Friday, 3 June 2016

VulnOS v2 challenge

Hello all,
Today I would like to present VulnOS challenge walkthrough. I hope that all what will be done is clear for you :-)
So, let's get started.

OK, so our target is (our target is set up as a host-only in Virtual Box).

Good, now we can see 22 (SSH), 80 (Web application) and 6667 (IRC) ports. I prefer begin from Web Application as always.

OK, so we can see link website. I think that good idea will be run drib at the meantime.
Dirb result:

As we see, we have got nothing interesting. Se let's investigate the web app further. Clicking on the link we have got screen as below.
Nothing special. In the Documentation is something strange.


Let's check the /jabcd0cs/.

Wow! We can log in as a guest with guest:guest credentials. I have checked in the source code that we have pleasure with 1.2.7 opendocman. I had performed research and I have found exploit (CVE: 2014-1945).Unfortunately Improper Access Control in OpenDocMan doesn't give us fat chance to get limited shell, so let's try SQL Injection vulnerability via sqlmap.
Proof of concept:

OK, we are pretty sure that add_value parameter is vulnerable to SQL Injection and we should go deeper.

Deeper into drupal7 db
We see that password has been 'encrypted' via SHA hash function. We have to crack the password because our target has 22/SSH open port.From jabcd0cs database credentials
I have broken the password for webmin, the password is webmin1980. Let's try log in via SSH.


As far as I know, we should find exploit to privilege escalation without any problem (CVE: 2015-8660).

Game over!