VulnHub: pWnOS: 2.0 (Pre-Release)

5 min readApr 27, 2021

Initial Foothold

  1. Network discovery
nmap -sn

My target is

2. Port scan

nmap -Pn -Pn -p1000-

3. OS and service scan

nmap -A -p22,80

4. Vuln scan

nmap --script vuln -p22,80

There’re directories on HTTP site as shown.

Service Enumeration

  • 22/tcp OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)

Connect to SSH


No any banners appear.

  • 80/tcp Apache httpd 2.2.17 ((Ubuntu))
  1. Nikto scan
nikto -h

There’re sub-directories as listed.

2. Further directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi,bak -q

3. Access the site

Note the email ‘’ in case I need it.

Register the site.

Follow activation link

Login, nothing comes up.

However if you supply SQL injection, you also get admin panel, but It’s nothing anyway

Here’s my list of tested query

1' or 1=1--   -> failed
1' or 1=1-- - -> failed
1' or 1=1--+ -> failed
1' or 1=1# -> succeeded

Another interesting directory is /blog

Viewing page source revealed that It’s Simple PHP Blog 0.4.0.


  1. Search for existing exploit, I came across this script.

Look up scipt number and copy from searchsploit

Copy command

searchsploit -m 1191

Run the script for testing


Now I have the usage.

Since I want shell, my choice is number 1

./ -h -e 1

cmd.php is created and stored in

Access the path

Since I created the cmd.php, but I don't know how to use. So I looked up in the code and there’s GET parameter, cmd.

Try the script

It’s worked.

2. Get the reverseshell

Create listener on port 443

rlwrap nc -lvp 443

I used this cheat sheet.

The method is intercept the resuest w/ Burp Suite and send to the repeater.

Copy command and encode to URL w/ Burp Suite Decoder

Paste the encoded command

After my tries, I succceded w/ this command.

Privilege Escalation

  1. Directory Explore

There’s many directories to explore as listed:


After Exploring I came across some files in /var/www and /var

Here’re commands.

cd /var/wwwls -la

I came across mysqli_connect.php

cat /var/www/mysqli_connect.php

It’s a credential of MySQL.

cd /var/ls -la

I came across another mysqli_connect.php

cat /var/mysqli_connect.php

It’s another credential of mysql.

Before use it to access MySQL. I used to login as root in case there’s a re-using password.

su rootpassword: goodday


Another one

su rootpassword: goodday

Now I’m root.