Hack the pWnOS-1.0 (Boot To Root)
Hey folks, Ashish this side. Today we are going to solve another CTF challenge, “pWnOS-1.0”, from the VulnHub labs. This challenge is not too tough; its difficulty is described as beginner/intermediate. You can download it from here: https://www.vulnhub.com/entry/pwnos-10,33/
Our goal is to gain root access to the machine.
*Vulnerabilities:
- Arbitrary File Disclosure: a flaw that lets an attacker retrieve files of their choosing from a system, including files that should be protected (here, the web service is used to read /etc/passwd and /etc/shadow).
- Privilege Escalation: the act of exploiting a bug in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
- Weak Credentials: a weak password is one that can be guessed rapidly by a brute-force attack using a subset of all possible passwords.
*Penetration Methodologies:
- Network Scanning (Nmap)
- Exploiting web application (Metasploit)
- Extracting arbitrary file
- Cracking password hashes (John the ripper)
- Spawning TTY shell (via SSH login)
- Kernel Privilege Escalation
Let’s get started!
We will perform a local scan to discover machines on our local network:
arp-scan -l
The IP of the target machine is 192.168.95.130.
Let’s enumerate the open ports to discover the running services, so we run nmap against the target machine:
nmap -A 192.168.95.130
From the result, we can see that the machine has port 22 (ssh), port 80 (http), and port 10000 (Webmin) open.
Now, we will check in Metasploit for the available Webmin exploit.
An exploit is found. We will use it to fetch the /etc/passwd and /etc/shadow files from the target machine.
use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set rhost 192.168.95.130
msf auxiliary(file_disclosure) > exploit
As you can observe, we have fetched the usernames present on the victim’s system.
msf auxiliary(file_disclosure) > set rpath /etc/shadow
msf auxiliary(file_disclosure) > exploit
As you can observe, we have also fetched the shadow file of the victim’s system, which holds the password hashes.
Now, we will merge passwd.txt and shadow.txt into a format that John the Ripper can understand.
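From the defender’s side, the file-disclosure step above leaves a clear trace in the web server’s access log: requests whose decoded path climbs out of the document root or names system files such as /etc/passwd or /etc/shadow. The following script is an added example, not code from the original post or from Webmin/Metasploit; it parses constructed combined-format log lines (the sample lines, the regex and the function names are all assumptions for this example), normalizes the request path (URL-decoding repeatedly to catch double encoding and dropping control bytes), and flags both traversal and sensitive-file requests.

```python
"""Flag arbitrary-file-disclosure attempts in web server access logs.

Added example (not from the original post). Input is a constructed
list of combined-log-format lines; no real server log is read.
"""
import re
from urllib.parse import unquote

# Files whose appearance in a request path is almost always an attack.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group")

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: two benign requests, two disclosure attempts.
SAMPLE_LOG = [
    '192.168.95.1 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.168.95.1 - - [10/Oct/2023:10:00:02 +0000] "GET /docs/../index.html HTTP/1.1" 200 300',
    '192.168.95.1 - - [10/Oct/2023:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 900',
    '192.168.95.1 - - [10/Oct/2023:10:00:04 +0000] "GET /images/%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
]


def normalize_path(raw_path):
    """Drop the query string, URL-decode until stable, strip control bytes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded: catches double/triple encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Control bytes inserted between path characters are a known evasion;
    # removing them lets the '..' check below see the intended path.
    return re.sub(r"[\x00-\x1f]", "", path)


def is_traversal(path):
    """True if the path climbs above its root at any point."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    reasons = []
    if is_traversal(path):
        reasons.append("path traversal")
    if any(f in path for f in SENSITIVE_FILES):
        reasons.append("sensitive file requested")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": path,
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Run classify() over every line and keep the findings."""
    return [hit for hit in (classify(ln) for ln in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], ", ".join(hit["reasons"]))
```

Note that the fourth sample line never leaves the document root after normalization, so the traversal check alone would miss it; the sensitive-file check is what catches a request whose only goal is to read /etc/passwd. A status of 200 on such a request is the signal that the disclosure actually succeeded.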
Let’s crack the password hash present in the hash.txt file using John.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
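The reason the hash cracks so quickly is a weak password stored with a legacy hash. A defender can audit for exactly that condition before an attacker does. The script below is an added example, not code from the original post or from John the Ripper; it reads constructed /etc/passwd and /etc/shadow style text (the user names, hash strings and thresholds are assumptions made up for this example, with no real hashes) and reports empty passwords, legacy hash algorithms on interactive accounts, and extra UID 0 accounts.

```python
"""Audit passwd/shadow entries for weak-credential risk.

Added example (not from the original post). The PASSWD and SHADOW
strings below are constructed sample data, not a real system's files.
"""
import re

# crypt(3) hash prefixes and how a defender should rate them.
HASH_STRENGTH = {
    "$1$": "weak (MD5-crypt)",
    "$5$": "ok (SHA-256-crypt)",
    "$6$": "ok (SHA-512-crypt)",
    "$y$": "good (yescrypt)",
    "$2b$": "good (bcrypt)",
}

# Shells that do not grant an interactive login.
NON_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

# Constructed sample input (hash bodies are placeholders, not real digests).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
vmware:x:1000:1000:VMware,,,:/home/vmware:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1001:1001:,,,:/home/alice:/bin/bash
toor:x:0:0:,,,:/root:/bin/bash
"""
SHADOW = """root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
vmware:$1$constructed$notarealhash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:$y$constructed$notarealhash:19000:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Split colon-separated lines, skipping comments and short rows."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= nfields:
            rows.append(fields)
    return rows


def rate_hash(h):
    """Rate a shadow password field; None means the account is locked."""
    if h == "":
        return "EMPTY password: login without a password"
    if h == "*" or h.startswith("!"):
        return None  # no password login possible
    for prefix, rating in HASH_STRENGTH.items():
        if h.startswith(prefix):
            return rating
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "weak (traditional DES crypt)"
    return "unknown hash format"


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs worth a defender's attention."""
    findings = []
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text, 2)}
    for row in parse_colon_file(passwd_text, 7):
        user, _, uid, _, _, _, shell = row[:7]
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 account other than root"))
        rating = rate_hash(shadow.get(user, "*"))
        interactive = shell not in NON_LOGIN_SHELLS
        if rating and interactive and rating.split(" ")[0] in ("weak", "EMPTY", "unknown"):
            findings.append((user, rating))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW):
        print(f"{user}: {finding}")
```

Moving interactive accounts from MD5-crypt to SHA-512-crypt or yescrypt (by re-setting the password under a current login.defs ENCRYPT_METHOD) does not fix a weak password by itself, but it raises the cost of the wordlist run shown above by orders of magnitude.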
The password for the vmware user has been cracked. We will use it to SSH into the machine (the +ssh-dss option is needed because the target’s host key uses DSA, which current OpenSSH clients disable by default):
ssh -oHostKeyAlgorithms=+ssh-dss vmware@192.168.95.130
password: h4ckm3
Now we are in the machine and will perform privilege escalation to gain root access.
The following exploit will be used to gain root access:
https://www.exploit-db.com/exploits/5092
Download the exploit and send it over to the target machine.
Compile the code and run it:
gcc 5092.c -o exploit
./exploit
Booommm! Here we have Root access.
If you got root and this blog was helpful consider following me and a clap would really motivate me to write more such blogs.
Now you know what to do, try it yourself and let me know whether you pwned the system or not.
Keep coming back for more.
Happy Hacking!!!