Since this VM came out many years ago, I’m assuming that this should be relatively easy. (Edit: turns out it wasn’t that simple after all, but I loved it!!!)
Step 1 – Find out pWnOS IP
Since all devices are on my home Wi-Fi network, I ran a quick netdiscover scan. The pWnOS machine is at 192.168.1.8.
Step 2 – Enumerate the IP to find open ports, service versions, OS, etc.
This gives the following attack surface:
- Port 22 – OpenSSH 4.6p1 Debian 5build1
- Port 80 – Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
- Ports 139, 445 – smbd 3.0.26a
- Port 10000 – MiniServ 0.01 (Webmin httpd)
- OS – Ubuntu VM
Step 3 – Enumerating web ports
Exploiting a file disclosure vulnerability in the Webmin application. Noted the presence of the user IDs obama, osama and yomama.
The shadow file is also accessible.
Captured the files and ran John the Ripper (JTR) against the hashes in parallel. The password for user vmware (h4ckm3) was cracked with the rockyou.txt wordlist after a few minutes.
Meanwhile, on port 80:
The parameter ‘connect’ is vulnerable to LFI (local file inclusion).
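As an added example that is not part of the original walkthrough: a small Python detector that flags LFI and path-traversal attempts against query parameters such as the vulnerable ‘connect’ parameter in Apache access logs. The log lines are constructed for the demo and the parser assumes Apache’s combined log format; the host 192.168.1.8 and the parameter name come from the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-log lines for 192.168.1.8 (not from the post).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?connect=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:10:01:05 +0000] "GET /index.php?connect=../../../../etc/passwd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:10:01:09 +0000] "GET /index.php?connect=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1011 "-" "Mozilla/5.0"
192.168.1.21 - - [10/Mar/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal / sensitive-path indicators, checked after full URL decoding so
# percent-encoded and double-encoded variants are caught as well.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/etc/|/proc/self/|\x00)')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (stops when stable)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text, watched_params=("connect",)):
    """Return (ip, param, decoded value, status, kind) for suspicious query values.

    Every query parameter is inspected; a hit on a watched parameter (here the
    known-vulnerable 'connect') is tagged 'known_lfi_param', others 'traversal'.
    A 200 status on such a request suggests the inclusion actually succeeded.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value):
                kind = "known_lfi_param" if name in watched_params else "traversal"
                hits.append((m["ip"], name, value, int(m["status"]), kind))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```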
Logged in over SSH with the credentials found and noticed that Webmin was running with root privileges (which is why the shadow file was readable through it).
Downloaded a Perl reverse shell, renamed it with a .cgi extension and gave it execute permissions.
Executed it through Webmin and obtained root!!!!
Alternate method – I came across an alternate method as well. Using the Webmin file disclosure vulnerability, we know that there are users vmware, obama, osama and yomama. Searching their home directories for an authorized_keys file:
The installed OpenSSL version may be vulnerable to a brute-force attack. Using the public key, the matching private key was found and used to log in to the system.
Downloaded, compiled and executed a local privilege escalation exploit and obtained root!!