VulnHub: pWnOS: 2.0 (Pre-Release)

Initial Foothold

1. Network discovery

My target is 10.10.10.100.

2. Port scan

3. OS and service scan

4. Vuln scan

There are directories on the HTTP site, as shown.

Service Enumeration

  • 22/tcp OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)

Connect to SSH

No banner appears.

  • 80/tcp Apache httpd 2.2.17 ((Ubuntu))
1. Nikto scan

There are sub-directories, as listed.

2. Further directory scan w/ gobuster

3. Access the site

Note the email ‘admin@isints.com’ in case I need it.

Register on the site.

Follow the activation link.

Log in; nothing comes up.

However, if you supply a SQL injection payload at the login form, you also reach the admin panel, but there is nothing there anyway.

Here is my list of tested queries.

Another interesting directory is /blog.

Viewing the page source revealed that it is Simple PHP Blog 0.4.0.

Exploitation

1. Searching for an existing exploit, I came across this script.

Look up the script number and copy it from searchsploit.

Copy the command.

Run the script to test it.

Now I have the usage.

Since I want a shell, my choice is option 1.

cmd.php is created and stored at http://10.10.10.100/blog/images/.

Access the path.

I had created cmd.php but did not know how to use it, so I looked at the script's code and found that it takes a GET parameter, cmd.

Try the script.

It worked.
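As a defensive counterpart to the cmd.php dropped above (example code added for this write-up, not part of the original post or of the exploit script), the scanner below walks a web root, flags PHP files that feed request parameters such as `$_GET['cmd']` into command-execution functions, and flags any PHP at all under static directories like /blog/images/. The heuristic names and the sample web root it builds are constructed for the demo, not taken from the target.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# PHP sinks that run OS commands or evaluate code, and the request superglobals
# that carry attacker-controlled input (e.g. the ?cmd= parameter of a dropped cmd.php).
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\("
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"
DIRECT_SINK = re.compile(EXEC_FUNCS + r"\s*" + REQUEST_INPUT)   # system($_GET['cmd'])
ANY_SINK = re.compile(EXEC_FUNCS)
ANY_INPUT = re.compile(REQUEST_INPUT)
# Directories meant for static content only; executable PHP there is a red flag by itself.
STATIC_DIRS = {"images", "img", "uploads", "files", "media"}
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}

def find_web_shells(webroot: str) -> List[Dict[str, str]]:
    """Return PHP files under webroot that look like dropped command shells."""
    findings = []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        src = path.read_text(errors="ignore")
        rel = path.relative_to(webroot)
        reasons = []
        if DIRECT_SINK.search(src):
            reasons.append("request input passed directly to command execution")
        elif ANY_SINK.search(src) and ANY_INPUT.search(src):
            reasons.append("request input and command execution in the same file")
        if {p.lower() for p in rel.parts[:-1]} & STATIC_DIRS:
            reasons.append("php file in static-content directory")
        if reasons:
            findings.append({"path": rel.as_posix(), "reasons": "; ".join(reasons)})
    return findings

def build_sample_webroot() -> str:
    """Constructed sample web root (not copied from the target) for a demo run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "blog/index.php": "<?php echo 'Simple PHP Blog'; ?>",
        "blog/images/logo.png": "binary image data",
        "blog/images/cmd.php": "<?php system($_GET['cmd']); ?>",          # one-liner shell shape
        "blog/lib/tools.php": "<?php $c = $_POST['x']; passthru($c); ?>",  # indirect variant
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root

if __name__ == "__main__":
    for hit in find_web_shells(build_sample_webroot()):
        print(f"{hit['path']}: {hit['reasons']}")
```

Run it against the real document root (e.g. /var/www) instead of the sample to check a server for the same pattern; the indirect-variant check is a heuristic and will produce some false positives on legitimate admin code.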

2. Get a reverse shell

Create a listener on port 443.

I used this cheat sheet.

The method is to intercept the request with Burp Suite and send it to Repeater.

Copy the command and URL-encode it with the Burp Suite Decoder.

Paste the encoded command.

After a few tries, I succeeded with this command.

Privilege Escalation

1. Directory exploration

There are many directories to explore, as listed:

After exploring, I came across some files in /var/www and /var.

Here are the commands.

I came across mysqli_connect.php

It contains MySQL credentials.

I came across another mysqli_connect.php

It contains another set of MySQL credentials.

Before using them to access MySQL, I tried them to log in as root in case the password was reused.

Failed!

The other one:

Now I’m root.