Saturday, October 22, 2011

[Learning] pWnOS v1



Links:
Watch the HD video online: http://vimeo.com/30946182


Description:
"pWnOS focuses more on exploitation. All of the exploits are found from milw0rm.com so you won't have to scour the Internet for some obscure exploit. There are a couple different paths to root...so if you get one you can keep working to figure out the other."
-- bond00

Attacker:
Backtrack 5 R2 [VM]
IP: 192.168.1.108

Victim:
pWnOS v1 [VM]
IP: 192.168.1.110


Vulnerability & Exploit:
1, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
3, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Attacking process:
1, Discover the vulnerable services: use Nmap to probe the open ports and services
nmap -sS -sV -O -A 192.168.1.110 -v
Found the following services:
[1] Webmin httpd       open on port 10000
[2] Debian OpenSSH     open on port 22

2, Exploit the vulnerable services:
[1] Exploit the Webmin service to get the password file "/etc/shadow", then find the users:
vmware
obama
osama
yomama
[2] Exploit the Webmin service to get the OpenSSH key files from the default path: "/home/$USER/.ssh/authorized_keys" (replace $USER with vmware, obama, osama and yomama)
[3] Exploit the Debian OpenSSH service to get into the victim server
[4] Use the vmsplice Local Root Exploit to get root privilege
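
On the defensive side, keys produced by the predictable Debian OpenSSL PRNG come from a small, predictable set, so an "authorized_keys" file can be audited by fingerprint against a list of known weak keys. The following is an added example, not part of the original post: the function names, the key blobs, the user names and the blocklist (a set of full MD5 fingerprints) are constructed stand-ins, not real weak-key data.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # key types this audit looks for

def make_blob(key_type, *fields):
    """Build a constructed SSH wire-format public key blob (sample data only)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))

def fingerprint(blob):
    """Legacy MD5 fingerprint (hex, no colons) of a public key blob."""
    return hashlib.md5(blob).hexdigest()

def parse_line(line):
    """Return (key_type, blob, comment), or None for blank, comment or invalid lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):  # skips a leading options field if present
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(parts[i + 2:])
    return None

def audit(text, blocklist):
    """Return [(line_no, comment, fingerprint)] for keys found in the blocklist."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and fingerprint(parsed[1]) in blocklist:
            hits.append((no, parsed[2], fingerprint(parsed[1])))
    return hits

WEAK = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xaa" * 32)  # constructed
GOOD = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xbb" * 32)  # constructed
BLOCKLIST = {fingerprint(WEAK)}  # assumption: stand-in for a real weak-key list
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@host",
    'from="10.0.0.5" ssh-rsa ' + base64.b64encode(WEAK).decode() + " bob@host",
])

if __name__ == "__main__":
    print(audit(SAMPLE, BLOCKLIST))
```

Any key the audit flags should be removed from "authorized_keys" and regenerated on a patched system.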


Reference:
[1] pWnOS download link (http://0dayclub.com/files/pWnOS%20v1.0.zip)
[2] g0tmi1k's Blog (http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html)
[3] pWnOS forum (http://forums.heorot.net/viewforum.php?f=21)


2 comments:

  1. What is password and login please

  2. Could you send me the ubuntuvm login password?