Tuesday, 9 August 2016

pWnOS 1

"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."


Good, let's start from 80 HTTP and then 10000 HTTP.
Default web page looks as below

OK, so let's click on Next button.

Hmmm, I don't know what is it, but it is some kind of help page. Let's run DirBuster.

I was trying log in to the phpmyadmin panel using default credentials but without success.
Let's try do something with 10000 http.

I was trying also log in using default credentials - without success as well. We know that Webmin has assigned several known exploits, so let's try use some of it.
BINGO! I have found CVE 2017.

There is now ass lines of /etc/passwd file. Let's try display /etc/shadow file.

Awesome! We can run John the Ripper now! Unfortunately it consumes a lot of time - too lot for me.
I haven't idea, so I decided to perform some research about version of OpenSSH and I saw (unfortunately part of other solution) that it is vulnerable to CVE 2008-0166.

Great! So, we have to find some way to escalate our privileges. I have found effective exlpoit and...

Game over!

Second attack scenario.
We can also get limited shell via Samba. So, we have to read /etc/samba/passdb.tdb and decrypt password for vmware username. After that we will 
be able to crack the password (we will get h4ckm3). So, now we can log in to the //UBUNTUVM/home directory using samba and get from home directory SSH public key.