Vulnhub virtual machine; OSCP prep box, a classic boot-to-root box where enumeration leads to a blog page that is susceptible to a pretty serious vulnerability, which gives us the foothold on the box. Priv-esc was tricky; in the end the simplest solutions are the hardest to figure out. A secondary priv-esc has been added.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/ File: pWnOS_v2.0.7z (Size: 286 MB) - Filetype: .vmdk (virtual hard drive)
Setup Note: make sure you put the VM on the 10.10.10.0/24 network.
Discover the VM on the network and ping it for connectivity:
Target: 10.10.10.100 - and we have successful connectivity
We are looking at an SSH server and an HTTP server.
Options:
- We can try to kick in the front door of SSH - unlikely.
- Navigate to the web server and investigate a way in.
Navigate to the web server:
Potential login and register page; also discovered a possible user.
Attempt SQLi with the email field and
' or 3=3 --
No-go for injection.
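The `' or 3=3 --` probe is worth spelling out, since it is the first thing the walkthrough throws at the login form. The Python below is an added example (not code from this post or from Simple PHP Blog) that builds the same login check two ways over an in-memory SQLite table with one constructed user: once by concatenating the form fields into the SQL string the way older PHP code did, and once by binding them as parameters. The user, password and table are constructed for the example; a real application would compare a password hash rather than a plaintext column.

```python
import sqlite3

# Constructed sample data (not from the target box): one registered user.
# Plaintext password kept only to keep the injection point visible.
SAMPLE_USERS = [("alice@example.test", "correct horse battery staple")]

# The probe used in the walkthrough.
SQLI_PROBE = "' or 3=3 --"


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, email, password):
    """Classic string concatenation. The quote in the probe closes the email
    literal, `or 3=3` makes the WHERE clause always true, and `--` comments
    out the password comparison entirely."""
    query = (
        "SELECT id FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, email, password):
    """Bound parameters: the driver passes the probe as data, so the string
    ' or 3=3 -- is compared against the email column and matches nothing."""
    query = "SELECT id FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


def demo():
    """Run the probe against both login checks and a valid login against the
    hardened one; returns a dict of outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, SQLI_PROBE, "anything"),
        "parameterized_bypassed": login_parameterized(conn, SQLI_PROBE, "anything"),
        "parameterized_valid": login_parameterized(conn, *SAMPLE_USERS[0]),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The "No-go" result on the box is consistent with the second function: when the query is parameterized, the probe is just an email address nobody registered.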
Register New User: Creating a user: [email protected] / password
Looks like we have to activate the user account.
Activated. Now let's attempt to log in and look for a way into the box.
Seems to hang at this point…
Confirmed we did not hang; we are just on a very uninteresting page.
Dirbuster - we need to find some new directories.
Well, we found a
web application identified as Simple PHP Blog 0.4.0.
Searching for vulnerabilities:
Both exploits jump off the page. Download locally with
Checking out the
syntax, we should attempt the option which should return the password file (hash):
It successfully gave us the password hash. Let's see what else this exploit can do.
We have successfully installed cmd.php on the web server.
We get a response of
www-data - Excellent.
Reverse the shell:
Set up a listener with Metasploit.
Tell the web server to fetch my reverse shell .php file.
Successful download. Now let's connect to the server.
Now let's move on to privilege escalation.
First we need to enumerate the box a bit with some scripts.
wget the files to the box
Uploaded successfully to
chmod them to 700
The scripts discovered a few priv-esc exploits:
mysqli_connect.php, which contains database credentials
/var and noticed another
Connect to the MySQL server:
Check for passwords:
Found hashes to crack.
I wanted to attempt the “udav” and MySQL privilege escalations, and while going down the udav road I was unsuccessful in escalating. When it came to the MySQL escalation I ran into some slight issues compiling, but was able to create the file locally and then send it to the box. Below you will see my solution via MySQL.
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
I downloaded it locally and began inspecting the source:
While attempting to compile raptor_udf2.so, it would not compile on the box, so I compiled it locally and sent it to the box.
After compiling locally and sending:
Log in to the MySQL server with the prior credentials.
Received an error that raptor_udf2.so did not exist at /usr/lib/raptor_udf2.so, so at this point I manually pushed the file to that directory.
Under the mysql table:
We have successfully added www-data to the /etc/sudoers file, so we can just run sudo bash to get a root shell.
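From the defender's side, this priv-esc leaves a trail inside the database itself: a new row in mysql.func pointing at a shared object that lives outside the server's plugin_dir, that the database account could write, and that is a known command-execution UDF. The Python below is an added audit example, not part of the walkthrough or of the exploit source. The plugin_dir value, the mysql.func rows and the file metadata are all constructed for the example; do_system is the function name raptor_udf2.c registers. On a live host the rows would come from `SELECT name, dl FROM mysql.func` and the file data from os.stat(), and the underlying fixes are the usual ones: mysqld not running as root, a root-owned plugin_dir with no write access for the mysql user, and no reusable credentials sitting in web-readable config files.

```python
import stat
from dataclasses import dataclass

# Assumed plugin_dir (what SHOW VARIABLES LIKE 'plugin_dir' would return on a
# hardened server); MySQL 5.1+ only loads UDF libraries from this directory.
PLUGIN_DIR = "/usr/lib/mysql/plugin"

# UDF names associated with OS command execution. do_system is the function
# raptor_udf2.c (exploit-db 1518) registers; the sys_* names belong to the
# lib_mysqludf_sys library.
COMMAND_EXEC_UDFS = {"do_system", "sys_exec", "sys_eval", "sys_get", "sys_set"}


@dataclass
class LibInfo:
    """Stand-in for os.stat() data on a UDF shared object (constructed here)."""
    path: str
    mode: int   # permission bits as found in st_mode
    owner: str


def find_library(dl, libs):
    """Locate the shared object named in mysql.func.dl among the known files."""
    for lib in libs:
        if lib.path.endswith("/" + dl):
            return lib
    return None


def audit_udfs(funcs, libs, plugin_dir=PLUGIN_DIR):
    """Return (udf_name, severity, reason) findings for the rows of mysql.func."""
    findings = []
    prefix = plugin_dir.rstrip("/") + "/"
    for name, dl in funcs:
        if name in COMMAND_EXEC_UDFS:
            findings.append((name, "high", "UDF name is a known OS command-execution function"))
        lib = find_library(dl, libs)
        if lib is None:
            findings.append((name, "high", f"library {dl} not found on disk"))
            continue
        if not lib.path.startswith(prefix):
            findings.append((name, "high", f"library {lib.path} lives outside plugin_dir {plugin_dir}"))
        if lib.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "high", f"library {lib.path} is group/world writable"))
        if lib.owner != "root":
            findings.append((name, "medium", f"library {lib.path} owned by {lib.owner}, not root"))
    return findings


# Constructed sample input: two rows as `SELECT name, dl FROM mysql.func`
# would list them, plus the matching files. The first mirrors the
# walkthrough's raptor_udf2.so dropped into /usr/lib by the database account;
# the second is a legitimately installed, root-owned plugin_dir library.
SAMPLE_FUNCS = [
    ("do_system", "raptor_udf2.so"),
    ("fuzzy_match", "libfuzzy.so"),
]
SAMPLE_LIBS = [
    LibInfo("/usr/lib/raptor_udf2.so", 0o666, "mysql"),
    LibInfo("/usr/lib/mysql/plugin/libfuzzy.so", 0o644, "root"),
]


def demo():
    """Audit the constructed sample; every finding should point at do_system."""
    return audit_udfs(SAMPLE_FUNCS, SAMPLE_LIBS)


if __name__ == "__main__":
    for udf, severity, reason in demo():
        print(f"[{severity}] {udf}: {reason}")
```

The check is deliberately conservative: a library that is merely outside plugin_dir is already worth a look on an older 5.0 server like this one, because that is exactly the configuration that let a file pushed into /usr/lib be loaded at all.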
The likelihood of passwords being reused always makes it an option: attempting SSH to root
with the two variants of the passwords is always worth a shot.
Bring me the root!