VulnHub — PwnOS:2.0

Raj Singh
2 min read · Oct 4, 2019

Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
MAC Address: 08:00:27:C7:DD:12 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32–2.6.39
Uptime guess: 497.100 days (since Fri May 25 06:00:33 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 10.10.10.100

Port 80 serves HTTP, and visiting it shows only a welcome page, so let's start enumerating with dirsearch.

We found a /blog directory, and recursive brute-forcing on /blog turned up something useful at /blog/docs, where we found that the version of Simple PHP Blog is 0.4.0.

There is an exploit for Simple PHP Blog 0.4.0 on Exploit-DB at https://www.exploit-db.com/exploits/1191. It is a Perl script that bundles exploits for multiple vulnerabilities.

So we used the exploit as

perl 1191.pl -h http://10.10.10.100/blog -U raj -P raj

Here it creates a new login user, and under the MENU option we found an image upload option, where we are going to upload a PHP reverse shell.

This creates a new login user in the blog directory. After logging in we found the image upload, uploaded our PHP reverse shell, and then called the reverse shell PHP file from the uploads directory, which gave us a reverse shell on our nc listener as the www-data user.

POST ENUMERATION

We found the file /var/mysqli_connect.php, which contains the password for the MySQL root user. When we tried to connect over SSH with the same password we got from the mysqli file, we got root access over SSH.
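The finding above, seen from the defender's side, as an added example that is not part of the original write-up: a small audit that walks a directory tree and flags PHP files carrying literal database credentials, an application connecting as MySQL root, and world-readable permissions on such files. The helper names (audit_php_file, audit_tree, demo) and the sample file contents are assumptions made for this example; the page does not show what the real file contains.

```python
import os
import re
import stat
import tempfile

# Added example, illustrative helper names. Literal args: mysqli_connect('h', 'u', 'p')
CALL_RE = re.compile(r"mysqli_connect\s*\(\s*(['\"])[^'\"]*\1\s*,\s*(['\"])"
                     r"(?P<user>[^'\"]*)\2\s*,\s*(['\"])(?P<pw>[^'\"]+)\4")
# Credential constants: define('DB_PASSWORD', 'secret')
DEFINE_RE = re.compile(r"define\s*\(\s*['\"](?P<name>\w*(?:USER|PASS\w*))['\"]"
                       r"\s*,\s*(['\"])(?P<val>[^'\"]*)\2", re.I)

# Constructed sample; the page does not show the real file's contents.
SAMPLE = """<?php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'example-password');
$dbc = @mysqli_connect('localhost', DB_USER, DB_PASSWORD);
"""

def audit_php_file(path):
    """Return findings for hard-coded DB credentials in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    consts = {m["name"].upper(): m["val"] for m in DEFINE_RE.finditer(src)}
    users = [m["user"] for m in CALL_RE.finditer(src)]
    findings = ["literal password in mysqli_connect()"] if users else []
    if any("PASS" in n and v for n, v in consts.items()):
        findings.append("literal password in define()")
    users += [v for n, v in consts.items() if "USER" in n]
    if findings and "root" in users:
        findings.append("application connects as MySQL root")
    if findings and os.stat(path).st_mode & stat.S_IROTH:
        findings.append("file is world-readable")
    return findings

def audit_tree(root):
    """Map each .php file under root that has findings to its findings."""
    paths = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".php"))
    return {p: hits for p in paths if (hits := audit_php_file(p))}

def demo():  # audits the constructed SAMPLE inside a temporary directory
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mysqli_connect.php")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_tree(d)[path]

if __name__ == "__main__":
    print(demo())
```

The patterns are heuristics for the two common ways of writing credentials into a PHP connect script. Any file that is flagged points to a password that should be rotated and must not be shared with a system account, which is the reuse that gave root over SSH here.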

>>>>>>>>>>>>>>>COWABUNGA<<<<<<<<<<<<<<<

Written by Raj Singh

Security Researcher, Product Security Engineer
