pWnOS 1.0 Boot2Root VM Walkthrough


PwnOS1.0 is boot2root deliberate vulnerable virtual machine designed by @Chronicoder for n00bs passionate about learning how system and application vulnerabilities lead to compromise. So, the goal is to root VM by exploiting found vulnerabilities and get the flag at /root/flag.txt. Reading /root/flag.txt is benchmark showing system is compromised successfully.

Download Link:,158/

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in bridge mode
  • pWnOS VM in bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • hashcat

Vulnerabilities Exploited:

  • Local File Inclusion
  • Webmin Arbitrary File Disclosure
  • Weak Passwords
  • OpenSSL Predictable PRNG (CVE-2008-0166)
  • Linux Kernel 2.6.17 < – ‘vmsplice’ Local Privilege Escalation (2)




Target VM IP Address:



nmap -p- -A -oX nmap-pwnOS.xml --webxml

Nmap findings:

1- Target box is linux machine.

2- SSH server is enabled.

3- Apache server is listening on port 80.

4- webmin httpd version 0.01 is enabled on default port 10000

Exploit Path 1: Hacking website

Explore website in browser to find vulnerability for exploitation


Found file inclusion vulnerability  in connect parameter of query string. LFI is exploitable.


usernames found: root, vmware, obama, osama, yomama

unfortunately, /etc/shadow, /var/log/apache2/access.log files are not accessible through website. So, can not proceed further using this path. RFI is URL file-access is disabled in the server configuration

Lets explore webmin.

Exploit Path 2: Webmin exploit

With nmap, we knew version of webmin that seems old. Lets search and use exploit.


We can Read arbitrary files with webmin exploit More critical thing is, we can read any file with root privileges.


crack linux passwords with hashcat

hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /usr/share/wordlists/sqlmap.txt


vmware passowrd is cracked.

ssh access is granted


Epxloit Path 3: SSH autorized keys

Since, we already know usernames on server. Lets try to read ssh authorized keys for known users.


since, authorized keys are accesible, lets try exploit

To use exploit, we must download database mentioned in exploit prior to execute exploit from this location and decompress.

#tar vxjf 5622.tar.bz1
search ssh authrozed keys through this database


login with keys

ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@


Privilege Escalation

searchsploit linux vmsplice

We already have secure shell access for vmware and obama user accounts on target box. Lets upload exploit code 5092.c on server, compile and execute exploit.


Congrats… ! We are root!


This was excellent boot2root VM. I learned a lot and thanks to @Chronicoder for putting effort designing such a great VM for students like me to learn and practice security concepts.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s