MySQL connection data, and it does:
<?php
// config.php as recovered through the LFI: database credentials in clear text
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
Let's decode the passwords (they are only base64-encoded):

| user | base64 value     | decoded password |
|------|------------------|------------------|
| kent | Sld6WHVCSkpOeQ== | JWzXuBJJNy       |
| mike | U0lmZHNURW42SQ== | SIfdsTEn6I       |
| kane | aVN2NVltMkdSbw== | iSv5Ym2GRo       |
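As an added example (not part of the original walkthrough): the values above are merely base64-encoded, so anyone who can read the Users database recovers every password with one call. The PHP below decodes the three values shown on this page and contrasts that with what the application should have stored, a salted slow hash produced by password_hash() and checked with password_verify(). Only the user names and values from the table above are used; nothing else is assumed.

```php
<?php
// Added example, not PwnLab code. The values are the ones recovered above.
$users   = explode(':', 'kent:mike:kane');
$encoded = explode(':', 'Sld6WHVCSkpOeQ==:U0lmZHNURW42SQ==:aVN2NVltMkdSbw==');

// base64 is an encoding, not a hash: it is fully reversible by design.
foreach (array_combine($users, $encoded) as $user => $b64) {
    printf("%s -> %s\n", $user, base64_decode($b64, true));
}

// What a stored credential should look like instead: a salted, slow hash
// that cannot be reversed, verified at login time rather than compared.
$hash = password_hash('JWzXuBJJNy', PASSWORD_DEFAULT);
var_dump(password_verify('JWzXuBJJNy', $hash));
var_dump(password_verify('wrong-guess', $hash));
```

A database dump of password_hash() output gives an attacker nothing they can log in with directly; the base64 column here gave up all three accounts immediately.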
Let’s try these credentials out:
Got access with kent:JWzXuBJJNy
You will get an error, since the upload form accepts only images.
I was able to get a file uploaded, but only in image format, so we need another way in. After going through the application for some time, I found that the index page can be used for injection: it includes a file whose name comes straight from the lang cookie.
<?php
// Multilingual. Not implemented yet.
// setcookie("lang", "en.lang.php");
if (isset($_COOKIE['lang']))
{
    // the cookie value is concatenated into the include path unchecked
    include("lang/" . $_COOKIE['lang']);
}
// Not implemented yet.
?>
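The include() above builds a path from the lang cookie, so any file the web server process can read becomes reachable through it (and the ?page= parameter listed earlier follows the same pattern). As an added example that is not the PwnLab source, the hardened form below uses the cookie value only as a key into an allow-list of known language files, so no attacker-controlled string ever reaches include(); the file names under lang/ are assumed for illustration.

```php
<?php
// Hardened replacement for the cookie-driven include (added example, not
// PwnLab code). The language files named here are assumed to exist.
$languages = [
    'en' => __DIR__ . '/lang/en.lang.php',
    'es' => __DIR__ . '/lang/es.lang.php',
];

// The cookie selects a key; its contents never become part of a path.
$requested = $_COOKIE['lang'] ?? 'en';
if (!array_key_exists($requested, $languages)) {
    // Unknown or tampered value: fall back, and record the attempt so that
    // traversal probes in the cookie show up in the error log.
    error_log('rejected lang cookie: ' . substr($requested, 0, 64));
    $requested = 'en';
}
include $languages[$requested];
```

Settings such as allow_url_include=Off and a tight open_basedir in php.ini limit how far a file-inclusion bug can be pushed, but they are defence in depth; the fix is that user input must never be spliced into an include path at all.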
Remember to set the magic bytes on the file so that it is accepted as an image. https://vk9-sec.com/local-file-upload-magic-byte-change-file-type/
Privilege Escalation
1. Log in as the user kane:iSv5Ym2GRo.
2. Run msgmike and we will see that cat is being executed. Hence, prepend /tmp to the PATH environment variable and place a file named cat there.
3. We will get access to mike.
4. ./msg2root is the file in mike's folder. It takes input from the user, so there is a possible command injection.
5. Input test;/bin/sh -> you will get root.