Tuesday, September 11, 2018

VulnOS 2



- Layout for this exercise:



1 - INTRODUCTION

- The purpose of this exercise is to get a remote root shell and the flag.txt on the vulnerable machine VulnOS 2.

- The vulnerable machine VulnOS2 can be downloaded from here:

https://www.vulnhub.com/entry/vulnos-2,147/


- Once VulnOS 2 has been downloaded and extracted with VirtualBox:




2 - ENUMERATION

- Discovering the IP 192.168.1.10 with netdiscover:






- Scanning all ports with Nmap:




- Browsing the web server:











- Viewing the source of the Documentation tab, there is a self-explanatory line:




- Going to the folder /jabcd0cs, we find that OpenDocMan v1.2.7 is used:





3 - EXPLOITATION

- OpenDocMan v1.2.7 is vulnerable to this exploit:




- Searching for the exploit on Kali:








- Reading the text file 32075.txt, there are some advisory details:






- Inserting the example above into a sqlmap command and adapting it to our needs, we are able to find 6 databases:






- Dumping all content of the database jabcd0cs, we find a couple of username/password MD5 hashes:






- Cracking the MD5 hashes with an online lookup service:


https://www.md5online.org/
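
Why an online lookup is enough here, and what the application should have stored instead, as an added example (not from the original post or from OpenDocMan's code). It assumes the dumped values are plain unsalted MD5 digests, as the successful lookup implies; the candidate list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a public precomputed table.
CANDIDATES = ["password", "letmein", "admin123", "webmin1980"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> password once; the table then applies to every user."""
    return {md5_hex(p): p for p in candidates}


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Hardened form: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    weak = md5_hex("webmin1980")
    print("unsalted MD5 :", weak, "->", table.get(weak))
    a, b = store_password("webmin1980"), store_password("webmin1980")
    # Same password, different salts: the stored values differ per user,
    # so no precomputed table of digests can match them.
    print("salted PBKDF2:", a["hash"].hex()[:16], "vs", b["hash"].hex()[:16])
    print("lookup hit   :", table.get(a["hash"].hex()))
    print("verify ok    :", verify_password("webmin1980", a))
```
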





- By the way, at the bottom of the web home page we can read this, which is obviously a hint for the password webmin1980:




- Connecting over SSH with the credentials webmin:webmin1980, a low-privilege shell is obtained:




4 - PRIVILEGE ESCALATION

- Improving the shell:



- Checking Linux distro (Ubuntu 14.04) and kernel (3.13):





- Ubuntu 14.04 and kernel 3.13 are vulnerable to a Local Privilege Escalation exploit:

https://www.exploit-db.com/exploits/37292/




- Searching for the exploit on Kali:




 






- Setting up a simple HTTP server on port 8000:



- From VulnOS 2, downloading the exploit to folder /tmp:



- Compiling 37292.c:





- Running the exploit 37292, finally we get a remote root shell from VulnOS 2:





5 - CAPTURING THE FLAG

- The last step is just reading flag.txt: