Tuesday, December 11, 2018

pWnOS 1.0


- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine pWnOS 1.0

pWnOS 1.0 can be downloaded from here:


- Once pWnOS 1.0 is downloaded and extracted with VMware:


- Discovering the IP of pWnOS 1.0:

- Scanning ports with Nmap:

- Launching Nikto against the web server at port 80:

- Going to the folder /php, detected by Nikto:

- Clicking phpMyAdmin:

- Now, launching dirb:

- Connecting to folder /index:

- Clicking Next:

- Clicking Please Help!:


- There are several ways to exploit this vulnerable machine. Let's study some of them:

3.1 - File Inclusion

- Going back to index1.php, when entering false instead of true there is a Warning message about the function include():

- This suggests a possible File Inclusion vulnerability, which actually allows retrieving the file /etc/passwd:

3.2 - Webmin exploitation

- Going back to port 10000: according to Nmap's output, Webmin is running with MiniServ 0.01:

- Looking for Webmin exploits:

- Copying 2017.pl to the local working directory:

- Running 2017.pl without parameters:

- Getting /etc/passwd:

- Getting /etc/shadow:

3.3 - PRNG Brute Force SSH

- The same exploit as in 3.2 can be used again, in combination with these two other exploits (either Perl or Python):



- According to the instructions, first we must download the exploit and store it:

- Extracting, we find the precalculated SSH keys:


- Going ahead with the instructions (in our case we are using a Perl script, instead of Python):

- Using the script 2017.pl from point 3.2 with user obama (obviously the same could be done with the rest of the users: vmware, osama and yosama) to get the file authorized_keys:

- Scanning for the public key by grepping the contents of obama's authorized_keys in the folder /rsa/2048:

- The SSH key for user obama is found:

- SSH-ing as user obama, providing the key, we achieve a low privileged remote shell:

3.3 - File disclosure with Metasploit

- CVE-2006-3392 describes a vulnerability associated with Webmin:


- Metasploit is able to exploit the vulnerability CVE-2006-3392:


- Launching Metasploit and using the auxiliary module auxiliary/admin/webmin/file_disclosure:

- Setting option for RHOST:

- Setting option for /etc/passwd and running:

- Setting option for /etc/shadow and running:

3.4 - Path / Directory traversal attack

- Following the CVE-2006-3392 vulnerability description about the use of "..%01" sequences, we can also retrieve /etc/passwd and /etc/shadow by launching a Path or Directory traversal attack:


- Path traversal attack for /etc/passwd:

- Path traversal attack for /etc/shadow:
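As a defensive counterpart to the traversal requests above, here is a small Python log checker, added as an example and not part of the original write-up, which percent-decodes request paths and flags both the classic "../" sequence and the "..%01" variant described by CVE-2006-3392. The log lines are constructed for the example; the log format and the /unauthenticated path are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (combined-log style), not taken from the
# original write-up: two traversal attempts followed by two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2018:10:01:02 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1337
10.0.0.5 - - [11/Dec/2018:10:01:09 +0000] "GET /unauthenticated/..%2F..%2F..%2Fetc/shadow HTTP/1.1" 200 812
10.0.0.7 - - [11/Dec/2018:10:02:15 +0000] "GET /index.php?page=home HTTP/1.1" 200 4021
10.0.0.7 - - [11/Dec/2018:10:02:20 +0000] "GET /images/logo..png HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

# ".." followed by a path separator OR by a control byte (0x00-0x1f).
# The "..%01" trick from CVE-2006-3392 defeats filters that only strip the
# literal "../" sequence, so the control-byte branch is what catches it.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|[\x00-\x1f])')


def normalise(path):
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e%252e%252f are exposed before matching."""
    prev = None
    for _ in range(3):
        if path == prev:  # decoding has become stable
            break
        prev, path = path, unquote(path)
    return path


def is_traversal(path):
    """True if the decoded request path carries a directory-traversal sequence."""
    return TRAVERSAL_RE.search(normalise(path)) is not None


def find_traversal_attempts(log_text):
    """Return (client_ip, decoded_path) for every log line that looks like a
    traversal attempt; lines without a parsable request are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((line.split()[0], normalise(m.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path!r}")
```

Run against a real access log, the same function also surfaces plain "../" and double-encoded variants, not only the "..%01" form used on this machine.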


- John the Ripper helps us crack the password hashes by combining /etc/passwd and /etc/shadow:

- First, let's store /etc/passwd at file p and /etc/shadow at file s.

- Now, the unshadow command takes p and s and outputs the unshadowed file u:

- It is time for john to work on file u, applying the wordlist rockyou.txt:

- After some minutes we got the password for user vmware.

- SSH-ing with the credentials vmware:h4ckm3, we get a low privilege remote shell:

- Unfortunately user vmware has no sudo privileges:


- Let's follow two ways for Privilege Escalation.

5.1 - Webshell

- Copying a Perl reverse shell to the local working folder:

- Renaming it to shell.cgi so that it can be run as a CGI script:

- Adapting shell.cgi to our needs:

- Transferring from Kali to pWnOS 1.0 (folder /tmp):

- Copying from /tmp to /home/vmware:

- Setting run permissions for shell.cgi:

- Setting up a Netcat listener on Kali:

- Running shell.cgi:

- As a consequence we get a root privilege shell:

5.2 - Kernel exploit

- Another way of Privilege Escalation would be taking advantage of the outdated kernel version:

- Exploit Database holds Local Privilege Escalation exploits for outdated Linux kernel versions; for instance this one would be valid because 2.6.17 < 2.6.22 <


- Downloading it to the working folder and naming it vmsplice.c:

- Setting execution permissions:

- Transferring from Kali to pWnOS 1.0 (/tmp folder):

- Compiling:

- Running the exploit, it is successful: