Pwnlab init Write-up [ Vulnhub ]

Hello. Good morning.
Today I write about how to solve the Pwnlab init boot2root challenge. I gained a lot of new experience from this box and want to share my knowledge with my buddies. Let's start.

First, I scan my network with netdiscover.

I found the VM, shown with the name CADMUS COMPUTER SYSTEMS, and got the target IP address.


After getting the IP, we need to scan the ports of the target with nmap:

nmap -sV

The result shows that httpd and mysql are running on the target IP.

Open the browser and put the IP in the URL. Yes, it is running a web service.


Now I check the web process and the system flow of the site.

I feel that it may be vulnerable to Local File Inclusion (LFI). Testing with /etc/passwd or /etc/passwd%00 does not work. I check the file again and try to read the source code with php://filter.


After decoding the base64 output, I see the upload.php source code and notice there are two checks that filter the upload process:
1. Check the image extension.
2. Check the MIME type.

We need to bypass it. 😛
I try to read the source code of all the files and see an interesting file (config.php).

Now we have the important part: the database connection information. Yeah! Let's try to connect with mysql (we already know port 3306/tcp is open).
Open a terminal and type the following command:

mysql -h -u root -p

-h hostname
-u username
-p password

Finally we got the user login information from the users table in the database.


The passwords are encoded in base64 format. We need to decode them and log in with this information.

After logging in to the box, I see an upload form. So I try to upload a normal gif file to the server.

Yes, it is working…

Now it is time to upload a PHP shell to the server. We can't upload a default php file, but we know the two checks to bypass (already described above).
Changing the MIME type with GIF89; and changing the extension from php to gif is enough for me.

I use Burp to check the flow of the process. Yes, the file upload succeeds, but nothing happens.

I need to find another vulnerability to execute the PHP shell. I found another LFI vulnerability in index.php: the PHP include function uses a cookie named lang.

After that I change the path and the parameter (lang) in Burp and repeat the request!

It's working… the output of the Linux ls command is shown in the result.

So let's try to download a PHP 404 shell file to the target server. I use the 404 PHP shell because it is easy to use with its web interface (GUI).

Now I use the wget command to download the shell and set the output file name to 133720.php.

wget -O 133720.php

It is not working well, so we need to decode it with the hex type.

After downloading the shell to the server, we got the shell.

The result will be shown as NOT FOUND, but it can log in with a password. 😀 I use the password 133720 and log in.

We need to use a back connect to join with the server. First open a port on our IP, then connect from the server to the open port.

After connecting, we get the connection with the server in the terminal.

But we need to spawn a shell on the server. We can use Python code for it.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/

Change the user again with su and check the directories and files. cat is called without a path: {system('cat /home/mike/msg.txt')}

The result shows another user, mike. I try su mike, but the password is incorrect.

Now we need to exploit the PATH. This link will help you with Linux privilege escalation and abusing users with '.' in their PATH:


After the exploit we became the mike user. Go to mike's folder, where a new file, message2root, shows up as owned by the root user. We need to exploit this file.

The strings message2root command shows that it reads the user input as root with no validation, so we can join two commands into one with a semicolon (;).


It shows hello and lists the directory. The exploit code will be hello;/bin/sh

Again we got the euid of the root user. Bingo!

Now go to the /root directory and read the flag.


Finally, we see the message successfully… Thanks for reading.
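Both escalation steps above come from a privileged program handing text to a shell: cat looked up through PATH, and input joined into a command line so that ; starts a second command. The following C sketch is an added example, not the source of message2root or any code from the VM; is_safe_name, greet, MAX_NAME and the echo-a-greeting behaviour are assumptions made for illustration. It validates the input against an allowlist and runs an absolute path through execve with a fixed environment, so no shell or PATH lookup is involved.

```c
/* Added example (hypothetical stand-in, not message2root's real source). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 32

/* Allowlist: 1..MAX_NAME characters, letters, digits, '_' and '-' only.
   Rejects ';', '/', spaces, quotes, '$' and every other shell metacharacter. */
int is_safe_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NAME) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Runs /bin/echo with the name as one argv entry, so no shell parses it.
   Returns the child's exit status, or -1 if the name is rejected or fork fails. */
int greet(const char *name)
{
    if (!is_safe_name(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", "Hello", (char *)name, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed, no '.' */
        execve("/bin/echo", argv, envp);   /* absolute path: no PATH search */
        _exit(127);                        /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];
    if (!fgets(buf, sizeof buf, stdin)) return 1;
    buf[strcspn(buf, "\n")] = '\0';        /* strip the trailing newline */
    return greet(buf) == 0 ? 0 : 1;
}
```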


Video on Youtube

#Creatigon #133720 #boot2root #PwnLab #Vulnhub