PwnLab (VulnHub)

Hello Hackers.

Today we'll walk through PwnLab. PwnLab is a very interesting vulnerable VM for beginner hackers and pentesters who want to refresh their skills. In this VM we face different types of web attacks and learn as much as possible.

Download Link : https://download.vulnhub.com/pwnlab/pwnlab_init.ova

Goal : Flag: /root/flag.txt

Difficulty: Low

Now let's start.

Information Gathering

Step 1:

Find the target VM's (PwnLab's) IP in your network.

nmap 10.0.0.1/24

Now we have the target IP address. Our next step is to scan all ports and detect service names for later use. 😉

nmap -p- -sV 10.0.0.13

Now we know there is an Apache server running on the target system, which means it hosts a website on port 80 (HTTP).

Vulnerability Scanning

STEP 2:

Go to the browser and open http://10.0.0.13.

"Time is precious": always try to do more work in less time. That's why I put this site through a Nikto scan for automatic vulnerability scanning while I looked for vulnerabilities manually.

nikto -host 10.0.0.13

Nikto found some interesting files like config.php, login.php, etc.

While looking for vulnerabilities in this site, I found something interesting in the URL when visiting the login page.

http://10.0.0.13/?page=login

In the URL ?page=login there is a chance of LFI (Local File Inclusion) or RFI (Remote File Inclusion) in the page parameter. Let's try some file inclusion payloads in the page parameter.

  • http://10.0.0.13/?page=/etc/passwd
  • http://10.0.0.13/?page=../../../../../../../../../../../../../../../../etc/passwd
  • http://10.0.0.13/?page=/etc/passwd………………………………………
  • http://10.0.0.13/?page=/etc/passwd%00

Nothing happened. I searched through many articles and found some about the PHP filter wrapper. Using the filter you can exploit an LFI vulnerability.

php://filter/convert.base64-encode/resource=

Bingo!! Using this technique I succeeded in dumping the login.php page in base64. Now copy all the encoded text and fire up a terminal 🙂

echo "(paste base64 encoded text here without brackets)" | base64 -d

Now try to dump the config.php page.

Now I have the database username and password.

NOTE: MY TARGET IP CHANGED FROM 10.0.0.13 TO 10.0.0.10

Exploiting the MySQL Server

STEP 3:

Log in remotely to the target's MySQL database server on port 3306. In Step 2 I found the database username, password and database name.

mysql -h 10.0.0.10 -u root -p

Now I have the users' usernames and passwords, but the passwords are base64 encoded. Our first job is to decode the passwords to plain text.

STEP 4:

Open the web browser, go to the login page and try to log in to kent's account. In the previous step I found kent's username and password in the database entry.

After a successful login:

Here there is only one field, where I can upload image files. Now I decide to upload a Metasploit PHP payload with a .gif extension.

My payload name is bdoor.gif. Our next step is to upload this to the target and execute it for a reverse shell.

Now I prepared a handler for the reverse connection.

Now I open my payload directly in the browser.

Nothing happened, no Meterpreter session.

Here I was stuck for hours, so I decided to explore each and every thing on this website.

While exploring everything I found one more vulnerability, in the index.php page. In index.php the cookie parameter (lang=) is vulnerable to file inclusion.

I set up Burp Suite, set the cookie parameter lang=../upload/2526937eb190f3a8cd35c85ca133f225.gif, and forwarded the request to the target.

When it executed, I got a Meterpreter session.

ahhhh…
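Both inclusion paths used above (the php://filter wrapper in the ?page= parameter and the traversal in the lang cookie) leave distinct traces in the web server log. The following Python detector is added here as an example and is not part of the original post; it scans constructed Apache access-log lines for those traces and assumes a LogFormat that also records the Cookie request header, since the default combined format does not.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, not real PwnLab logs. Assumed LogFormat:
# "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\"" (common format plus the
# Cookie header, which the default combined format does not record).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET /?page=login HTTP/1.1" 200 1432 "-"
10.0.0.5 - - [12/Mar/2019:10:01:09 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1432 "-"
10.0.0.5 - - [12/Mar/2019:10:01:15 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2210 "-"
10.0.0.5 - - [12/Mar/2019:10:22:41 +0000] "GET / HTTP/1.1" 200 1501 "lang=../upload/2526937eb190f3a8cd35c85ca133f225.gif"
10.0.0.7 - - [12/Mar/2019:10:23:00 +0000] "GET /?page=upload HTTP/1.1" 200 1290 "lang=en"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
# PHP stream wrappers that turn include() into a source read or code execution.
WRAPPER_RE = re.compile(r'(?i)\b(php|data|expect|phar|zip)://')
# Directory traversal and null-byte truncation attempts.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|%00|\x00')

def classify(line):
    """Return {'ip', 'path', 'findings'} for a parsable line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    findings = []
    # Decode once so %2e%2e%2f style encoding does not hide the pattern.
    query = unquote(m['path']).partition('?')[2]
    if WRAPPER_RE.search(query):
        findings.append('php-wrapper-in-query')
    if TRAVERSAL_RE.search(query):
        findings.append('traversal-in-query')
    for kv in unquote(m['cookie']).split(';'):
        name, _, value = kv.strip().partition('=')
        # A language cookie should be a short token, never a path.
        if name == 'lang' and (TRAVERSAL_RE.search(value) or '/' in value):
            findings.append('traversal-in-lang-cookie')
    return {'ip': m['ip'], 'path': m['path'], 'findings': findings}

def scan(log_text):
    """All parsed lines that carry at least one finding, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line) if line.strip() else None
        if rec and rec['findings']:
            hits.append(rec)
    return hits
```

Running scan(SAMPLE_LOG) flags three of the five constructed lines: the traversal attempt, the php://filter read of config.php, and the lang cookie pointing at the uploaded .gif.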

Gaining Root Privilege

STEP 5:

Now I have a Meterpreter session. I drop to a shell and check my privileges.

I have 3 different usernames and passwords; in Step 2 we found these in the database. Let's log in and look for further hints.

When digging into kent's home directory, I found it empty. That's why I switched to kane and checked kane's home directory, where I found two files: cat and msgmike.

When I run the cat command on the cat file, the file gives me a hint to solve this puzzle.

So I create my own cat command and export the PATH. After this I execute the msgmike file and get a new shell.

After getting mike's privileges, I browse mike's home directory, /home/mike.

In mike's home directory there is one file, msg2root.

 

msg2root is an executable binary. Using a debugger we can analyze this binary; here I am using the strings command to analyze it.

Here I found something interesting: /bin/echo %s >>> /root/messages.txt

When I execute msg2root it prompts me with "Message for root:"

When I enter some random text nothing happens. But when I try command injection it works and gives me the result, as you can see in the picture above.
