Vulnhub-Pwnlab:Init walkthrough

This week's post, as the title suggests, is my walkthrough of Pwnlab:init by Claor. This challenge is a boot2root with a single flag to capture. The goal is to get into the system and gain root privileges. This was no easy task and I got stuck multiple times while going through it. But that's the point of these challenges: to push yourself and learn new techniques.

So with the intro out of the way, let's get started.

First let's do an nmap scan of the web server.

OK, so the scan revealed multiple things:

  1. A web site is being hosted on this machine.
  2. It has a mysql database.
  3. rpcbind is open.

So let's go and take a look at the site. It seems to be an image hosting server; you need an account to log in and host files. Trying some basic SQL injection got me nowhere, so I whipped out nikto and scanned the server.

A couple of really interesting things came up with this scan as well:

  1. No XSS protection.
  2. /images directory.
  3. /config.php file found, which may contain passwords.

The XSS vulnerability can't help us with this challenge, so we'll forget about it. But the image directory and the config.php file are good starting points. After trying to find the specific PHP version the site was using, I decided to move on to specific exploit types. The page= variable in the URL gave me the idea that the site may be vulnerable to some sort of injection. This led me to Local File Inclusion (LFI).

Thanks to idontplaydarts, the php://filter wrapper gave me the ability to download some of the files the system is hosting. So naturally I tried to get the config.php file.

(The request parameter used: page=php://filter/convert.base64-encode/resource=config)

This gave me a base64 encoded version of the config.php file. So now all I have to do is decode it and boom, there's the password for MySQL.

So let's log in to MySQL and poke around.

And there they are, password hashes (or so I thought). After looking around trying to find what type of hash was being used, I realised that the passwords weren't hashed at all, just base64 encoded again (note the == at the end of each password). So decoding them got me the following:
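The point above is worth turning into something a reviewer of a login database can run. The following Python is an added example, not code from the VM or from this post: an audit check that tells a base64-wrapped password (decodes to readable text) apart from a real digest, next to the storage scheme the site should have used (salted PBKDF2-HMAC-SHA256 with the parameters stored in the record). The sample values are constructed here; the walkthrough's actual credentials are not reproduced.

```python
import base64
import binascii
import hashlib
import hmac
import os
import string

# Characters a decoded password would plausibly consist of; a real digest
# decodes (if it decodes at all) to bytes that are almost never all printable.
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_base64_plaintext(stored: str) -> bool:
    """Audit check: does a 'hash' column actually hold base64 of readable text?

    The trailing '=' padding noticed in the walkthrough is a common tell, but
    the decisive test is whether the decoded bytes are ordinary printable text.
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False          # not valid base64 at all (e.g. a '$'-delimited record)
    if not raw:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False          # decodes to binary, so probably a genuine digest
    return all(ch in _PRINTABLE for ch in text)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries its own salt and cost."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False          # malformed record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: what the site stored versus what it should have stored.
    stored_by_site = base64.b64encode(b"Sample-Password-1").decode("ascii")
    print(stored_by_site, "->", looks_like_base64_plaintext(stored_by_site))
    record = hash_password("Sample-Password-1")
    print(record, "->", looks_like_base64_plaintext(record), verify_password("Sample-Password-1", record))
```

The iteration count is deliberately high for interactive logins; lower it only for tests. Because the record embeds its own cost, old records can be re-hashed on next successful login when the parameter is raised.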

Now I have three users to log in as. But how will I log in? I could cheat a little and just log in from the VM console, but that doesn't sound like fun. So instead I opted to use the pentestmonkey PHP reverse shell. I tried uploading the file straight to the server, but that wouldn't work.

So instead of guessing what file types are accepted, I downloaded the upload page using the same php://filter trick. After decoding the page and browsing through it, I found that some conditions had to be met before a file was accepted and uploaded:

  1. It had to be a jpg, jpeg, gif or png file.
  2. The MIME type had to match.
  3. No multiple extensions, so no shell.php.gif.

Once a file was accepted, its name would be replaced with an MD5 hash and it would be uploaded to the /upload directory. To get this to work, take the reverse shell file, change the extension from .php to .gif and add GIF98 to the top of the file. Then upload the file to the server and browse to the /upload directory to see that it has been uploaded.

After getting the file to upload, I now had to get it to execute. That is where I ran into a brick wall: I could not get it to execute. After hours of research and trying different things (using burpsuite to get it to run as straight PHP, using a null byte, etc.) I decided to cheat and look at one of the solutions. It turns out the lang variable set in index.php is vulnerable to LFI. So after setting up netcat first (nc -lvp <port>) we can exploit the LFI. You also need to be logged in for this to work.

First install tamperdata (I used tamperdata because it's the easiest way, but you could use burpsuite or zap as well). Then start tamperdata and refresh the page. It'll ask you if you want to submit, abort or tamper; click tamper. Then in the cookie section, remove everything and enter lang=../upload/<filename>, with filename being the MD5 name the uploaded shell was given. Presto, now I have a reverse shell.
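Both the page= parameter (read with php://filter above) and the lang cookie (used to include the uploaded file) are the same bug: a request value is handed to include() as a path. The fix is not a better upload filter, since the uploaded GIF-with-PHP was valid as an image; it is to never build an include path from user input. The following Python is an added example that is not part of this post or of the VM: a resolver that only accepts allowlisted names and assembles the filename itself. ALLOWED_PAGES, ALLOWED_LANGS and WEB_ROOT are constructed assumptions standing in for the site's real views and language files.

```python
import os
import re
from typing import Optional

# Constructed allowlists standing in for a site like the one in the walkthrough:
# page= may only select one of these views and the lang cookie one of these
# language files. Nothing on disk is ever named by the raw parameter.
ALLOWED_PAGES = {"home", "login", "upload"}
ALLOWED_LANGS = {"en", "fr"}

# Hypothetical web root, only used to build the final path.
WEB_ROOT = "/var/www/html"

# Stream wrappers (php://, data:, ...) and traversal components have no business
# in an include parameter; they are rejected before any lookup happens.
_WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # php://filter/..., data:...
_TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")    # a bare '..' path component


def classify(value: str) -> str:
    """Name the first reason a raw include parameter is unsafe, or 'ok'.

    Useful on its own for logging why a request was refused.
    """
    if "\x00" in value:
        return "null byte"
    if _WRAPPER_RE.match(value):
        return "stream wrapper"
    if _TRAVERSAL_RE.search(value):
        return "path traversal"
    if "/" in value or "\\" in value:
        return "path separator"
    return "ok"


def resolve_include(kind: str, value: str) -> Optional[str]:
    """Map a page= or lang= value to a file under WEB_ROOT, or None if rejected.

    kind is "page" or "lang". The value is only compared against the allowlist;
    the filename is assembled from the matching entry, so neither
    php://filter/convert.base64-encode/resource=config nor ../upload/<name>
    can ever reach the include.
    """
    if classify(value) != "ok":
        return None
    if kind == "page" and value in ALLOWED_PAGES:
        return os.path.join(WEB_ROOT, value + ".php")
    if kind == "lang" and value in ALLOWED_LANGS:
        return os.path.join(WEB_ROOT, "lang", value + ".php")
    return None


if __name__ == "__main__":
    for kind, value in [("page", "login"),
                        ("page", "php://filter/convert.base64-encode/resource=config"),
                        ("lang", "en"),
                        ("lang", "../upload/EXAMPLE_MD5_NAME")]:
        print(kind, repr(value), "->", classify(value), resolve_include(kind, value))
```

The syntax checks in classify() are defence in depth; the allowlist membership test alone already refuses everything that is not a known view, and logging the classification gives the blue team a clean signal when someone probes the parameter.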

Cat the passwd file to see what users are available, and there are the same users found in the MySQL database. Now load up a proper shell with python -c "import pty;pty.spawn('/bin/sh');", su to user kent, enter the password we got before and boom, we are in. Since this is a boot2root, let's see who has root privileges.

Well, no surprise really, only one root user: root. After poking around for a while as user kent I found nothing, so I decided to try the next user down the list, mike. However, that was a no go.

Hmmm, that's a little suss. Let's try user kane.

Okay, sweet, we're in as user kane. Let's see what he has in his home directory. What's msgmike? Running cat on the file gives us a bunch of garbage, but looking at the permissions of the file you'll notice an s in place of the usual x. What's that, you ask? Well, after a little research, it turns out that the setgid (set group id) bit is set and the file is executable.

Since it’s executable, I decided to run it.

Damn, an error. But we now know that it needs cat to display its contents. So cd into the tmp directory, echo "/bin/sh" > cat and chmod 777 cat to give it the right permissions. This again is where I ran into a brick wall and cheated a little. Turns out I needed to set the PATH correctly, so export PATH=.:$PATH fixed that. Then execute msgmike again and bam, we become user mike.

cd to /home/mike and ls the directory and we get msg2root. Hmm, what's that? Again, cat-ing the file will only give you a screen full of garbage, so using strings I was able to find out that it asks for some text, echoes it back to the console and appends it to messages.txt. (strings prints out only the printable strings from a file.)

Looking at the file permissions, it belongs to root as well.

Since the program does not validate its input, entering ;/bin/sh returns a shell, and since the program executes as root, the shell is also root.
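The two privilege escalations above (msgmike trusting the caller's PATH to find cat, and msg2root passing the typed message through a shell) are both avoidable by how a privileged helper invokes other programs. The following Python is an added example, not the VM's binaries or any code from this post: a helper that names its child by absolute path, replaces the inherited environment instead of passing it on, and appends the message with plain file I/O so that no shell ever sees it. CAT, SAFE_ENV and the mailbox path are constructed assumptions.

```python
import os
import subprocess
from typing import Dict, List, Tuple

# Constructed values for the demonstration; the VM's real programs and message
# files are not reproduced here.
CAT = "/bin/cat"
SAFE_ENV: Dict[str, str] = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def build_cat_command(target: str) -> Tuple[List[str], Dict[str, str]]:
    """Argument vector and environment for reading a file from a privileged helper.

    Two choices close the hole used against msgmike: the child is named by an
    absolute path, so a 'cat' dropped in the caller's current directory is never
    found, and the environment is replaced rather than inherited, so the
    caller's PATH=.:$PATH has no effect on what runs.
    """
    if not os.path.isabs(target):
        raise ValueError("target must be an absolute path")
    # '--' stops a file name beginning with '-' from being parsed as an option.
    return [CAT, "--", target], dict(SAFE_ENV)


def read_file_as_helper(target: str) -> str:
    """Run cat the safe way and return what it printed."""
    argv, env = build_cat_command(target)
    # argv goes straight to execve; no shell is involved at any point.
    completed = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return completed.stdout


def append_message(message: str, mailbox: str) -> str:
    """The msg2root job done without a shell.

    The text is written with ordinary file I/O, so a ';', a backtick or a
    '$(...)' in the message is just bytes in the file, and the value echoed
    back to the caller is the same data.
    """
    if "\n" in message or "\x00" in message:
        raise ValueError("message must be a single line")
    with open(mailbox, "a", encoding="utf-8") as fh:
        fh.write(message + "\n")
    return message


if __name__ == "__main__":
    import tempfile
    box = os.path.join(tempfile.mkdtemp(), "messages.txt")
    print(append_message("hello ;/bin/sh", box))   # stays literal text
    print(read_file_as_helper(box), end="")
```

A real setuid or setgid helper written in C follows the same rules with execve() and an explicit envp, and additionally drops privileges it does not need before doing anything else.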

Now that we have a root shell, cd into the root directory and cat flag.txt.

And that’s it.

Overall this was a challenging VM for me, but so much fun, and I really learnt a lot in the process.

Thanks for reading through, until next time, stay classy.

Vulnhub-Mr.Robot

I know it's been a while since I last posted, but I've been super busy with work, uni and life in general. Now that everything has settled down (for the moment) it's time to get back to posting on a regular basis. This post, as the title suggests, is a walkthrough for the Mr.Robot CTF created by the user Jason. I didn't find this challenge too difficult, but I did need some help at certain points. Enough rambling, let's get started.

For this CTF there are 3 flags to capture, with each one increasing in difficulty. First off, let's scan the VM with nmap. (nmap <ip-address> -p- -sSVC -A)

As you can see, ports 80 and 443 are open, meaning there's a website being hosted. Navigating to it reveals that it's just the promotional site used for the show Mr.Robot. After going through the site and getting nothing out of it, I decided to scan it using nikto. (nikto -host <ip address>)

Hey, what's this, robots.txt? Let's take a look.

JACKPOT!!

Found key 1: 073403c8a58a1f80d943455fb30724b9.

Looking into fsocity.dic, it looks like a dictionary file used for brute forcing login pages. Looking closely at the nikto output, the WordPress login page is found. Knowing that this VM is based on the show, I started manually typing in character names as usernames. Lo and behold, username elliot works (that saved me some time brute forcing the username).

Now that we have a username, I used wpscan to brute force the login page with the dictionary file we got earlier. (wpscan --url <ip address> --username elliot --wordlist fsocity.dic). This attack will take some time, so you might want to do something else while you wait. After wpscan is done, it should spit out the password ER28-0652 (FYI, it's elliot's badge number, so not at all safe).
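A dictionary attack like the one above is loud in the web server's access log: one source address sending many POST requests to wp-login.php in a short time. WordPress re-renders the login form with status 200 on a failed login and answers a successful one with a 302 redirect, so the two outcomes can be told apart without the body. The following Python is an added example that is not part of this post or of the VM: a detector that parses Apache combined-format lines and reports sources whose failed login POSTs in any five-minute window exceed a threshold, noting whether a redirect (likely success) followed. The log lines are constructed, and the threshold and window are tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), _TS_FMT)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_login_bursts(lines: List[str], threshold: int = 10,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[int, bool]]:
    """Map each offending source ip to (max failed POSTs in one window, redirect seen).

    A failed WordPress login is a 200 (form shown again); a 302 after a burst
    of 200s is the signature of a guess that finally worked.
    """
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path == "/wp-login.php":
            events[ip].append((ts, status))

    findings: Dict[str, Tuple[int, bool]] = {}
    for ip, ev in events.items():
        ev.sort()
        best, start = 0, 0
        for end in range(len(ev)):            # sliding window over sorted events
            while ev[end][0] - ev[start][0] > window:
                start += 1
            fails = sum(1 for _, status in ev[start:end + 1] if status == 200)
            best = max(best, fails)
        if best >= threshold:
            findings[ip] = (best, any(status == 302 for _, status in ev))
    return findings


def _stamp(dt: datetime) -> str:
    return dt.strftime(_TS_FMT)


def make_sample_log() -> List[str]:
    """Constructed access-log lines: one source hammering wp-login.php, one normal user."""
    base = datetime(2016, 7, 12, 21, 14, 0, tzinfo=timezone.utc)
    post = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3852 "-" "Mozilla/5.0"'
    lines = [post.format(ip="10.0.0.5", ts=_stamp(base + timedelta(seconds=i)), status=200)
             for i in range(12)]                                   # twelve failures in twelve seconds
    lines.append(post.format(ip="10.0.0.5", ts=_stamp(base + timedelta(seconds=12)), status=302))
    lines.append(post.format(ip="10.0.0.9", ts=_stamp(base + timedelta(minutes=3)), status=200))
    lines.append(post.format(ip="10.0.0.9", ts=_stamp(base + timedelta(minutes=3, seconds=20)), status=302))
    lines.append('10.0.0.9 - - [12/Jul/2016:21:18:00 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, (count, redirected) in detect_login_bursts(make_sample_log()).items():
        print(f"{ip}: {count} failed logins in one window; success seen: {redirected}")
```

The same shape works for xmlrpc.php, which wordlist tools also use for password guessing; add it to the path test. A burst with no trailing 302 still deserves a look, but a burst followed by one is the case to treat as an account compromise.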

After logging in to the site and poking around, I found nothing of use. This is where I got stuck, so I ended up using Snooze Security's video to get to the next step (he also had some great links in the description that I used later on). Basically he used the pentest monkey reverse shell to get into the system, but make sure you add the following to the top of the PHP file, edit it with your machine's IP address and the port you want to use, zip it and upload it through the WordPress plugin section:

/*
Plugin Name: reverse shell
Plugin URI: https://google.com
Description: reverse shell
Version: 1
Author: reverse shell
Author URI: https://google.com
Text Domain: reverse
Domain Path: /shell
*/

Source for the above: http://pastebin.com/GMwhCDtm, credit goes to Snooze Security.

Now that the file is uploaded, don't click activate just yet; you need to set up netcat to listen for incoming traffic on the port you specified in the file with the following command: nc -vlp <port number>.

Once set up, hit activate; netcat should have been triggered and you now have a reverse shell. If for whatever reason netcat loses the connection, just run the command again and refresh the web page.

After again snooping around the system, I came across the robot directory with key-2-of-3.txt and password.raw-md5. Using cat on the key gave me permission denied, but not on the password file.

Copying that hash and pasting it into Google, the first link gave me abcdefghijklmnopqrstuvwxyz as the password.

(source: md5hashing)

Sweet, now that I have the password, let's switch to user robot.

Nope, not going to be that easy.

After researching how to spawn a terminal from a shell, pentest monkey came to the rescue again. Spawn a terminal with the python command python -c "import pty;pty.spawn('/bin/sh');".

Now we switch user, enter the password (also change the password to something easier to type) and boom, we are now user robot. Cat the key file and we are almost done.

Key 2: 822c73956184f694993bede3eb39f959.

Now on to key 3. Using the find command gave me nothing, so I now have to manually search through the directories to find key 3. I did so until I ran into the root folder, which did not let me in. So now I have to escalate my privileges to root to gain access to the directory. After trying a bunch of the commands from Reboot user, I came across one that worked, nmap --interactive, which you can read more about here. From what I understand it's an interactive shell that you can pass nmap commands into.

After launching the interactive command, enter h and it will give you the help screen. ! gives the user the ability to pass shell commands, so why not just launch a shell with !sh. With that we are now root. cd into the root directory and cat the final key.

Key 3: 04787ddef27c3dee1ee161b21670b4e4.

That's it for this VM. It was so much fun doing this and it taught me a lot of new tricks that I'll use in other CTFs.

Until next time, stay classy internet.