Rooting pWnOS 2.0 Walkthrough


pWnOS 2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise.

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM custom network with subnet range
  • 0 VM custom network with subnet Static IP address of pWnOS2.0 is

Kali Linux network settings

pwnOS network settings

Tools Used:

  • Kali Linux VM
  • Browser
  • nc
  • nmap
  • burpsuite

Vulnerabilities Exploited:

  • SQL injection
  • Shell upload with SQL injection, database misconfiguration.
  • System misconfiguration, reuse of root password.
  • Linux Kernel 2.6.32 < 3.x (CentOS 5/6) – ‘PERF_EVENTS’ Local Privilege Escalation


Target VM IP Address:



# nmap -p- -A -oX nmap-pwnOS2.xml --webxml

Nmap findings:

  • Target OS is between Linux 2.6.32 – 2.6.39
  • OpenSSH 5.8p1 is installed on port 22
  • Apache httpd 2.2.17 is installed on port 80

Exploit path 1 for shell: SQL Injection

Let's explore the website in a browser.

There is a login page, so let's check it for SQL injection.

See! We found SQL injection. Also note down the absolute path of the website on the server, ‘/var/www/login.php’. Using SQL injection, we can try uploading a webshell using this disclosed local path.

Now it is time for burpsuite to exploit the SQL injection.

After database enumeration, we found:

database: ch16

table: users

columns for users table: user_id, first_name, last_name, email, pass, user_level, active

Let's crack the hash for Dan and, guess what, I found the cleartext password for the given hash at Cleartext password is killerbeesareflying.
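The two weaknesses seen so far (a login query that breaks on a quote, and a password hash that an online lookup reverses) have standard fixes. The following is an added example, not code from the target application: it uses Python and an in-memory sqlite3 database as a stand-in for the PHP/MySQL login, and the `salt` column, sample account and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so a leaked hash cannot simply be looked up."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db():
    """Constructed stand-in for ch16.users; 'salt' is an added, assumed column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, "
               "salt BLOB, pass BLOB, active INTEGER)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users (email, salt, pass, active) VALUES (?, ?, ?, 1)",
               ("user@example.test", salt,
                hash_password("constructed-sample-pw", salt)))
    return db


def login_vulnerable(db, email):
    """'Before': input is pasted into the SQL text, so a quote changes the query."""
    query = "SELECT user_id FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchone()  # database errors reach the caller


def login_hardened(db, email, password):
    """'After': bound parameter, constant-time compare, one generic failure value."""
    row = db.execute("SELECT user_id, salt, pass FROM users "
                     "WHERE email = ? AND active = 1", (email,)).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    ok = hmac.compare_digest(stored, hash_password(password, salt))
    return user_id if ok else None


def quote_breaks_query(db, email):
    """True when the input alters SQL syntax in the vulnerable form."""
    try:
        login_vulnerable(db, email)
        return False
    except sqlite3.Error:
        return True
```

In the hardened form a database error should also be logged server-side rather than echoed to the client, since the echoed error is what disclosed the web root path above.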

After logging in with there is nothing much we can do except seeing WAF warning message.

Let's analyse further to find another way. We can read local files. So, there is a username dan on the local machine.

Let's upload a shell using SQL injection.


Confirm that the webshell was uploaded successfully. Confirming in burpsuite.

Confirming in the browser that the shell is uploaded.


Yes! The webshell is uploaded successfully.

The next step is to find a writable directory on the server. After exploring, I found that the /var/www/blog/config directory is writable by www-data.

Time to get an interactive shell. Let's see if nc is available on the server.

nc is available.

Let's upload php-reverse-shell.php by pentest monkey. You can find this webshell in Kali Linux at /usr/share/webshells/php/php-reverse-shell.php

Configuring ip:port to kali linux attacking machine

Transfer reverse shell to target vm.  8888 > /var/www/blog/config/rshell.php&

Confirm rshell is uploaded.

Listening for the php-reverse-shell netcat shell.

Open rshell in the browser to execute the shell.

And we got a shell.

Break out of the jail shell.

Exploit path 2 for Shell: Exploiting multiple vulnerabilities in Simple PHP Blog

Let's check for other directories on the server with dirb.


With nikto, we found a directory “blog”

This is “Simple PHP Blog 0.4.0”

Let's google for any available exploit for “Simple PHP Blog 0.4.0”.

exploit link

Or use searchsploit to find an exploit for Simple PHP Blog.

Let's try the Multiple Remote exploit.

Let's upload cmd.php.

./ -h -e 1

Let's explore the shell in the browser.

We can execute commands. Again, we can upload a reverse shell in PHP and get an interactive shell with nc as we did above. I am not going to repeat the same. Let's go for privilege escalation.

Privilege Escalation 1: Misconfiguration

We found the db root username and password in the mysqli_connect.php file in the /var/ directory.


Let's reuse these credentials for secure shell.

Congrats! We are root!

Privilege Escalation 2: Kernel exploit

Let's check the kernel version.

There is a perf_events exploit for this kernel that works.

I uploaded this exploit using nc. Now, let's try this exploit.

Congrats! We are root!


This is a great Boot2Root VM. I learned and enjoyed a lot rooting this VM.

