Overview
VulnOS2 is boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. Objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise.
Lab Setup:
- VMWare workstation for Virtual Machines
- Kali Linux VM in Bridge mode
- VulnOS2 in Bridge mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
Vulnerabilities Exploited:
Reconnaissance
#netdiscover
Target VM IP Address: 192.168.8.105
Scanning
nmap
Nmap findings:
- Target Box is Linux 3.X/4.X
- Secure Shell OpenSSH 6.6.1p1 is running on port 22
- Apache 2.4.7 is running on port 80
- Port 6667 is open, possible irc but no confirmation
Exploit path 1 for shell:
Website main page lead to page http://192.168.8.105/jabc/ and documentation link leads to /jabcd0cs/
http://192.168.8.105/jabcd0cs host OpenDocMan v1.2.7
“OpenDocMan v1.2.7” has several vulnerabilities including sql injection. An unauthenticated hacker can execute SQL queries of vulnerable server. Here is link to exploit.
I exploited sql injection with hackbar. Enumerated databases “jabcd0cs”, table “odm_user”, column “username”:”password”.
Dumping username:passwords
And found plain text password as webmin1980
Lets reuse webmin password over ssh. And guess what, we are in using webmin credentials.
breaking jail with python.
python -c “import pty; pty.spawn(‘/bin/bash’);”
Priv Escalation
# uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
Quick google search for “3.13.0 privilege escalation exploit” lead to overlayfs local privilege escalation exploit. This link to exploit
https://www.exploit-db.com/exploits/37292/
Congrats! We are root.
Conclusion:
This is great Boot2Root VM. Rooting this VM i learned and enjoyed a lot.
Zeeshan Sahi's blog 