Wednesday, 10 August 2016

pWnOS v2

The second version (and the latest) of pWnOS challenges.

22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
OK, as always let's try from web application.

OK, maybe let's try register us to the web application. DirBuster found also blog directory

Good, in the source code I have discovered that this is Simple PHP Blog 0.4.0  As far as I know, we can find effective exploit.
I have use exploit and I have change credentials for known for me to blog and I have logged in. So, I have uploaded PHP backdoor and execute it from images directory.
When I have got limited shell I found mysql connect PHP file, which contains valid credentials for root database. I have reused these credentials and I have got a root system.

Game over!