VulnOS2 is boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. Objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise.
- VMWare workstation for Virtual Machines
- Kali Linux VM in Bridge mode
- VulnOS2 in Bridge mode
- Kali Linux VM
Target VM IP Address: 192.168.8.105
- Target Box is Linux 3.X/4.X
- Secure Shell OpenSSH 6.6.1p1 is running on port 22
- Apache 2.4.7 is running on port 80
- Port 6667 is open, possible irc but no confirmation
Exploit path 1 for shell:
Website main page lead to page http://192.168.8.105/jabc/ and documentation link leads to /jabcd0cs/
http://192.168.8.105/jabcd0cs host OpenDocMan v1.2.7
“OpenDocMan v1.2.7” has several vulnerabilities including sql injection. An unauthenticated hacker can execute SQL queries of vulnerable server. Here is link to exploit.
I exploited sql injection with hackbar. Enumerated databases “jabcd0cs”, table “odm_user”, column “username”:”password”.
And found plain text password as webmin1980
Lets reuse webmin password over ssh. And guess what, we are in using webmin credentials.
breaking jail with python.
python -c “import pty; pty.spawn(‘/bin/bash’);”
# uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
Quick google search for “3.13.0 privilege escalation exploit” lead to overlayfs local privilege escalation exploit. This link to exploit
Congrats! We are root.
This is great Boot2Root VM. Rooting this VM i learned and enjoyed a lot.