Rooting VulnOS 2 walkthrough

Overview

VulnOS2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting vulnerabilities that lead to full system compromise.

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • VulnOS2 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Vulnerabilities Exploited:

Reconnaissance

#netdiscover

Target VM IP Address: 192.168.8.105

Scanning

nmap

Nmap findings:

  • Target Box is Linux 3.X/4.X
  • Secure Shell OpenSSH 6.6.1p1 is running on port 22
  • Apache 2.4.7 is running on port 80
  • Port 6667 is open, possibly IRC but not confirmed

Exploit path 1 for shell:

The website's main page leads to http://192.168.8.105/jabc/, and the documentation link there leads to /jabcd0cs/.

http://192.168.8.105/jabcd0cs hosts OpenDocMan v1.2.7.

“OpenDocMan v1.2.7” has several vulnerabilities, including SQL injection. An unauthenticated hacker can execute SQL queries on the vulnerable server. Here is the link to the exploit.

I exploited the SQL injection with HackBar. Enumerated database “jabcd0cs”, table “odm_user”, columns “username”:“password”.

Dumping username:passwords

And found the plain-text password: webmin1980

Let's reuse the webmin password over SSH. And guess what, we are in using the webmin credentials.
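Seen from the defender's side, the chain above (SQL injection against the web app, then an SSH login with the dumped password) leaves traces in two different logs. The following is an added example, not part of the original walkthrough, that correlates them. The log lines, the source IPs, the `page.php` endpoint name and the keyword list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample logs (not captured from the VM); page.php is a placeholder endpoint.
ACCESS_LOG = """\
192.168.8.104 - - [10/May/2016:10:01:12 +0000] "GET /jabcd0cs/page.php?id=1%20UNION%20SELECT%20username,password%20FROM%20odm_user HTTP/1.1" 200 512
192.168.8.110 - - [10/May/2016:10:02:00 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048
"""
AUTH_LOG = """\
May 10 10:09:40 VulnOSv2 sshd[1201]: Accepted password for webmin from 192.168.8.104 port 51514 ssh2
May 10 10:11:02 VulnOSv2 sshd[1215]: Accepted password for admin from 192.168.8.110 port 40022 ssh2
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
SSH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
# Illustrative keyword list only; a production rule set would be broader.
SQLI_RE = re.compile(r"union\s+(all\s+)?select|information_schema|concat\s*\(|sleep\s*\(", re.I)

def sqli_sources(access_log):
    """Map source IP -> time of its first request whose decoded query looks like SQLi."""
    hits = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, url = m.groups()
        query = unquote_plus(url.partition("?")[2])  # decode %20 and + before matching
        if SQLI_RE.search(query):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            hits.setdefault(ip, when)
    return hits

def correlated_logins(access_log, auth_log, year, window=timedelta(hours=1)):
    """SSH logins from an IP that sent SQLi-like requests within `window` beforehand.
    Assumes both logs use the same timezone; syslog lines carry no year, so it is passed in."""
    hits, alerts = sqli_sources(access_log), []
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        ts, user, ip = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        first = hits.get(ip)
        if first is not None and timedelta(0) <= when - first <= window:
            alerts.append((ip, user, when - first))
    return alerts

if __name__ == "__main__":
    for ip, user, delay in correlated_logins(ACCESS_LOG, AUTH_LOG, 2016):
        print(f"ALERT: {ip} logged in over SSH as {user} {delay} after SQLi-like requests")
```

The second login in the sample is not flagged because its source never sent an injection-like request, which keeps ordinary SSH use out of the alert.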

Breaking jail with Python.

python -c "import pty; pty.spawn('/bin/bash');"

Privilege Escalation

# uname -a

Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

A quick Google search for “3.13.0 privilege escalation exploit” leads to the overlayfs local privilege escalation exploit. This is the link to the exploit:

https://www.exploit-db.com/exploits/37292/

Congrats! We are root.

Conclusion:

This is a great Boot2Root VM. Rooting this VM, I learned and enjoyed a lot.
