Today we'll walk through PwnLab. PwnLab is a very interesting vulnerable VM for beginner hackers and pentesters who want to refresh their skills. In this VM we face different types of web attacks and learn as much as possible.
Download Link : https://download.vulnhub.com/pwnlab/pwnlab_init.ova
Goal : Flag: /root/flag.txt
Now let's start.
Step 1 :
Find the target VM's (PwnLab's) IP in your network.
Now that we have the target IP address, our next step is to scan all ports and identify the service names for later use. 😉
nmap -p- -sV 10.0.0.13
Now we know there is an Apache server running on the target system. That means the target system hosts a website on port 80 (HTTP).
Go to browser and open http://10.0.0.13
"Time is precious": always try to do more work in less time. That's why I put this site through a Nikto scan for automated vulnerability scanning while I look for vulnerabilities manually.
nikto -host 10.0.0.13
Nikto found some interesting files like config.php, login.php, etc.
While looking for vulnerabilities in this site I found something interesting in the URL when visiting the login page.
In the URL ?page=login there is a chance of LFI (Local File Inclusion) and RFI (Remote File Inclusion) in the page parameter. Let's try some file inclusion payloads in the page parameter.
Nothing happened. I searched through many articles and found some about the PHP filter wrapper. Using the filter you can exploit an LFI vulnerability.
Bingo!! Using this technique I succeeded in dumping the login.php page in base64. Now copy all the encoded text and fire up a terminal 🙂
echo "(paste the base64 encoded text here, without the brackets)" | base64 -d
Now try to dump the config.php page.
Now I have the database username and password.
NOTE: My target IP changed from 10.0.0.13 to 10.0.0.10.
Exploiting the MySQL server
Remote login to the target's MySQL database server on port 3306. In Step 2 I found the database username, password and database name.
mysql -h 10.0.0.10 -u root -p
Now I have the users' usernames and passwords, but the passwords are base64 encoded (an encoding, not encryption, so no key is needed). Our first job is to decode the passwords to plain text.
STEP 4 :
Open a web browser, go to the login page and try to log in to the kent account. In the previous step I found kent's username and password in the database entry.
After successfully logging in.
Here there is only one field where I can upload image files. So I decided to upload a Metasploit PHP payload with a .gif extension.
My payload name is bdoor.gif. Our next step is to upload it to the target and execute it for a reverse shell.
Now I prepared a handler for the reverse connection.
Now I open my payload directly in the browser.
Nothing happened, no Meterpreter session.
Here I was stuck for hours, so I decided to explore each and every thing on this website.
While exploring everything I found one more vulnerability, in the index.php page. In index.php the cookie parameter (lang=) is vulnerable to file inclusion.
I set up Burp Suite and set the cookie parameter lang=../upload/2526937eb190f3a8cd35c85ca133f225.gif
When it executed, I got a Meterpreter session.
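As an added detection-side example (not from the original post), the following Python flags both inclusion vectors used in this walkthrough, the page parameter and the lang cookie, in constructed Apache-style access log lines. It assumes a log format that also records the Cookie request header (the default combined format does not, which is why the cookie vector is so easy to miss); the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines. Assumed LogFormat: combined plus a trailing
# "%{Cookie}i" field, so the lang= cookie is visible to the defender.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=login HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "lang=en"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [01/Jan/2024:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "lang=../upload/2526937eb190f3a8cd35c85ca133f225.gif"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /upload.php HTTP/1.1" 200 800 "-" "Mozilla/5.0" "PHPSESSID=abc123; lang=en"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# Inclusion indicators: PHP stream wrappers and parent-directory traversal.
SUSPICIOUS = re.compile(r'(?i)(?:php://|data:|\.\./|\.\.\\)')


def _looks_like_inclusion(value):
    # Decode twice so single- and double-URL-encoded values are both caught.
    return SUSPICIOUS.search(unquote(unquote(value))) is not None


def find_inclusion_attempts(log_text):
    """Return (client_ip, vector, value) for every suspicious page param or lang cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than crash
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for val in params.get('page', []):
            if _looks_like_inclusion(val):
                hits.append((m['ip'], 'page param', val))
        # Cookie header is "name=value; name2=value2"; only lang is included by the app.
        for part in m['cookie'].split(';'):
            name, _, val = part.strip().partition('=')
            if name == 'lang' and _looks_like_inclusion(val):
                hits.append((m['ip'], 'lang cookie', val))
    return hits


if __name__ == '__main__':
    for ip, vector, value in find_inclusion_attempts(SAMPLE_LOG):
        print(f'{ip}: file inclusion attempt via {vector}: {value}')
```

The same indicators can be blocked server-side by only including files from a fixed allowlist instead of building the include path from the request.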
Gaining root privilege
Now I have a Meterpreter session. Next I drop to a shell and check my privileges.
I have 3 different usernames and passwords; in Step 2 we found them in the database. Let's log in and look for further hints.
When digging through kent's home directory I found it was empty, so I switched to kane and checked kane's home directory; here I found two files, cat and msgmike.
When I ran the cat command on the cat file, it gave me a hint to solve this puzzle.
So I created my own cat command and exported the path, and after this I executed the msgmike file and got a new shell.
After getting Mike's privileges, I browsed mike's home directory, /home/mike.
In mike's home directory there is one file, msg2root.
msg2root is an executable binary. We could analyze this binary with a debugger; here I am using the strings command to analyze it.
Here I found something interesting: /bin/echo %s >>> /root/messages.txt
When I execute msg2root it prompts me: Message for root :
When I put in some random text nothing happens. But when I try command injection it works and gives me the result, as you can see in the picture above.