VULNOS 2
- Layout for this exercise:

1 - INTRODUCTION
- The purpose of this exercise is to get a remote root shell and the flag.txt on the vulnerable machine VulnOS 2.
- The vulnerable machine VulnOS2 can be downloaded from here:
https://www.vulnhub.com/entry/vulnos-2,147/
- Once VulnOS 2 has been downloaded and extracted, it is opened with VirtualBox:

2 - ENUMERATION
- Discovering the IP 192.168.1.10 with netdiscover:


- Scanning all ports with Nmap:

- Browsing the web server:



- Viewing the source of the Documentation tab, there is a self-explanatory line:

- Going to the folder /jabcd0cs, we find that OpenDocMan v1.2.7 is used:

3 - EXPLOITATION
- OpenDocMan v1.2.7 is vulnerable to this exploit:

- Searching for the exploit on Kali:


- The text file 32075.txt contains some advisory details:


- Inserting the example above into a sqlmap command and adapting it to our needs, we are able to find 6 databases:


- Dumping all content of the database jabcd0cs, we find a couple of username/password MD5 hashes:


- Cracking the MD5 hashes with an online lookup service:
https://www.md5online.org/


- By the way, at the bottom of the web home page we can read this, which is obviously a hint for the password webmin1980:

- Connecting over SSH with the credentials webmin:webmin1980, a low-privilege shell is obtained:
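
- Added example, not part of the original walkthrough and not OpenDocMan code: the dumped passwords fell to a public lookup because they were stored as unsalted MD5. The sketch below shows why such records are exposed and one way an application can migrate them to a salted, slow KDF at login. The record format, function names, iteration count and account names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")  # shape of an unsalted MD5 record


def md5_record(password):
    """Legacy format: unsalted MD5, identical for every user of a password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Hardened format: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Constant-time check against either record format."""
    if LEGACY_MD5.match(record):
        return hmac.compare_digest(md5_record(password), record)
    _, iterations, salt_hex, _ = record.split("$")
    expected = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, record)


def verify_and_upgrade(password, record):
    """After a successful login, replace a legacy MD5 record with PBKDF2."""
    if not verify(password, record):
        return False, record
    if LEGACY_MD5.match(record):
        return True, pbkdf2_record(password)
    return True, record


if __name__ == "__main__":
    # Constructed rows: two accounts sharing the password shown on the page.
    rows = {"user_a": md5_record("webmin1980"), "user_b": md5_record("webmin1980")}
    print("legacy records identical:", rows["user_a"] == rows["user_b"])
    ok, rows["user_a"] = verify_and_upgrade("webmin1980", rows["user_a"])
    print("login ok:", ok, "| new scheme:", rows["user_a"].split("$")[0])
    print("still legacy:", [u for u, r in rows.items() if LEGACY_MD5.match(r)])
```

Accounts that never log in again keep their MD5 record, so the final listing is what drives a forced password reset.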

4 - PRIVILEGE ESCALATION
- Improving the shell:

- Checking Linux distro (Ubuntu 14.04) and kernel (3.13):


- Ubuntu 14.04 and kernel 3.13 are vulnerable to a Local Privilege Escalation exploit:
https://www.exploit-db.com/exploits/37292/

- Searching for the exploit on Kali:





- Setting up a simple HTTP server on port 8000:

- From VulnOS 2, downloading the exploit to folder /tmp:

- Compiling 37292.c:


- Running the exploit 37292, we finally get a remote root shell from VulnOS 2:

5 - CAPTURING THE FLAG
- The last step is just reading flag.txt:
