Vulnhub.com : VulnOS: 2 Walkthrough

nwrzd
9 min read · Oct 2, 2019


This is my write-up for VulnOs:2 at Vulnhub.com.

About vulnhub.com

Vulnhub is a community driven website which provides access to sparring environments for aspiring or seasoned security professionals. They have a huge collection of virtual machines and networks which can be downloaded to work on your offensive or defensive CyberSec skills.

About VulnOS:2 (Description from the site)

Link to VulnOS:2

VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills

  • This is version 2 - Smaller, less chaotic!

As time is not always on my side, it took a long time to create another VulnOS. But I like creating them. The image is built with VBOX. Unpack the file and add it to your virtualisation software.

Your assignment is to pentest a company website, get root of the system and read the final flag

NOTE: the current keyboard preference is BE. “pentesting is a wide concept”

If you have questions, feel free to contact me on m4db33f@gmail dot com. Shout out to the Vulnhub Testing team!

Hope you enjoy.

c4b3rw0lf is the author of this VM. He can be followed on Twitter here.

About: This Write-up

This walk-through provides mostly the success path that I took to complete this VM. It does not include the many, many failure paths which led me to frustrating dead-ends. It also does not include alternate ways to complete it, of which I am sure there are many.

Recommendation:

If you are starting out on your path to CyberSec learning, do not use this write-up to cheat yourself out of the invaluable exercise and skills of trying to find the solution on your own. Attempt the box on your own to start with. If you get stuck at any stage for more than a couple of hours (or days), refer to this guide just enough to get you through the section you are stuck at.

Disclaimer:

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion; I cannot be held responsible for any damages caused to any systems or to yourselves legally. Usage of the tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

My Lab Setup

I am running a Windows OS with Oracle VirtualBox installed. For this specific exercise, I have 2 virtual machines. The first is a Kali Linux VM allocated 4 GB of RAM, 3 vCPUs and a 25 GB HDD. The second is the virtual machine for VulnOS:2. I am using the default resource allocation defined in the OVA (which is 1 vCPU and 768 MB of RAM). I have created a host-only network with DHCP enabled and attached it to these VMs. I have further configured a firewall rule on my host machine to disallow any inbound or outbound traffic from this network. This is done to eliminate any noise from my host, and also to protect my host machine from the activities on these VMs. Begin by booting up both VMs.

For the sake of simplicity, from now on, I will be addressing the VulnOS:2 VM as the ‘target’.

Ground Rules

For the purposes of simulating a real-world scenario, the VulnOS:2 VM will not be accessed directly via its VM console, nor will its operation be interrupted using VirtualBox VM controls. The only way to access it will be from the attack platform, which in my case is the Kali Linux VM.

Reconnaissance

Network & Host
To begin with, I need to find the target’s IP address. The Kali VM’s IP address is 192.168.56.102. Running an nmap scan on the local subnet shows 4 devices on the network, including the Kali VM. 192.168.56.1 is the host machine and 192.168.56.100 is the VirtualBox DHCP server. The final IP address, 192.168.56.101, belongs to our target. The nmap scan also shows 3 open ports: 22 for SSH, 80 for HTTP and 6667 for IRC (or possibly any one of a huge list of threats). We see that all 3 ports are open and the target is possibly hosting a website/service.
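The scan above is the attacker's view; the defender's counterpart is to compare what a scan actually finds against what is supposed to be listening. The following is an added example, not code from the write-up or from nmap: it parses nmap's grepable (`-oG`) output format and flags open ports that an expected-service baseline does not list. The scan text is constructed to mirror the picture described above (four hosts up; 22, 80 and 6667 open on 192.168.56.101) and is not real output from the author's lab; the baseline dictionary is likewise a hypothetical inventory.

```python
"""Compare an nmap grepable (-oG) scan against an expected-service baseline.

Added example, not code from the write-up. SAMPLE_NMAP_GREPABLE is constructed
to match the host/port picture in the reconnaissance section; it is not a real capture.
"""
import re

SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.100 ()\tStatus: Up
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 6667/open/tcp//irc///\tIgnored State: closed (997)
Host: 192.168.56.102 ()\tStatus: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# One -oG port entry looks like  port/state/protocol/owner/service/rpcinfo/version/
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")


def hosts_up(text):
    """Return the IPs reported as up, in the order nmap listed them (no duplicates)."""
    seen = []
    for line in text.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            ip = line.split()[1]
            if ip not in seen:
                seen.append(ip)
    return seen


def parse_grepable(text):
    """Return {ip: {port: service}} for every port nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_part.split(","):
            m = PORT_FIELD.search(entry.strip())
            if m and m.group(2) == "open":
                hosts.setdefault(ip, {})[int(m.group(1))] = m.group(4)
    return hosts


def unexpected_ports(scan, baseline):
    """Open ports per host that the baseline ({ip: set(ports)}) does not allow."""
    findings = {}
    for ip, ports in scan.items():
        extra = set(ports) - baseline.get(ip, set())
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    # Hypothetical baseline: only SSH and the web server are supposed to be exposed.
    baseline = {"192.168.56.101": {22, 80}}
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    print("hosts up:", hosts_up(SAMPLE_NMAP_GREPABLE))
    print("open ports:", scan)
    print("unexpected:", unexpected_ports(scan, baseline))
```

Run against a real scan with `nmap -sV -oG scan.txt <subnet>` and feed the file contents to `parse_grepable`; the 6667/tcp listener in the sample is exactly the kind of finding that should trigger a "who put an IRC daemon on the web server?" question long before anyone else asks it.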

Website
To check the website hosted on the target, I fire up a browser, enter http:// followed by the IP address of the target and hit go. We are greeted with a static website with instructions to “pentest the company website”, which seems to be hosted on the same server, and to “Get root of the system and read the final flag”. A link to this website is also provided. On checking the source for this page, nothing of value was found.

Follow the red-link

Clicking on the website link, we reach a website which looks like a company website as per instruction.

I navigate through the 3 other menus, while also checking the source to find any hidden links or clues. The ‘About’ page seems to have stuff written in Latin. I didn’t bother to translate it.
The ‘JABS’ page seems to be an online store to purchase their ‘finest AI models’, each named after characters from the anime/manga series ‘Ghost in the Shell’. I could add these models to a cart, which is ‘hidden’.

The ‘Documentation’ page seems empty, but has a hidden message stating that the section is hidden for ‘security reasons’ and that, in order to view the product documentation, you should go to /jabcd0cs/ .

On navigating to the new url, we reach the login page of an open source document management system (DMS) named OpenDocMan.

I try to login using the guest/guest credentials as per instructions received earlier. I login successfully and see a list of documents. I check out each of the documents and find nothing of relevance, except that there exists another user registered in the DMS named min,web who is described as ‘laughing man’.

I navigate through all the available links within the web app. I try uploading a file, checking it out, checking it back in and then deleting it. I try creating a new user account, logging in with the new account and doing all of the above, in search of a clue. I found a profile page section for the user, where it would be possible to update the name, email, password, etc. One of the form fields includes a check-box to mark whether the user is an Admin or not. This was disabled, though. I tried editing the HTML form element in developer mode to enable the check-box, checked it and tried to submit.

Well, that didn’t work and I got redirected to an error page. I retried this using Burp Suite, replacing other parameters, all of which redirected me back to the error response.

I checked through the sources of each of the pages of the web app, and found nothing of value. I decided to search for a vulnerability/exploit based on OpenDocMan version 1.2.7. I found this entry at exploit-db.com (a great place to search for exploits/vulnerabilities). The entry details multiple vulnerabilities for the version, including an SQL injection vulnerability and another vulnerability where it would be possible to gain administrative access to the application at the point of sign-up.

I tried the url within the entry on the browser and it worked.

SQL Injection & Enumeration

Since SQL injection would work, I decided to use sqlmap to enumerate the database. To get a list of databases within this instance, I ran sqlmap with the URL I tested earlier as the parameter for the URL switch (-u), ‘add_value’ as the test parameter (-p), the ‘--dbs’ switch to enumerate the databases and ‘mysql’ as the parameter for the ‘--dbms’ switch (for some reason, without the dbms switch set the first time, sqlmap fails to run).

On completion, we get a list of databases that could be found on this instance. One of them is ‘jabcd0cs’.

With this, I reran sqlmap as before, this time to dump the entire database using the --dump switch and specifying the database to dump using the -D switch with jabcd0cs as the parameter.

The entire database content is dumped and displayed on the screen including the table odm_users which contains the list of users with username and password hashes (md5).
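The reason sqlmap can walk the whole database through one request parameter is that the parameter's text is spliced into the SQL statement, so a quote character in it changes the statement's structure instead of staying data. The following is an added example, not OpenDocMan's code and not the query it actually runs: it builds an in-memory SQLite table named after the `odm_users` table from the dump (rows and passwords are constructed), and puts a concatenated lookup beside its parameterized counterpart so the difference can be seen on the same probe input.

```python
"""String-built SQL beside a parameterized query. Added example, not the
application's code; the table name odm_users comes from the dump in the
write-up, the rows and the lookup function are constructed for illustration.
"""
import hashlib
import sqlite3


def make_db():
    """Throwaway users table: username plus an unsalted MD5 hash, as the dump showed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE odm_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    rows = [
        (name, hashlib.md5(pw.encode()).hexdigest())
        for name, pw in (("guest", "guest"), ("webmin", "constructed-password"))
    ]
    conn.executemany("INSERT INTO odm_users (username, password) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def lookup_vulnerable(conn, value):
    """Unsafe: the request parameter becomes part of the SQL text, so a quote in
    it closes the literal and whatever follows is parsed as SQL."""
    sql = f"SELECT username FROM odm_users WHERE username = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, value):
    """Safe: the value is bound to a placeholder and sent as data. The same input
    can only ever match a user whose name is literally that string."""
    sql = "SELECT username FROM odm_users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed tautology probe of the kind a scanner sends
    print("concatenated :", lookup_vulnerable(db, probe))  # every row comes back
    print("parameterized:", lookup_safe(db, probe))        # no row comes back
```

In the vulnerable function the probe turns the WHERE clause into `username = '' OR '1'='1'`, which is true for every row; in the parameterized function the database driver never parses the value, so the clause stays a comparison against one odd-looking string. The fix for a real application is the second shape for every query that touches user input, with the ORM or driver doing the binding.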

With this, I have identified that the admin username is webmin, and I also have the hash of webmin’s password. The MD5 algorithm isn’t reversible, but there are a lot of tools and services which hold a database of words with their associated hashes. I tried one such tool, findmyhash, which comes with Kali, without success. I tried a couple of sites online and was able to get a positive match on md5online.org.
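What md5online.org did for the author is a table lookup: an unsalted MD5 of a common password is the same everywhere, so it only has to be computed once. The following is an added example, not code from the write-up or from any of the services mentioned. It shows that lookup against a small constructed wordlist, and beside it the storage scheme that defeats it: a random per-user salt (so no precomputed table applies) and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the standard library, chosen here because it needs no third-party package; a memory-hard function would be the same shape). The password "webmin123" in the sample is constructed and is not the box's real one.

```python
"""Unsalted MD5 lookup versus a salted, slow password hash. Added example;
WORDLIST is a constructed stand-in for the online hash databases the write-up
mentions, and every password in it is made up.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "welcome1", "webmin123", "qwerty", "123456"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def build_md5_table(words):
    """hash -> word, computed once. Every unsalted MD5 ever stored is then a dict lookup."""
    return {md5_hex(w): w for w in words}


def lookup_md5(hash_hex, table):
    """Recover the password behind an unsalted MD5 hash, or None if it is not in the table."""
    return table.get(hash_hex.lower())


def hash_password(password, salt=None, iterations=600_000):
    """Store as PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The salt makes precomputed tables useless; the iteration count makes each
    guess cost real CPU time instead of one MD5 block."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked = md5_hex("webmin123")  # what a dump of an MD5-based users table hands over
    print("md5 lookup recovers:", lookup_md5(leaked, table))
    stored = hash_password("webmin123")
    print("salted record:", stored[:40], "...")
    print("same password again, different record:", hash_password("webmin123") != stored)
    print("verify correct:", verify_password("webmin123", stored))
```

Two of the same password hashed twice give two different records, which is the property the lookup sites depend on not having; the lookup still works against the MD5 table because nothing varies per user there.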

With the username and password, I was able to log in to OpenDocMan as the app admin. I wasted a lot of time trying to upload a PHP reverse shell script to gain shell access. I couldn’t find any way to get the PHP script executed from within the site. Then I remembered that the SSH port was open. I attempted and successfully logged in to the target as webmin.

Privilege Escalation

Now that I have shell access, I searched through the filesystem, services and cron jobs to see if there was anything I could use to get root.

There was a gzip archive right in the home directory of webmin. On extraction, I found that it was the package for hydra, which I could compile to maybe use to brute-force the root password. But then again, I could just use hydra from my kali machine. I started a hydra task of trying to brute-force the password for root via ssh on my kali vm (just in case). Besides this, I couldn’t find anything else on the target machine to help me gain root privilege.
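A hydra run against SSH is one of the noisiest things an attacker can do, and it leaves a very recognisable trail in the target's auth log. The following is an added example, not code from the write-up or from hydra: it parses sshd "Failed password" and "Accepted" lines, flags any source that produces a burst of failures inside a short window, and marks the more serious case where a successful login from the same source follows the burst. The log excerpt is constructed to look like the box during the hydra run described above, with a single later login as the author did via webmin; it is not a capture from the author's lab.

```python
"""Flag SSH password-guessing bursts in sshd auth log lines. Added example;
SAMPLE_AUTH_LOG is constructed, not a real capture from the VM.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Oct  2 10:15:01 vulnos sshd[1201]: Failed password for root from 192.168.56.102 port 40110 ssh2
Oct  2 10:15:02 vulnos sshd[1203]: Failed password for root from 192.168.56.102 port 40112 ssh2
Oct  2 10:15:02 vulnos sshd[1205]: Failed password for root from 192.168.56.102 port 40114 ssh2
Oct  2 10:15:03 vulnos sshd[1207]: Failed password for root from 192.168.56.102 port 40116 ssh2
Oct  2 10:15:03 vulnos sshd[1209]: Failed password for invalid user admin from 192.168.56.102 port 40118 ssh2
Oct  2 10:15:04 vulnos sshd[1211]: Failed password for root from 192.168.56.102 port 40120 ssh2
Oct  2 10:16:40 vulnos sshd[1250]: Accepted password for webmin from 192.168.56.102 port 40200 ssh2
Oct  2 11:02:11 vulnos sshd[1300]: Failed password for webmin from 192.168.56.1 port 51000 ssh2
"""

_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_events(text):
    """Return [(kind, timestamp, user, ip)] with kind 'fail' or 'ok'.
    Syslog lines carry no year, so timestamps are only meaningful relative to each other."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("fail", FAILED), ("ok", ACCEPTED)):
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                events.append((kind, ts, m.group("user"), m.group("ip")))
                break
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside `window_seconds`.
    Each finding records the failure count, the usernames tried, and whether a
    successful login from that source came after the burst."""
    fails, oks = defaultdict(list), defaultdict(list)
    for kind, ts, user, ip in events:
        (fails if kind == "fail" else oks)[ip].append((ts, user))

    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        burst_end = None
        for i in range(len(times) - threshold + 1):  # sliding window over sorted times
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                burst_end = times[i + threshold - 1]
                break
        if burst_end is None:
            continue
        findings[ip] = {
            "failures": len(attempts),
            "users": sorted({u for _, u in attempts}),
            "success_after_burst": any(t >= burst_end for t, _ in oks.get(ip, [])),
        }
    return findings


if __name__ == "__main__":
    for ip, info in brute_force_sources(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On a real host the input is `/var/log/auth.log` (or `journalctl -u ssh`), and the "success after burst" flag is what should page someone. The configuration counterpart is to stop the guessing from being possible in the first place: `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, with key-based login for the accounts that need shell access.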

I checked the version of the OS and kernel installed on the target. I find that it’s Ubuntu with kernel version 3.13.0.

I checked the exploit database as before for something I could use. I found an exploit which fit the bill. To read more about this vulnerability, see here.

To use this exploit, I created a C source file on the target, naming it ofs.c.

Once done, I compile the code and create an executable named ofs. I run the executable and I end up with a # prompt. I check my id; it shows that I am root. I navigate to the root folder, where I find the flag. I cat it out to receive a congratulatory greeting from the author of the box.

Judgement Day!

This ends the challenge. Thank you for reading this write-up. Stay tuned and follow me on Twitter to receive updates on more write-ups such as this.
