Friday, June 15, 2018

PwnLab: init


PWNLAB: INIT

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine PwnLab: init

PwnLab: init can be downloaded from here:

https://www.vulnhub.com/entry/pwnlab-init,158/


- Once downloaded and extracted with VirtualBox:





2 - ENUMERATION


- Using netdiscover to find the presence of host 192.168.1.21 that corresponds to the vulnerable machine PwnLab: init






- Scanning with nmap:




- Launching nikto against the host we find two interesting files, the first one config.php may contain a database credentials:







- dirb scans the website:






- Connecting with the browser:




- There is a login page:








- There is also an upload page that can be use once logged in:




3 - EXPLOITATION


3.1 - Local File Inclusion

- At this point, let's try an LFI attack by using curl and php://filter to find out data inside the web pages.

- About PHP filters:

http://php.net/manual/en/wrappers.php.php




- Following directions in these examples:

https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/

https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/

'... This forces PHP to base64 encode the file before it is used in the require statement. From this point its a matter of then decoding the base64 string to obtain the source code for the PHP files ..."

- Starting with login page:




- Same thing for upload:






Same thing for index:

- Same thing for config:




- Decoding the outputs with:

https://www.base64encode.org/




- config.php gives us the credentials for a database:




- login.php refers to the previous database and the file config.php:




- upload.php tells us that the uploaded files must be images of extensions .jpg, .jpeg, .gif,.png and MIME content-type:







- index.php reveals the presence of the parameter lang as a cookie with the include function, what could carry crafted content for our purposes:






3.2 - Exploring the database

- Let's exploit the database using credentials revealed at config.php:




- Searching for databases:





- Using Users:




- Showing the tables:




- Selecting from users we discover the existance of the users kent, mike, kane and their passwords encoded with Base64:




- Decoding the passwords:

https://www.base64encode.org/




3.3 - Uploading a PHP script to achieve a shell

- Now let's use the credentials to access the upload page:









- Let's try to upload the php-reverse-shell.php script provided by Kali. 

- Copying it to a working directory:




- Renaming with a .gif extension:




- Opening and adapting the exploit image.gif to our needs.

- On the one hand:





https://en.wikipedia.org/wiki/Magic_number_(programming)
https://en.wikipedia.org/wiki/GIF


- On the other hand:




- Using kent to login:




- Uploading image.gif:








- Viewing the source we see that the file is stored as a md5 hash:




- Crafting the lang cookie by including the image:




- Opening Burp and intercepting a new upload:







- Now, the PHPSESSID cookie must be erased and replaced with the crafted one carrying the reverse shell script stored at /upload:







- Setting a listening session with netcat:




- The moment we Forward the request a limited shell is successfully achieved:












4 - PRIVILEGE ESCALATION

- First, let's start by importing a better shell:



- Checking /home directory:




- Changing to kane:






- There is a file called msgmike:




- Trying to read its content, we discover that it is an executable file:







- Running ./msgmike it reveals the presence of another msg.txt at mike's home folder, but the cat command fails to find and open it because is called without full path:




- The explanation could be that there is SUID (Set Owner User ID) on the file msgmike for access permission, so owner permissions about the file would be achieved when executing the program:

https://www.linux.com/blog/what-suid-and-how-set-suid-linuxunix

- A solution is to create a new cat, modifying the environment variable PATH (changing order of execution) for the new cat so that mike can execute /bin/bash


- Following these directions:

http://www.dankalia.com/tutor/01005/0100501004.htm















- Now, the PATH has changed because it has been exported to .:




- Running ./msgmike we have access to user mike due to the bit SUID:




- There is another executable file msg2root (with SUID for root) at mike's home folder:








- Running ./msg2root and passing the message /bin/sh a root shell is achieved:







- Let's notice that euid=0(root), being euid the Efective User ID.


5 - CAPTURING THE FLAG

- Going to the root folder there are two text files: