pWnOS 2.0 Walkthrough

I set up this VM using VMware, creating a LAN segment and putting both my Kali box and the vulnerable VM on it. I then issued “ifconfig eth0 10.10.10.125 netmask 255.255.255.0” on Kali.

I then ran an nmap scan:

nmap -sV -Pn -vv -T4 -A -p- 10.10.10.100 --script=auth,brute,discovery,exploit,vuln -oN 10.10.10.100nmap.scan

The scan found SSH, a web server, and some sites to check out.

There wasn’t much more, so I browsed to the web server and found a web app.

I clicked through the pages and got to a login site, so I tried some basic SQLi, “' or 1=1-- ”, and it seemed to log me in!
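As an added example (not part of the original walkthrough), the login bypass described above, run against a constructed SQLite stand-in for the blog's MySQL backend: the string-concatenated query lets the “' or 1=1-- ” input rewrite the WHERE clause, while the parameterised version treats the same text as a literal username. The table and column names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample database; the real app's schema is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db


def login_vulnerable(db, username, password):
    # User input is pasted into the SQL text, so quotes and '--' change the query.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    # Parameterised query: the driver passes the values separately from the SQL,
    # so "' or 1=1-- " is compared as a username string and never parsed.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def bypass_works(login_func):
    # True if the injection logs in without knowing any valid password.
    return login_func(make_db(), "' or 1=1-- ", "anything")


if __name__ == "__main__":
    print("concatenated query bypassed:", bypass_works(login_vulnerable))
    print("parameterised query bypassed:", bypass_works(login_safe))
```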

Since the site was vulnerable to SQLi, I intercepted a request in Burp, saved it to a file, “login4real”, and ran a sqlmap dump.

Sqlmap was able to identify an injection point!

It found some usernames and passwords, but I wasn’t able to do much about cracking the hashes.

I wasn’t able to do much with this info, so I moved away from MySQL (I suppose I could have attempted to create a PHP reverse listener via “into dumpfile”…).

I enumerated the website more by running DirBuster, which found some interesting pages.

I checked a couple of the sites, then landed on what seemed like another web app, /blog/.

I clicked around on the site and tried some basic passwords on the login page, but no go…

I then decided to run a Nikto scan, which found some additional pages,

as well as a potential config file 🙂

I browsed to the config.txt site and found some files of interest:

config.txt

password.txt

I wasn’t sure how to use the config file, and I tried cracking the password with various tools to no avail. I looked more closely at the new web app to determine what was running on the backend. I selected “view page info” in Firefox and found it was running Simple PHP Blog 0.4.0.

I looked up associated exploits

and downloaded the first, a Perl script, to the file “simplephp.pl”.

I started with -e 1; this created a cmd.php file, which should have allowed me to enter commands.

The file even uploads to the dir mentioned in the exploit.

Although the file uploaded, I couldn’t get the page to work. I then used the exploit to create a new user on the site, and was then able to log in!

I noticed an upload image link, so I clicked it; maybe I could upload a reverse shell with some workarounds.

I started with the PHP reverse shell from pentestmonkey with no modifications to the extension or contents. Surprisingly, the file uploaded! I browsed to /blog/images to confirm.

I opened a netcat listener on my Kali box, and clicked on the php-reverse-shell.php link to get a shell!

I was user “www-data”, so I had to look for a way to escalate privileges. I tried to check vulnerabilities with the kernel, but nothing jumped out at me. I looked at folder/file permissions, but again nothing was a good target at first glance. I looked around the file system and found some MySQL files in the /var dir.

I also found another similar file in the /var/www/ dir.

I knew these were MySQL usernames and passwords, but it’s all I had at the time. I tried the two different passwords for the root user…

And we got root! It looks like the admin reused his MySQL password for the local root password. Something that’s far too typical…