Writeup VulnOS: 2

This post describes the steps needed to gain root on VulnOS 2, available on Vulnhub (https://www.vulnhub.com/). According to the author c4b3rw0lf (https://twitter.com/@c4b3rw0lf), the goal of this box is to get root on the system and read the final flag.

Console screen of VulnOS 2

Machine Name: VulnOS: 2
Resource URL: https://www.vulnhub.com/entry/vulnos-2,147/
Release Date: 17 May 2016

VulnOS 2 Description

Summary

To obtain administrative access on this box, the following kill chain was executed.

  • Port and service enumeration.
  • Recon against the web application.
  • A SQLi vulnerability in the documentation app allowed the attacker to leak database information, including credentials.
  • Access with valid credentials (webmin:webmin1980) over the SSH service.
  • Credentials for the user vulnosadmin found in the PostgreSQL database.
  • Lateral movement to the user vulnosadmin and the r00t.blend file.
  • Root access.

WriteUp

Recon

During the recon step, the attacker enumerates ports and services with the nmap port scanner.

Nmap scan output against the target

Nmap detected 3 open ports: 22/TCP, 80/TCP and 6667/TCP. To enumerate the web application on port 80/TCP, served by Apache 2.4.7, the attacker runs a brute-force scan to identify files and directories in the application.

Nikto scan output against the target

Nikto revealed the directory /jabc and other files related to a web application. The page http://192.168.1.107/jabc/?q=node/7 contains information about a new directory, /jabcd0cs/, and an access credential (guest/guest).

New directory and access credential disclosed in the answer

The web app found at /jabcd0cs/ is OpenDocMan. This application has multiple vulnerabilities:

  • SQL Injection in OpenDocMan: CVE-2014-1945
  • Improper Access Control in OpenDocMan: CVE-2014-1946

Exploitation

In the exploitation step, the attacker identified a SQL injection at the URL: http://192.168.1.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version.
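To show why the add_value parameter can carry a UNION, here is an added example (not OpenDocMan's code) that reproduces the assumed shape of the flaw, a request parameter spliced into the query as a table name, beside an allow-list fix. The table and column names and the sample hash are constructed for the demo, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for two OpenDocMan tables; names and values are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE odm_udf (id INTEGER, name TEXT)")
    db.execute("INSERT INTO odm_udf VALUES (1, 'Department')")
    db.execute("CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO odm_user VALUES (1, 'webmin', 'constructed-md5-hash')")
    return db

# Mirrors the page's payload: the parameter names a table and appends a UNION.
PAYLOAD = "odm_udf UNION SELECT id, password FROM odm_user"

def udf_lookup_vulnerable(db, add_value):
    # Assumed shape of the flaw: the request parameter is concatenated into the
    # SQL text, so a "UNION SELECT" inside it becomes part of the query.
    return db.execute("SELECT id, name FROM " + add_value).fetchall()

ALLOWED_TABLES = {"odm_udf"}

def udf_lookup_hardened(db, add_value):
    # A table name cannot be bound as a query parameter, so validate it against
    # an allow-list and quote the identifier; the parameter can then only ever
    # pick a table the application meant to expose.
    if add_value not in ALLOWED_TABLES:
        raise ValueError(f"rejected table name: {add_value!r}")
    return db.execute(f'SELECT id, name FROM "{add_value}"').fetchall()

def hardened_rejects(db, add_value):
    """True when the hardened lookup refuses the value."""
    try:
        udf_lookup_hardened(db, add_value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(udf_lookup_vulnerable(db, PAYLOAD))   # second row carries the webmin hash
    print(hardened_rejects(db, PAYLOAD))        # True
```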

Sqlmap enumerating the databases on the target.

The information available in the database includes usernames, passwords and emails, but the passwords are stored as hashes.

Hashed credentials in the password column.

To recover the password, the hash was submitted to CrackStation (https://crackstation.net/) and MD5Decrypt (https://www.md5decrypt.org/). MD5Decrypt recovered the password of the user webmin: webmin1980.

Cleartext password.

The attacker used the webmin credential to authenticate to the SSH service.

Access as user webmin (uid 1001) through the SSH server.

Privilege Escalation Part 1

To obtain more privileges on the system, the attacker ran LinEnum (https://github.com/rebootuser/LinEnum) to gather information about the target system.

Administrative users on the target system.
Postgres version
Postgres process running on the target system.
Port on which Postgres is listening

PostgreSQL on the target listens only on the local interface (127.0.0.1), so to run a brute-force attack the traffic must be pivoted to the target's local interface. To accomplish this, the attacker used SSH to create a tunnel between the attacker machine and the Postgres service inside the target system.

SSH tunnelling.
The tunnel is connected and Postgres is reachable.

The brute-force attack identified the password of the user postgres: postgres.

Metasploit scanner/postgres/postgres_login module output

The postgres credential allowed the attacker to dump the database.

Dumping postgres database

A credential for the user vulnosadmin was found in the Postgres dump; the password is in clear text.

Vulnosadmin password

Moving laterally to the user vulnosadmin, the file r00t.blend is found in that user's $HOME directory.

File r00t.blend found inside vulnosadmin's $HOME directory.

The root password is found inside the file r00t.blend, hidden inside an object.

Root password

With the root password ab12fg//drg, the attacker can log in to the root account.

Attacker obtained administrative access on the target machine.

Using the root account, the attacker can read the flag.

Root reading flag.txt

Privilege Escalation Part 2

The target runs Ubuntu 14.04.4 LTS, and its kernel is vulnerable to CVE-2015-1328 (https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html). The vulnerability is in the overlayfs implementation of the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04, which does not properly check permissions for file creation in the upper filesystem directory; this allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
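As an added triage helper (not from the page or from Ubuntu), the check below parses a uname -r string and compares its ABI number with the fixed package version the page cites for the 3.19 series; other series, such as the 3.13 kernels that 14.04 ships, are reported as unknown rather than guessed, and the Ubuntu-specific sysctl that gates unprivileged user namespaces is read only if present.

```python
import re

# Fixed package version quoted on the page: 3.19.0-21.21, i.e. ABI 21 of the
# 3.19.0 series. Other series have their own fixed ABIs; they are deliberately
# left out here and must be taken from the Ubuntu CVE tracker.
FIXED_ABI_BY_SERIES = {
    (3, 19, 0): 21,
}

# Ubuntu release strings look like "3.19.0-20-generic": version, ABI, flavour.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-")

def parse_uname_release(release):
    """'3.19.0-20-generic' -> ((3, 19, 0), 20); None for non-Ubuntu formats."""
    m = RELEASE_RE.match(release)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4))

def cve_2015_1328_status(release):
    """Return 'fixed', 'vulnerable' or 'unknown' for a uname -r string."""
    parsed = parse_uname_release(release)
    if parsed is None:
        return "unknown"
    series, abi = parsed
    fixed_abi = FIXED_ABI_BY_SERIES.get(series)
    if fixed_abi is None:
        return "unknown"        # series not in the table: consult the tracker
    return "fixed" if abi >= fixed_abi else "vulnerable"

def unprivileged_userns_enabled(path="/proc/sys/kernel/unprivileged_userns_clone"):
    """Ubuntu-era sysctl (assumed path); True/False when readable, None otherwise."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

if __name__ == "__main__":
    import os
    rel = os.uname().release
    print(rel, cve_2015_1328_status(rel), unprivileged_userns_enabled())
```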

Using wget to download the exploit and gcc to compile it.

When the exploit runs, a root shell is spawned in the terminal, giving the attacker administrative access.

Conclusion

This machine is not much like the real world: the intended way to get root is really nonsense, since no one hides the root password inside a file like that. But the recon, exploitation and parts of the privilege escalation steps are pretty nice.
