Pwn_init Walkthrough

First I ran netdiscover -r 192.168.0.0/24

Then an nmap scan: nmap -sV -Pn -vv -T4 -A -p- 192.168.0.133 --script=auth,brute,discovery,exploit,vuln -oN 192.168.0.133nmap.scan
Found a few open ports:

Info about the HTTP server; it looks like we found a login form

And some additional pages to try

RPC info

MySQL info. It looks like we got blocked from connecting to this host over port 3306. Maybe the accounts are false positives because of the lockout.

Nikto scan on the webserver. Something worth noting: we've detected the config.php file, but we're not able to access it 🙁

After browsing to the site, I was presented with the following:

When we browse to pages, we see the request change to page=login. Maybe we can get a different page to load for us, like config.php?

After browsing the internet for LFI potentials, I came across this article and technique I’ve never tried before:
https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/

The site basically says we can submit page=php://filter/"filterwepick"/resource="whatwewant.php" and have the request processed before any of the LFI checks (summarized)

I issued the following request via the browser: 192.168.0.133/?page=php://filter/convert.base64-encode/resource=config.php, but nothing happened…
Realizing that page=login refers to the login.php file, I removed .php from my request and…

We're presented with some base64 encoded text… Let's decode it with echo '<base64 text>' | base64 -d
Looks like we found some login credz, mysql credz at that 🙂

Because of my initial scans, I wasn't able to log into the MySQL server; I'd been blacklisted.

Looks like I have to reboot the VM and try again 🙁
Once the VM booted back up I issued "mysql -u root -p -h 192.168.0.133" and we connected!

After searching through the Users/users table we find the following usernames and pw's

These pw’s looked base64 encoded, so I ran them through base64:

JWzXuBJJNy
SIfdsTEn6I
iSv5Ym2GRo

I tried to login with Kent’s credentials and was presented with an upload form

I tried to upload a php-reverse-shell, but no luck at first. Let's try changing the extension.

I renamed my php file to php.jpg, but still no luck:

Since we have the ability to read files on the webserver, let's check the upload.php file. In Burp Suite:

/?page=php://filter/convert.base64-encode/resource=upload
I ran the text through base64 and it gave us the file's source. I checked the error we're getting; looks like I need to change my MIME type:

The file also says it's whitelisting the extensions jpg/jpeg/gif/png and will only accept one extension per file: substr_count($filetype, '/')>1
Looks like we have to upload a .jpg extension with php code
I tried to upload the new php-reverse-shell.jpg, but still no luck.

Looks like we’re going to have to try adding an image header to further convince the app the file is a legit picture.
From experience, GIF headers are the easiest to inject, starting the file with "GIF"

When I check the uploads dir, I find our file uploaded as "3208…" The first entry is another attempt

Now we need to find a way to "execute" this file.
Let’s continue using our enumeration method to view other config files, like index.php

There was a "/" in the code that was causing issues for me, but once we break up the text and run base64 we get the following:

From the first base64 dump, we can see the variable "lang" is being set by "en.lang.php". Maybe we can point lang at our reverse shell instead of en.lang.php; the include expects a .php file and may execute our payload 🙂
The lang variable wasn't included in my capture, but the course tells us the app expects the argument in a cookie. Let's put it there, point it at our uploads folder (../uploads/) and then specify our payload
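Both requests used above, the php://filter wrapper in page= and a path in the lang cookie, are easy to spot on the server side. The following is an added example (not code from the original post or the VM): it assumes an Apache log format that appends the Cookie header, uses constructed sample lines, and assumes the app only ships two-letter <xx>.lang.php files, so any other lang value is flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed LogFormat:
#   "%h [%t] \"%r\" %>s \"%{Cookie}i\""   (Cookie header appended so lang is visible)
SAMPLE_LOG = """\
192.168.0.10 [16/Jan/2010:10:00:01 +0000] "GET /?page=login HTTP/1.1" 200 "-"
192.168.0.10 [16/Jan/2010:10:00:05 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 "-"
192.168.0.10 [16/Jan/2010:10:00:09 +0000] "GET /?page=upload HTTP/1.1" 200 "PHPSESSID=abc; lang=../uploads/3208"
192.168.0.10 [16/Jan/2010:10:00:12 +0000] "GET /?page=php%3A%2F%2Ffilter/resource=index HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
# PHP stream wrappers that have no business in a page= parameter.
WRAPPER_RE = re.compile(r'\b(php|data|expect|phar|zip|glob)://', re.I)
# Assumed allowlist: the app only has <xx>.lang.php files, so lang must be two letters.
LANG_OK = re.compile(r'[a-z]{2}')


def scan_line(line):
    """Return a list of findings for one access-log line (empty if it looks benign)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    findings = []
    target = unquote(m['target'])  # decode %3A%2F%2F so URL-encoded wrappers are caught too
    if WRAPPER_RE.search(target):
        findings.append(f"{m['ip']}: stream wrapper in request target {target!r}")
    cookie = unquote(m['cookie'])
    for name, _, value in (c.strip().partition('=') for c in cookie.split(';')):
        if name == 'lang' and not LANG_OK.fullmatch(value):
            findings.append(f"{m['ip']}: lang cookie is not a language code {value!r}")
    return findings


def scan_log(text):
    """Scan a whole log; returns (line_number, finding) tuples."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in scan_line(line)]


if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

The lasting fix is on the application side: include pages from a fixed allowlist instead of building the path from page= or the cookie, since an allowlist also removes the file-upload trick that follows.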

Once I forwarded this traffic, I got a connection back to my Kali listener!

I upgraded my shell via Python: python -c 'import pty;pty.spawn("/bin/bash")'
Then I tried to su to the other accounts we found in MySQL, hoping for password reuse… Looks like kane is guilty!

I found a file in kane's home dir called msgmike. It's an ELF file with the setuid bit set (it executes as its owner, which is mike)

If I try and run the file, it looks for a file in Mike’s home dir, but can’t find it…

I searched the system for our setuid files:

Let's check out the file (strings msgmike) and see if it's making any system calls that we can hijack.
Not too far down the list, I noticed a "cat" call for a specific file

If I try to run the program it tells me the file doesn't exist (I don't have permission to access it)

Since the file msgmike is run as user "mike," and it's calling "cat", let's see if we can replace where cat is called from. When cat is run, it is looked up through our environment's PATH variable, which currently resolves it from /bin.
What if we call "cat" and have it run from the current directory 🙂
Let's create a file called "cat" in the tmp dir, and instead of performing "cat", we'll have it run /bin/sh to give us a shell. Also we'll give it execute permissions

Now we need to set our PATH environment variable to the current dir "/tmp". This tells the box to look for "cat" in /tmp, and the "cat" in /tmp executes a shell. Since the program runs as user mike, we should get a shell as mike!
After we execute the program we get a shell, but our commands are limited (because we changed our PATH). Once we have the shell, we reset the environment variable so programs are found in their normal dirs again. This lets us issue "id" and continue browsing the system!

After we browse to Mike’s home dir, we find another file

Let's run strings on this one as well. Looks like it's running another command to echo input to /root/messages.txt

This isn't a setuid example, so maybe we can append commands with ";" after this system call
Looks like we can inject commands, and they run as root (the owner of the file)

Since the program runs as root, let's upgrade /bin/sh by setting the setuid bit on it as owner root (chmod u+s /bin/sh)
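Both helpers fall to the same root cause: a privileged program hands a string to a shell, so the PATH lookup for "cat" and the ";" in the echoed message are both decided by the caller. The following is an added example (not the VM's binaries, which were only seen through strings) of how the two operations should be written instead: the file paths are assumptions, and Python scripts cannot be setuid, so this shows the pattern rather than a drop-in replacement.

```python
import re
import subprocess

# Fixed, minimal environment for anything a privileged program launches: a known
# PATH and nothing inherited from the caller, so a "cat" dropped in /tmp or an
# LD_PRELOAD set by the caller cannot be picked up.
SAFE_ENV = {"PATH": "/usr/bin:/bin"}

# Assumed paths; the real msgmike/msg2root targets were only inferred from strings.
MSG_FILE = "/home/mike/msg.txt"
MESSAGE_LOG = "/root/messages.txt"


def show_message(path=MSG_FILE):
    """What msgmike should do instead of system("cat ..."): run cat by absolute
    path, as an argv list (no shell), under SAFE_ENV. Returns (exit_code, stdout)."""
    proc = subprocess.run(["/bin/cat", path], env=SAFE_ENV,
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


# Characters we are willing to append; anything else (';', '|', '`', '$', newlines,
# ...) is rejected rather than being handed to a shell.
MESSAGE_OK = re.compile(r"[\w .,!?'-]{1,200}")


def append_message(message, log_path=MESSAGE_LOG):
    """What msg2root should do instead of system("echo %s >> /root/messages.txt"):
    validate the input and write it with open(), so there is no shell to inject into.
    Returns True if written, False if the message was rejected."""
    if not MESSAGE_OK.fullmatch(message):
        return False
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(message + "\n")
    return True


if __name__ == "__main__":
    print(show_message())                                       # (1, '') if the file is missing
    print(append_message("hello mike", "/tmp/messages-example.txt"))   # True
    print(append_message("hello; id", "/tmp/messages-example.txt"))    # False
```

A C implementation would use execve() with an absolute path and an explicit envp for the first helper, and open()/write() for the second, for the same reasons.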

Running /bin/sh provides us a shell with root privileges!

cd to root and cat the flag!
