
16: VM - Pwnlab :

Walkthroughs
1. https://alexsemaan.xyz/2017/02/20/vulnhub-pwnlabinit-walkthrough/
2. https://www.abatchy.com/2016/11/pwnlab-init-walkthrough-vulnhub.html
3. https://www.vulnhub.com/entry/pwnlab-init,158/

======


  • The page= variable in the URL gave me the idea that the site may be vulnerable to some sort of injection. This led me to Local File Inclusion (LFI).
  • None of these worked:
http://192.168.1.65/?page=/etc/passwd
http://192.168.1.65/?page=../../../../../../../etc/passwd
  (Since resource=config below hands back config.php, the include evidently appends .php to the page value, so a raw path such as /etc/passwd never resolves to an existing file.)
  • Yet, the following worked!
http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=config
http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=index
http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=upload

  • Access the above pages to get the base64 strings, then decode them to read the PHP source and understand the page logic: what is allowed and what is prohibited, so we can circumvent it instead of guessing. Refer to the abatchy.com link above.
  • Wrapping the target in php://filter/convert.base64-encode/ makes PHP read the .php file as data and return it base64-encoded, so we get the source back instead of the server executing it; decode the string with base64 -d on Kali.

config file info

<?php  
$server      = "localhost";  
$username = "root";  
$password = "H4u%QJ_H99";  
$database = "Users";  
?> 
Index file info
  • Since I got the MySQL user/password from the config file, let me log in with it.
  • Try show tables; and select * from users;
  • After looking around for what type of hash was being used, I realized the passwords weren't hashed at all, just base64-encoded again (note the == padding at the end of each password); base64 -d gives the cleartext.
  • Create a fake image file containing PHP code. Starting it with the GIF89a magic bytes gets it past the upload's image-type check.
  • We will try to upload a PHP reverse shell as a GIF file (php-reverse-shell-new.gif).
  • As soon as the file is uploaded, check the source of the page to get the file's new md5-hash name.
  • Start nc on Kali listening on the specific port you set in the reverse shell.
  • Go back and request the page one more time, but before submitting, intercept the request with Burp or Tamper Data and modify the cookie to "lang=../upload/a0f5d0df46973b02394476e49a87faa5.gif" (the index page includes the file named in the lang cookie, which is what makes the uploaded GIF run as PHP). When you hit OK or Forward in Burp Suite, it will get you a reverse session. One time I got the reverse session but didn't see a shell ($ prompt) and wasn't getting any response from pwd or whoami.


  • Use python -c 'import pty; pty.spawn("/bin/sh")' to spawn a proper terminal shell.
  • If the reverse shell worked as expected, you will have a shell by now with the web server's (www) privileges.
  • You can now su to kent with the decoded password and look around.
  • You will see a file under /kent which I haven't been able to open or run at this time.
  • Looked through the walkthroughs for privilege escalation.
Now we need to exploit the PATH. These links cover Linux privilege escalation and abusing users with '.' in their PATH:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation

http://www.dankalia.com/tutor/01005/0100501004.htm (info about having . in the PATH, and the countermeasure)

Looking at the permissions of the file you will notice an s where the execute bit would be. That is the set-id bit: the binary runs with its owner's identity rather than yours, and since running it turns us into mike, it is setuid mike. Running it directly did nothing useful, but we already know it calls cat to print its contents, by bare name rather than by absolute path, so the lookup goes through PATH. So cd into /tmp, echo "/bin/sh" > cat and chmod 777 cat to make it executable. I also had to set PATH correctly: export PATH=.:$PATH fixed that (note that . is the current directory, so this only works while you run msgmike from /tmp; export PATH=/tmp:$PATH works from anywhere). Then execute msgmike again and bam, we become user mike.



cd to /home/mike and ls the directory: we get msg2root. Hmm, what's that? Again, cat-ing the file only gives a screen full of garbage, so using strings (which prints only the printable strings in a file) I found that it asks for some text, echoes it back to the console and appends it to messages.txt. Looking at the file permissions, it belongs to root as well and carries the same s bit, so it runs as root.


Since the program does not validate the input and hands it to a shell to do the echo and append, entering ;/bin/sh ends the echo command and starts a shell; because the program executes as root, that shell is root too.





Following the PATH-order trick described at http://iotpentest.com/pwnlab-walk-through/, I was able to get root, but only by following the specific steps:
append a shell to the message to escalate my privilege to root, i.e. ; /bin/sh (with the semicolon; it didn't work without it).
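Both escalations above, the PATH hijack against msgmike and the ; injection against msg2root, come down to a privileged program shelling out with attacker-influenced input. The script below is an added example, not code from these notes or from the PwnLab VM: it stands in for each binary with a small shell script (the real ones are setuid ELFs, which a demo cannot reproduce), plants a fake cat that prints a marker instead of spawning /bin/sh, and shows each vulnerable form next to a hardened one. The file names, directory layout and the payload (touching a marker file) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): models the two setuid escalations
# on PwnLab with stand-in shell scripts so the mechanism can be run anywhere.
# Assumptions: msgmike runs "cat" by bare name (PATH lookup) and msg2root hands
# the typed message to a shell; the planted "cat" prints a marker instead of
# spawning /bin/sh so the result can be checked.
set -u

WORK=$(mktemp -d)
MSG_FILE="$WORK/msg.txt"
printf 'real\n' > "$MSG_FILE"

# --- msgmike stand-ins: bare "cat" (hijackable) vs absolute /bin/cat ---
MSGMIKE_VULN="$WORK/msgmike_vuln.sh"
cat > "$MSGMIKE_VULN" <<'EOF'
#!/bin/sh
cat "$1"
EOF
MSGMIKE_SAFE="$WORK/msgmike_safe.sh"
cat > "$MSGMIKE_SAFE" <<'EOF'
#!/bin/sh
/bin/cat "$1"
EOF

# --- msg2root stand-ins: message spliced into a shell command vs written as data ---
MSG2ROOT_VULN="$WORK/msg2root_vuln.sh"
cat > "$MSG2ROOT_VULN" <<'EOF'
#!/bin/sh
read -r msg
sh -c "/bin/echo $msg >> $1"
EOF
MSG2ROOT_SAFE="$WORK/msg2root_safe.sh"
cat > "$MSG2ROOT_SAFE" <<'EOF'
#!/bin/sh
read -r msg
printf '%s\n' "$msg" >> "$1"
EOF

# Attacker-controlled directory with a fake "cat", like /tmp/cat in the notes.
EVIL="$WORK/evil"
mkdir -p "$EVIL"
printf '#!/bin/sh\necho HIJACKED\n' > "$EVIL/cat"
chmod 755 "$MSGMIKE_VULN" "$MSGMIKE_SAFE" "$MSG2ROOT_VULN" "$MSG2ROOT_SAFE" "$EVIL/cat"

# PATH hijack: the writable dir goes first, as "export PATH=.:$PATH" does from /tmp.
path_hijack_vulnerable() {
    PATH="$EVIL:$PATH" "$MSGMIKE_VULN" "$MSG_FILE"     # prints HIJACKED
}
path_hijack_hardened() {
    PATH="$EVIL:$PATH" "$MSGMIKE_SAFE" "$MSG_FILE"     # prints real
}

# Command injection: the ';' ends the echo command and starts our own.
# Prints "injected" if the payload's touch ran, "safe" otherwise.
_inject() {
    prog=$1; marker=$2; log=$3
    printf 'hi; touch %s\n' "$marker" | "$prog" "$log" >/dev/null
    if [ -e "$marker" ]; then echo injected; else echo safe; fi
}
cmd_injection_vulnerable() {
    _inject "$MSG2ROOT_VULN" "$WORK/pwned_vuln" "$WORK/messages_vuln.txt"
}
cmd_injection_hardened() {
    _inject "$MSG2ROOT_SAFE" "$WORK/pwned_safe" "$WORK/messages_safe.txt"
}
```

Two details worth noticing: the hardened msgmike survives the same poisoned PATH only because it names /bin/cat absolutely, and the hardened msg2root never re-parses the message as shell, so the line "hi; touch ..." lands in messages.txt as literal text. The same split (absolute paths or a sanitized PATH; data written with printf or fputs rather than passed through sh -c) is what closes both holes in a real setuid program.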
