Tuesday, 9 August 2016

PwnLab init challenge


"Wellcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read de flag."

So, let's play with it
Nmap scanning phase
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40309/udp  status
|_  100024  1          42225/tcp  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 53
|   Version: .5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolOld, Support41Auth, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, IgnoreSigpipes, InteractiveClient, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongColumnFlag
|   Status: Autocommit
|_  Salt: BWnFSNkP0;xm:veu@|p=
42225/tcp open  status  1 (RPC #100024)
As always let's start from web application.
Default Web page looks like a some kind of administrator panel.

We must be logged in if we want to upload some file. Let's try do something with page parameter.

Great! So, le'ts try read something like a config.php file.

Excellent! We have retrieved MySQL credentials! Let's verify it.

Great! We have got three credentials - probably for our web application.
These passwords looks like base64 encoded string.
Valid credentials:
Before logging as one of the three users, let's try examine how looks upload.php file.
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
       $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');

        if(strpos($filetype,'image') === false) {
            die('Error 001');

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] !=      'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');

        if(substr_count($filetype, '/')>1){
            die('Error 003');

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');

OK, we can see that we have to use gif,jpg, jpeg and png extensions. I was trying a lot upload some PHP code, but without success... Probably upload functionality has been created correctly (secure).
Let's examine index.php file (I don't have more ideas).
//Multilingual. Not implemented yet.
if (isset($_COOKIE['lang']))
// Not implemented yet.
<title>PwnLab Intranet Image Hosting</title>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
    if (isset($_GET['page']))
        echo "Use this server to upload and share image files inside the intranet";
We can see that lang is handled via include method, so maybe there is LFI?
BINGO! I have removed PHPSESSIONID parameter and add lang=../../../../../../../etc/passwd.

 Great! So, we can upload png file with injected PHP script and run using LFI and lang Cookie!

Excellent! We have got limited shell. So, let's try retrieved credentials to up our privileges.
BINGO! We can do that!


Very good. TRY HARDER!

Game over!