VulnOS: 2 Boot to Root VM Walkthrough

Introduction

Today I’ll be documenting how to fully compromise the VulnOS: 2 VM, created by @c4b3rw0lf.

This was a tough VM, centred around a Joomla web app. This was of particular interest to me as I’d never attempted to compromise a Joomla app prior to this VM.

Onwards!

Nmap

Not a lot to go on here really. Outdated OpenSSH and Linux Kernel, an Apache server and what appears to be an IRC server on port 6667!

IRC Server

Connecting to the IRC server with WeeChat yields... nothing?

Running /list shows that there are no channels, so we’ll park this for now and come back to it later if need be.

Web Server

Navigating to the webapp takes us to a splash screen saying “pwn the webapp!” and pointing us to a subdirectory named “/jabc”.

First up we run the usual barrage of tools against the app (Nikto and Dirb).

Nikto Output

Loads of stuff to manually go through here. Important takeaways for me are –

  • This is a Drupal app (guides vulnerability research)
  • There’s an xmlrpc.php file available
    • We may be able to leverage this to get the app to do things that it shouldn’t do.
  • /jabc/scripts/ has a potential system shell available according to Nikto

Dirb

Nothing hugely interesting here that isn’t available in the Nikto output.

Droopescan

After Googling for things to look for when pentesting Drupal apps, I came across this awesome library on Github. Seems to operate in a similar manner to tools like Joomscan and wpscan.

Lots of useful info here. We can use the names and README files of those modules to search for vulnerabilities 🙂 (plupload sounds like it could be interesting, right?)

Manual Probing

After a few seconds of poking around the site we find an interesting Documentation page –

The ugly highlighted text was “hidden” (black text on a black background). It says “For a detailed view and documentation of our products please visit our documentation platform at /jabcd0cs/, just login with guest/guest”. So let’s go and do that!
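One way to audit your own pages for text hidden this way, as an added example that is not part of the original walkthrough: it uses only Python's standard library, a constructed HTML sample, and models only named black/white and hex colours (inherited from enclosing elements, as CSS does), so a paragraph in black text on a black page body is flagged.

```python
# Added example, not code from the VulnOS walkthrough; stdlib only, sample HTML is constructed.
from html.parser import HTMLParser
import re
NAMED = {"black": "#000000", "white": "#ffffff"}  # only the two names this demo needs

def norm_colour(value):
    """Normalise a CSS colour (named, #rgb or #rrggbb) to lowercase #rrggbb."""
    v = value.strip().lower()
    if v in NAMED:
        return NAMED[v]
    if re.fullmatch(r"#[0-9a-f]{3}", v):        # #rgb -> #rrggbb
        return "#" + "".join(c * 2 for c in v[1:])
    return v  # #rrggbb already, or a form (rgb(), url()) this demo does not model

def parse_style(style):
    pairs = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip() for k, v in pairs}

class HiddenTextFinder(HTMLParser):
    """Track inherited text/background colours; collect text whose two colours match."""
    def __init__(self):
        super().__init__()
        self.ctx = [("#root", None, None)]  # stack of (tag, text colour, background)
        self.found = []
    def handle_starttag(self, tag, attrs):
        props = parse_style(dict(attrs).get("style") or "")
        _, fg, bg = self.ctx[-1]            # inherit from the enclosing element
        if "color" in props:
            fg = norm_colour(props["color"])
        raw_bg = props.get("background-color") or props.get("background")
        if raw_bg:
            bg = norm_colour(raw_bg)
        self.ctx.append((tag, fg, bg))
    def handle_endtag(self, tag):
        if any(t == tag for t, _, _ in self.ctx[1:]):
            while self.ctx.pop()[0] != tag:   # also drops unclosed void tags like <br>
                pass
    def handle_data(self, data):
        _, fg, bg = self.ctx[-1]
        if fg and bg and fg == bg and data.strip():
            self.found.append(data.strip())

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.found

# Constructed sample: black page background, one paragraph in black text.
SAMPLE_HTML = """<html><body style="background-color: black">
<h1 style="color: white">Documentation</h1>
<p style="color: #000">Please visit /jabcd0cs/, login with guest/guest</p>
<p style="color: #FFF; background: #ffffff">Another hidden note</p>
</body></html>"""
```

Running `find_hidden_text(SAMPLE_HTML)` returns the two invisible fragments and skips the visible heading.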

OpenDocMan Pwnage

Navigating to /jabcd0cs/ takes us to this page –

So we’ve got some kind of commercial document management platform here, version 1.2.7. Let’s see if SearchSploit has any vulnerabilities for it –

Perfect, there are vulnerabilities for our version. Let’s read that text file and see how serious they are –

Great, privesc from guest to admin and a SQLi vuln. Let’s plumb that SQLi vulnerability into SQLMap first and see what happens.

Sadly that’s a salted SHA512 hash; we’re not going to be able to crack that. Let’s try and get the admin user’s credentials from the jabcd0cs tables instead –

That’s more like it. Basic MD5 hash. Let’s pop it in Crackstation and see what comes out –

Success, we’ve got a password for the webmin user now. Trying the password on the main Drupal blog didn’t work, but trying it as the SSH password for the user webmin did work!

Privilege Escalation

So running uname -a on the box to get the Kernel version pointed me at this exploit, which appears to have a Metasploit module!

So I ran the SSH_login Metasploit module to get a session then upgraded it to a Meterpreter with sessions -u 2 which gets us to a point where we can run the kernel exploit!

But sadly executing the exploit through Metasploit failed. No idea why! I then tried pulling down the same exploit as a C file from this awesome repo on Github and manually compiled it on the box aaaand….

Done!

Conclusion

A great box. Took me a long time again as I went down the rabbit hole (for hours) of looking for Drupal exploits when I should’ve been looking at the Documentation page a bit closer! Takeaways of this VM are to always look at the page source on every page and to never forget to try weird web-based credentials as SSH credentials!