Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

VulnOSv2

This is another boot2root from my OSCP list hosted by vulnhub.com and TryHackMe.com.
The challenge is as follows: “Your assignment is to pentest a company website, get root of the system and read the final flag”
So let’s get cracking.

Converting

This VM was created in VirtualBox and exported as a .vdi disk image.
I use VMware, and VMware doesn't work with vdi files. So what to do, besides installing VirtualBox?

Here is how:

First, I download a tool called qemu-img.

Then I download the VM from vulnhub.com and extract the 7z file.

When that is done, run the following command to convert the vdi file to a vmdk file:

And there you have it. Now you can create a new VM in VMware and replace the HDD with this vmdk.

Ok, now that this VM runs in VMware I can start.

Recon

Starting with an nmap scan.

Nmap found the following ports/services:

  • SSH server running on port 22, version 6.6.1p1
  • Apache HTTP server, version 2.4.7
  • IRC server

Nmap also thinks it runs on Ubuntu.

SSH ~ first try

There are newer versions, but this one doesn’t look like it’s vulnerable.

Also, there is no banner, which sometimes gives useful information.

HTTP

When browsing to the IP address I get the same information as in the description on vulnhub.com.
There is also a link to the main webpage of the mentioned company.

At the bottom of the page there is a footer: 2019 © Vulnerable since 1980
That's a nice statement, and it also led me to believe the IRC server is the real culprit here…..but first things first.
Also, the favicon is that of Drupal. Maybe there is a login page and it's more than just a static site.

On the Documentation page there is a nifty piece of security.

Looks like there is nothing…..but then

Like I said….nifty security. Of course this text is visible in the source code, but this was more fun to show.
So let’s take a look at /jabcd0cs/

When visiting this page I get a login form and a software name + version: OpenDocMan v1.2.7

The vulnerabilities are:

  • SQL Injection
  • Improper Access Control

I try the SQL injection first. The vulnerability exists in the improper validation of the add_value parameter.

With Burp I captured the HTTP request so I can run it through sqlmap.

When injecting the URL parameter I can retrieve the current user on which this program runs.

In other words, this software runs as root on the local system. Never a good idea, because once you compromise the program, you compromise the system immediately at root level.
For now I would like to get the username/password table. For this task I use sqlmap.

After it ran, I had the usernames from the jabcd0cs database.

The passwords were stored as hashes, and only 2 of them had a known plaintext value.
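To show why a single unvalidated parameter is enough to hand a tool like sqlmap the whole user table, here is an added illustration (not OpenDocMan's code, and not data from the VM): a lookup built by string interpolation beside the same lookup with input validation and a bound parameter. The table names, columns, rows and the `add_value` probe are constructed for the demonstration.

```python
import sqlite3

# Constructed, in-memory stand-in for the application's database. Schema and
# rows are made up for this illustration; they are not OpenDocMan's schema
# and not data taken from the target VM.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "webmin", "<hash-placeholder-1>"),
                      (2, "guest", "<hash-placeholder-2>")])
    conn.execute("CREATE TABLE settings (id INTEGER, value TEXT)")
    conn.execute("INSERT INTO settings VALUES (1, 'default')")
    return conn

def lookup_vulnerable(conn, add_value):
    """Builds the query by string interpolation: the parameter becomes SQL."""
    sql = f"SELECT value FROM settings WHERE id = {add_value}"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn, add_value):
    """Rejects anything that is not a plain integer, then binds the value as a
    query parameter so the database never parses it as SQL."""
    if not isinstance(add_value, str) or not add_value.isdigit():
        raise ValueError("add_value must be a positive integer")
    sql = "SELECT value FROM settings WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(add_value),))]

# Constructed probe of the kind an automated scanner sends: it completes the
# WHERE clause and appends a UNION that reads rows from an unrelated table.
PROBE = "1 UNION SELECT username || ':' || pwhash FROM users"

def demo():
    """Returns what the vulnerable lookup leaks and whether the hardened one
    rejected the same input."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PROBE)
    try:
        lookup_hardened(conn, PROBE)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup returned:", leaked)
    print("hardened lookup rejected the input:", blocked)
```

The vulnerable lookup returns the settings row plus every `username:hash` pair, which is exactly the kind of dump the sqlmap run above produced; the hardened version never lets the value reach the SQL parser.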

There is a nice python script, which can be found on github, that can help you when you’re stuck with a hash.

And there is the joke of the footer found earlier.

SSH ~ second try

Now for some system recon.

In the user's home folder there is a tarball. To get it onto my system I run a Python HTTP server (as Python is installed on this system),
then collect the file by curling it and piping it straight into tar to extract the contents.

It looks like the files needed to run hydra. Not very useful at the moment.
To scan the system faster I use a recon bash script called LinEnum.

Looks like an old kernel which probably has some vulnerabilities.

Because of the kernel version and the OS being Ubuntu, there is a good chance the overlayfs exploit applies.
To exploit it I copy 37292.c to the remote system and compile it.

After compiling and running the program, my privileges are escalated to root. Now for the flag.

Conclusion

This was a fun challenge to try.
I don't have any more challenges from the VulnOS series on my list, but I think I'll definitely give another one a shot.
