Penetration testing

Solving the VulnOS 2 Lab

Nikos Danopoulos
September 12, 2016 by
Nikos Danopoulos

Introduction

Solving laboratories is one of the best hacking practices. In a virtual machine, under a controlled environment, Penetration Testers and Security Researches can exercise their skills legally. Thanks to Vulnerable By Design ~ VulnHub, we can access an immense list of Vulnerable laboratories. One of the "must-be-solved" exercises is the VulnOS: 2 designed by c4b3rw0lf.

The scenario is very simple: perform a penetration test on a company's website, get root access and read the flag!

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Scanning and Exploitation

For this Lab, I have set my Network Settings to "Host Only" Adapter. The virtual machine's IPv4 address is 192.168.56.104.

So, let's initiate a port scan with Nmap. I used the following command which will perform a TCP SYN scan at the default ports and at the same time, it will find out the services running on its port.

From the output, we can see that the host is running three services, SSH, HTTP and IRC at ports 22, 80 and 6667.

By requesting the Web Server's page, we can see something like this.

The company website is located under 192.168.56.105/jabc/

What I did first was to run Dirbuster against the webpage, but no special results appeared. A further investigation to the company's website revealed a hidden text saying:

"Dear customer,

For security reasons, this section is hidden.

For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest

Thank you."

By acting as mentioned, I ended up on a page which looks like this.

On the bottom left corner, we can see that the document manager used the OpenDocMan of version: 1.2.7. By searching for vulnerabilities that apply to this version, I found out this one: OpenDocMan 1.2.7 - Multiple Vulnerabilities. Of course, the most interesting is the first one, the SQL Injection.

By using Sqlmap, I managed to retrieve the available databases.

$ sqlmap -u "192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --dbs

And the result:

The "jadc0ds" is the Database we want. I used the following command to list the Tables available:

$
sqlmap -u "192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs --tables

The most interesting Table is the "odm_user". With the following command, we will list its columns.

$ sqlmap -u "192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs -T odm_user --columns

Finally, we can run:

$ sqlmap -u "192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs -T odm_user -C username,password --dump

Which will give this output:

username

password

webmin

b78aae356709f8c31118ea613980954b

guest

084e0343a0486ff05530df6c705c8bb4 (guest)

We already know that the password for the guest account. I used Hashkiller - MD5 Decrypter to find out the plaintext password of the Webmin user. The result:

b78aae356709f8c31118ea613980954b MD5 : webmin1980

At this point, we can recall that previously we found an SSH Service running on the vulnerable server. Let's see if the Webmin username and password credentials will work there.

$ ssh webmin@192.168.56.104

By using webmin1980 as password, we can successfully get a shell on the host machine.

For our own help, let's use Python to access a pseudo-terminal. I used the following command:

$ python -c "import pty; pty.spawn('/bin/bash')"

You can learn more about the pty library here.

Privilege Escalation

Now that we have successfully accessed the machine let's see how we can perform privilege escalation to access the root account. The current user has no special rights.

I have covered the privilege escalation phase for this machine again at the "Privilege Escalation With Live Examples" article, but I will also go through it now.

What I did first was to see the system information such as the kernel version. I did this with:

$ uname -a

Moreover, I also checked the distribution information with:

$ lsb_release -a

One of the most popular Linux exploits for Privilege Escalation is the 'overlayfs' Privilege Escalation. We choose the one which matches our Linux Kernel version, and we attempt to run it against the vulnerable machine.

To do this, I used GCC. As we are not allowed to write files to the current directory, I moved to the /tmp directory to paste into a file the exploit.

$ cd /tmp

What I did next was to create a new file called "exploit.c" and with VIM, I pasted the code of the overlayfs exploit. Then, I used GCC to compile the code.

$ touch exploit.c

$ vim exploit.c

$ gcc exploit.c -o exploit

$ ./exploit

After the exploit execution, I was able to see something like this.

Finally, the Flag was located under /root/flag.txt !

Wow, we have successfully found the flag!

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Thank you for your time, I hope you enjoyed reading this article and solving the Laboratory as much as I did!

Nikos Danopoulos
Nikos Danopoulos

Nikos Danopoulos has worked as Junior IT Security Researcher at eLearnSecurity. Moreover he was contributed on several projects such as: HACKADEMIC - OWASP, Hack.me and more. You can contact him at danopoulosnikos@gmail.com or you can find him on Twitter: @nikosdanopoulos.