In this post I will be going over the VulnHub machine VulnOS 2 and how I got root.
Initially, it started with scanning the host with onetwopunch. It reveals ssh, apache and iirc.
I begin scanning the host with gobuster while running nikto. On completion, nikto doesn’t show anything useful, but gobuster finds a folder named ‘jabc’, which gives something for an attack vector.
The web application appears to be a simple company website, but inspection of the website source shows a ‘hidden’ folder /jabcd0cs/ with the username ‘guest’ and password ‘guest’.
I first attempt to upload a meterpreter PHP shell but am not able to have it run on the host.
After doing a search of OpenDocMan v1.2.7 for known vulnerabilities, I identify an exploit that allows a remote attacker to upload an SQL query through an HTML file that allows a user ID to be the same as admin’s ID. After testing, this does work and the logged-on user account has admin privileges. Unfortunately, this only yields access to the admin section, and I am unable to turn it into a shell on the host.
Checking the OpenDocMan v1.2.7 exploit page once again shows an SQLi exploit which can be run in sqlmap. The exploit does work and we are able to dump the password of the OpenDocMan v1.2.7 application.
Despite having admin access to OpenDocMan v1.2.7, we only had the option to change the password. Had the password been changed, it would’ve made it tough to log in, as the MD5-hashed password, once decrypted, is the login password to the webmin account on ssh.
Now with a remote shell on the host, only as a low-privilege user, we are able to elevate to root permissions with a kernel exploit after uploading it to /tmp/ with wget from my apache server.
Since we are root, we have the flag.txt in /root/.