VULNOS 1
- Layout for this exercise:
1 - INTRODUCTION
- The purpose of this exercise is the study of the hacking process for the vulnerable machine VulnOS 1.
- VulnOS 1 can be downloaded from here:
https://www.vulnhub.com/entry/vulnos-1,60/
- Once VulnOS 1 has been downloaded, extracted and imported into VirtualBox:
- In this vulnerable machine the number of potential vulnerabilities is very large, because there are many open ports with their corresponding services running.
- According to the author's suggestion all the vulnerabilities should be found.
- However, in this exercise we have limited ourselves to obtaining a root shell and eventually capturing the flag, exploiting just the minimum number of vulnerabilities needed to achieve that goal.
2 - ENUMERATION
- Discovering the IP with netdiscover, we learn that VulnOS 1 has been assigned 192.168.1.11:
- Scanning with Nmap reveals the large number of services running:
- Browsing the web:
- dirb helps to discover some of the available folders:
3 - PHPMYADMIN
- Let's go first with phpmyadmin, whose default login is root with a blank password.
- However these credentials don't work in our case, probably because of the configuration:
- Using Medusa to find a valid password for username root:
- Medusa discovers root:toor, let's check whether it is correct:
- Yes, Medusa was right:
- Now, the first thing to notice is the great amount of available databases, each one with its corresponding list of usernames and password hashes.
- Let's go through the main databases one by one.
- dolibarr:
- drupal6:
- dvwa (interesting):
- mysql:
- nowasp:
- weberp:
- CrackStation helps to crack most of the hashes:
https://crackstation.net/
- Gathering all these credentials we create two text files:
- users.txt: containing all the usernames and logins
- passwords.txt: containing all the cracked passwords
4 - EXPLOITING WEBADMIN
- Now, let's focus our attention on port 10000:
- MiniServ 0.01 has several associated exploits, for instance this Perl script that allows File Disclosure:
- Locating exploit 2017 on Kali:
- As expected, it is an executable Perl script:
- Opening the script, there is a usage example line:
- Also, running the script without arguments we can learn how to use it:
- For instance let's use the script 2017.pl to read remotely /etc/sudoers available at VulnOS 1:
- Later (point 6.2 of this exercise) this Perl script will be used to obtain essential password information for relevant users.
5 - EXPLOITING DVWA
- DVWA is the well-known Damn Vulnerable Web Application, basically a web application that is vulnerable on purpose:
http://www.dvwa.co.uk/
- The fact that DVWA is present on VulnOS 1 is an invaluable gift, because it provides us with a lot of potential ways of exploiting the vulnerable machine.
- As seen before the valid credentials for DVWA are admin:password:
- Some of the recently released versions of DVWA are 1.9, 1.0.8, 1.0.7, etc ...
- Trying all of them, finally we have access to the DVWA web server:
- Let's notice that the default Security Level is set to high:
- Lowering it to low:
- Taking advantage of the Command Execution vulnerability let's try to submit this PHP script:
- Before that, don't forget to set a Netcat listener at port 4444:
- Now, submitting the script:
- As a consequence a low privilege shell is successfully achieved:
- Improving the shell:
6 - PRIVILEGE ESCALATION
6.1 - HTPASSWD
- htpasswd is used to create and update the flat files that store usernames and passwords for basic authentication of HTTP users.
- Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd.
- htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine.
https://httpd.apache.org/docs/2.4/programs/htpasswd.html
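As an added example (not part of the original write-up), here is a small defender-side audit of an htpasswd file: it recognises the four schemes listed above by their prefixes and flags every entry that is not bcrypt, so weak SHA1, APR1-MD5 and crypt() entries can be found and rehashed. The sample file is constructed for illustration and is not taken from VulnOS 1.

```python
import re

# Constructed sample htpasswd file (not the one found on VulnOS 1): one entry per
# scheme that the htpasswd utility can emit, plus a malformed line and a comment.
SAMPLE_HTPASSWD = """\
# comment line
alice:$2y$05$abcdefghijklmnopqrstuuVq7XmBzQhB0XqOY5Nr2eqYgbCcuMXiy
bob:$apr1$rG3qs4Ow$yS3i6GWfkLWyWQbTt2nKy0
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:dXlq3KTvjYf7E
eve
"""

# Only bcrypt is considered acceptable; the other schemes are fast to brute-force.
SCHEME_RISK = {"bcrypt": "ok", "apr1-md5": "weak", "sha1": "weak", "crypt": "weak"}

def classify_hash(h):
    """Return the htpasswd scheme name for one stored password field."""
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "apr1-md5"          # Apache's modified MD5
    if h.startswith("{SHA}"):
        return "sha1"              # base64 of raw SHA1, no salt
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"             # traditional DES crypt(): 2-char salt + 11 chars
    return "unknown"

def audit_htpasswd(text):
    """Yield (line number, user, scheme, risk) for every entry in the file."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                              # blank lines and comments
        if ":" not in line:
            results.append((lineno, None, "malformed", "error"))
            continue
        user, h = line.split(":", 1)              # password field may contain ':'? no, but '$'
        scheme = classify_hash(h)
        results.append((lineno, user, scheme, SCHEME_RISK.get(scheme, "error")))
    return results

def weak_users(text):
    """Usernames whose entry should be rehashed with bcrypt (weak or unrecognised)."""
    return [u for _, u, _, risk in audit_htpasswd(text) if u and risk != "ok"]

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE_HTPASSWD):
        print(row)
```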
- Let's try to find any htpasswd file across VulnOS 1:
- Reading the file:
- Also, looking for htpasswd.users:
- John The Ripper helps to crack the second password:
- However this path does not lead us to anything, let's try another way.
6.2 - vulnosadmin
- Let's focus our attention on the interesting user vulnosadmin:
- Going to his home directory we find that vulnosadmin has been a successful sudoer in the past:
- Now, taking advantage of the webmin exploit at port 10000 used at point 4 of this exercise, we can get both /etc/passwd and /etc/shadow for vulnosadmin:
- Copying output to files a and b:
- Preparing the password hashes with the unshadow command:
- Applying John The Ripper over file u:
- Finally we have been able to crack the vulnosadmin user's password.
6.3 - SSH
- Using our lists from point 3 users.txt and passwords.txt (where canuhackme has been added) Medusa finds the right credentials for SSH remote shell connection:
- Now, entering the SSH credentials vulnosadmin:canuhackme, let's connect to VulnOS 1:
- The good news is that vulnosadmin is an (ALL) ALL sudoer:
- Changing the password for user root:
- Finally a root shell is successfully achieved:
- Also this would be equally valid:
7 - CAPTURING THE FLAG
- Reading hello.txt: