The second version (and the latest) of pWnOS challenges.
Scanning
PORT STATE SERVICE VERSIONOK, as always let's try from web application.
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
OK, maybe let's try register us to the web application. DirBuster found also blog directory
Good, in the source code I have discovered that this is Simple PHP Blog 0.4.0 As far as I know, we can find effective exploit.
I have use exploit and I have change credentials for known for me to blog and I have logged in. So, I have uploaded PHP backdoor and execute it from images directory.
When I have got limited shell I found mysql connect PHP file, which contains valid credentials for root database. I have reused these credentials and I have got a root system.
Game over!
