PWNOS: 2.0 (PRE-RELEASE) Walkthrough
pWnOS v2.0 is a Virtual Machine Image which hosts a server to practice penetration testing. It will test your ability to exploit the server and contains multiple entry points to reach the goal (root). It was designed to be used with VMware Workstation 7.0, but can also be used with most other virtual machine software.
For set-up:
Enumeration
Possibilities:
- Get some usernames and bruteforce through SSH.
- Possible CMS with vulnerability.
- Website with SQLi or LFI or RCE.
More Enumeration…
📌 OS: Debian Ubuntu
1. SSH
Possible User Enumeration.
2. HTTP
- Manual Testing (3-steps)
http://10.10.10.100/activate.php?x=test%40gmail.com&y=c0a4235e2ee6cff3a543dcfdfb6a3e2c
- Nikto Scan
http://ha.ckers.org/weird/rfi-locations.dat
- Gobuster
10.10.10.100/blog/comments.php?y=11&m=05&entry=entry110509-191340
Finding POI (Point Of Intrusion)
The blog version is Simple PHP Blog 0.4.0
Using Metasploit…
Got the reverse shell…
🤓
Privilege Escalation
Use the following to find the PHP/MySQL password:
- find / -type f -exec grep -ln "sql.connect" {} \; 2>/dev/null
- find / -type f -exec grep -l -n "DB_PASSWORD" {} \; 2>/dev/null
Credentials:
- Dan:c2c4b4e51d9e23c02c15702c136c3e950ba9a4af
After cracking the hash:
Dan:killerbeesareflying
However, that did not work with SSH.
Let’s try root:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
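The grep searches above pay off because the application keeps its database password in a PHP file that a low-privileged shell can read, and because it connects to MySQL as root. The script below is an added example, not part of the original walkthrough, that audits a web root for both conditions; the function names, file names and credential values in it are constructed for illustration.

```shell
#!/bin/sh
# audit_db_creds DIR
# Lists PHP files under DIR that hard-code a DB_PASSWORD constant and tags each:
#   world-readable  "other" read bit set, so any local account can read the secret
#   db-user-root    the application connects to the database as root
#   ok              neither condition applies
# Limitation: file names containing newlines are not handled.
audit_db_creds() {
    q="['\"]"    # either PHP quote character
    find "$1" -type f -name '*.php' \
        -exec grep -Eil "define[[:space:]]*\([[:space:]]*${q}DB_PASSWORD${q}" {} + 2>/dev/null |
    while IFS= read -r f; do
        flags=""
        # -perm -004 tests mode bits, so the result does not depend on who runs the audit
        [ -n "$(find "$f" -perm -004)" ] && flags="world-readable"
        db_user=$(grep -Ei "define[[:space:]]*\([[:space:]]*${q}DB_USER${q}" "$f" |
            head -n 1 |
            sed -E "s/.*${q}[[:space:]]*,[[:space:]]*${q}([^'\"]*)${q}.*/\1/")
        [ "$db_user" = "root" ] && flags="${flags:+$flags,}db-user-root"
        printf '%s\t%s\n' "$f" "${flags:-ok}"
    done
}

# Constructed sample tree (not taken from the target VM) exercising both findings.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/includes"
    printf "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'placeholder');\n" \
        > "$d/db_connect.php"
    printf "<?php\ndefine('DB_USER', 'blogapp');\ndefine('DB_PASSWORD', 'placeholder');\n" \
        > "$d/includes/config.php"
    printf "<?php echo 'no credentials here';\n" > "$d/index.php"
    chmod 644 "$d/db_connect.php" "$d/index.php"
    chmod 640 "$d/includes/config.php"
    # Strip the temporary prefix so the report shows paths relative to the web root.
    audit_db_creds "$d" | sed "s|^$d/||" | sort
    rm -rf "$d"
}

demo
```

A file tagged `world-readable` should be restricted to the web server's own account, and one tagged `db-user-root` should be given a dedicated database user with privileges limited to the application's schema.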