PwnLab: Init Walkthrough

Welcome.

This is a CTF (Capture The Flag) challenge but the ultimate goal is to get root access to the VM (Virtual Machine). I am using VMWare Workstation Pro 12 and my attacker machine is Parrot OS 3.4.1. I am on bridged network so I am directly connected to the router by my VM.Hope everyone knows how to setup a lab, and if not please search on Google on How to Setup A VM on VMWare, there are many tutorials available on the internet.If you want any information or want to download the PwnLab: Init lab. So I just boot up my VMs.Here my IP address for eth0-192.168.16.104 and for eth1-192.168.16.108.

1.png

After knowing the IP I start NMAP scan. The same can be done by NETDISCOVER.

23

We can see the NMAP scan is more detailed as it also provides us with the port state. As we can see from 1st image that port 80 is open that means a site is hosted on it.As i open it in my browser I can see a website hosted on the IP.

4.png

As we can see there are 3 options but there is nothing useful in either of the 3 pages , there isn’t anything interesting in the source code too. Also I noticed that to upload anything we have login first , but as we don’t  have any login details we will leave it at that.Starting a more detailed NMAP scan and NIKTO to find something more interesting.

56NMAP scan didn’t return any interesting results but I noticed something unusual in  the NIKTO scan results and that is config.php , but opening it in browser returns a blank page. I was hoping for LFI vulnerability in the web page hosted but all my efforts were in vain. So I decided to search the web for ways to bypass the LFI protection and I came across another blog by Aaditya Purani. So i injected the payload and got the following data.

7

It looked like a base64 string so I quickly decoded and got the following result.

8.png

Looks like the credentials to some database so I quickly head over to extract the database using MySql commands.

(Note : I turned of my machine in between so thats why my IP Addresses will change in the following images. Sorry for the inconvenience caused. Attacker machine IP : eth0-192.168.16.105 , eth1-192.168.16.102). The victim machine IP : 192.168.16.104

9.png

After getting the table containing the credentials , I noticed that all the passwords were BASE64 strings , so I headed over to base64decode.org to decode the strings but the same can be done by terminal also: 10.png

The results are for KENT , MIKE and KANE respectively. Then I used the credentials to login from the webpage to upload an image fi

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s