VulnHub – VulnOS 2 Walkthrough

Introduction

This was a pretty easy Linux box that involved exploiting an SQL injection vulnerability in the OpenDocMan web application to gain initial access, and then using a kernel exploit affecting Ubuntu to gain root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1,000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -oA to save the output in all formats available

Enumerating the HTTP Port

The default page on the web server doesn't seem to have anything useful.

The /jabc page also doesn't seem to help.

When navigating to the documentation page, some hidden text mentions a /jabcd0cs platform.

When navigating to /jabcd0cs, an OpenDocMan web application is displayed; the home page reveals the version, v1.2.7:

Exploiting SQL Injection

When using the SearchSploit tool to search for vulnerabilities in OpenDocMan, there is one entry matching this version, 32075.

This entry covers two issues, one of which is an SQL injection caused by improper input validation:

This vulnerability allows arbitrary MySQL queries to be run. As an example, the following payload displays the MySQL version:

http://10.10.10.129/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
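From the defender's side, the same payload shape is easy to spot in web server access logs: the add_value parameter of ajax_udf.php is meant to carry a table name, so SQL keywords inside it are a reliable signal. The following detection logic is an added example (not part of the original write-up); it assumes a common combined-style access log format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original write-up).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 640
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2024:10:00:12 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9 HTTP/1.1" 200 640
"""

# Extracts the method and request target from the quoted request line
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# SQL keywords that should never appear in add_value, which normally names a table
INJECTION_RE = re.compile(r"\b(union|select|sleep|benchmark|information_schema)\b", re.IGNORECASE)


def normalise(value: str) -> str:
    """Replace inline comments (/**/) with spaces so comment-based spacing tricks still tokenise."""
    return re.sub(r"/\*.*?\*/", " ", value)


def flag_suspicious_requests(log_text: str) -> list:
    """Return one finding per request to ajax_udf.php whose add_value carries SQL keywords."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/ajax_udf.php"):
            continue
        # parse_qs URL-decodes the values, so %20 and %28 become plain characters
        for value in parse_qs(parts.query).get("add_value", []):
            hit = INJECTION_RE.search(normalise(value))
            if hit:
                findings.append({"line": lineno, "keyword": hit.group(0).upper(), "add_value": value})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {f['line']}: {f['keyword']} in add_value={f['add_value']!r}")
```

The legitimate request on the first sample line is not flagged, while both the URL-encoded payload and the comment-obfuscated variant are.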

To automate the exploitation process, the request can be intercepted with Burp Suite and saved to a text file to use with SQLMap later on:

Using SQLMap to exploit the SQL injection, providing the file containing the request and the --dump flag to dump the database:

A couple of user hashes were found in the odm_user table:

The hashes can be cracked using the hashes.org online cracking tool:

SSH can be used to connect to the machine with the credentials found:

Extra: Exploiting Drupalgeddon 2

This vulnerability in certain versions of Drupal allows an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

The favicon used on the website discloses that the application is running Drupal.

Using the Droopescan tool to identify the Drupal version and any plugins:

When searching for Drupal 7 on SearchSploit, a few results come up:

After trying some of the scripts, the Drupalgeddon 2 Ruby exploit (44449.rb) worked. A few gems are required for this script to run:

To test for code execution, the script attempts to echo a randomly generated 8-character string; if the response matches the string that was sent, it assumes that code execution is working.

After executing the script and providing the Drupal URL, a shell was obtained.

Privilege Escalation

After performing a lot of privilege escalation checks, nothing stood out, so the next best option is to look for kernel exploits.

Gathering operating system and kernel information:

Using SearchSploit to look for kernel exploits affecting the machine:

Mirroring the exploit from Exploit-DB and setting up a Python web server so it can be downloaded from the target machine:

The exploit was downloaded with wget, compiled with gcc and executed; the compiled exploit granted root access.

Conclusion

This was quite a fun box; there were two ways to obtain an initial foothold, although Drupalgeddon 2 probably wasn't the intended route. I was a bit disappointed by the privilege escalation part: it would have been nice to have something a bit more creative to exploit in order to get to root rather than a kernel exploit, which is tedious more than anything.