pWnOS: 1.0

Since this VM came out many years ago, I’m assuming that this should be relatively easy. (Edit: Turns out it wasn’t that simple after all, but I loved it!!!)

Step 1 – Find out pWnOS IP

Since all devices are on my home Wi-Fi network, I run a quick netdiscover scan. The pWnOS machine is at 192.168.1.8.

Step 2 – Enumerate the IP to find out open ports, service versions, OS, etc.

This provides the following attack surface:

  • Port 22 – OpenSSH 4.6p1 Debian 5build1
  • Port 80 – Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
  • Port 139,445 – smbd 3.0.26a
  • Port 10000 – MiniServ 0.01 (Webmin httpd)
  • OS – Ubuntuvm


Step 3 – Enumerating web ports

Exploited a file disclosure vulnerability in the Webmin application and noted the presence of the user IDs obama, osama and yomama.

The shadow file is also accessible.

Captured the files and used JTR to try to brute-force them in parallel. The credential for user vmware (h4ckm3) was brute-forced using the rockyou.txt wordlist after a few minutes.

Meanwhile, on port 80:

The parameter ‘connect’ is vulnerable to LFI.
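As a defender's counterpart to the LFI and Webmin file disclosure findings above, here is an added example (not from the original post) that scans Apache access-log lines for traversal sequences or sensitive-file paths in the `connect` query parameter, undoing nested percent-encoding before matching. The log lines, timestamps and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not from the original post): a normal
# request, a plain traversal attempt, a double-encoded attempt, and a static file.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2020:10:01:02 +0000] "GET /index.php?connect=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2020:10:01:09 +0000] "GET /index.php?connect=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.64"
192.168.1.50 - - [10/Mar/2020:10:01:15 +0000] "GET /index.php?connect=..%252f..%252fetc%252fshadow HTTP/1.1" 200 900 "-" "curl/7.64"
192.168.1.20 - - [10/Mar/2020:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e and %2e%2e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value walks up the directory tree or names a sensitive file."""
    v = fully_decode(value).replace("\\", "/").lower()
    return "../" in v or v.endswith("..") or any(s in v for s in SENSITIVE)

def find_lfi_attempts(log_text, watched_params=("connect",)):
    """Return (ip, status, param, decoded_value) for each request whose watched query
    parameter looks like a traversal; pass watched_params=None to inspect every parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if watched_params and param not in watched_params:
                continue
            for raw in values:  # parse_qs already removed one encoding layer
                if is_traversal(raw):
                    hits.append((m["ip"], int(m["status"]), param, fully_decode(raw)))
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print("Possible LFI attempt:", hit)
```

A 200 status on a flagged request is the signal worth paging on; a 404 or 403 means the include did not resolve.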

Used the credentials found to log in over SSH and noticed that Webmin was running with root privileges (that’s why I was able to access the shadow file).

Downloaded a Perl reverse shell, renamed it to .cgi and gave it execute permissions.

Executed it via Webmin and obtained root!!!!


Alternate method – I came across an alternate method as well. Using the Webmin file disclosure vulnerability, we know that there are users vmware, obama, osama and yomama. Searched their home directories for an authorized_keys file.

The OpenSSL version installed may be vulnerable to a brute-force attack. Using the public key, the private key was found and used to log in to the system.

Downloaded, compiled and executed a local privilege escalation exploit and obtained root!!
