TECHNICAL

VulnHub VulnOS2 Walkthrough

A comprehensive technical walkthrough of the VulnHub VulnOS2 challenge.

Gurkirat Singh

Jul 18, 2021 • 3 min read

Whats up Secjuice drinkers! I have been learning about privilege escalation on linux operating system through different Vulnhub challenges and every time they surprise me. In this post I will cover VulnOS2 machine and you will see how a vulnerability in the kernel led to privilege escalation.

Reconnaissance

Make sure you have setup bridge network before starting up. In this session, IP of the box is 192.168.1.45 (you should do this using nmap's ping scan)

Using nmap scan to lookup services

nmap -A -T5 -p 22,80,6667 192.168.1.45

Let's see what is in the web

The website of pseudo company is given below. On crawling the website manually, I have found that they have a login page on /jabcd0cs

On searching, I found that current version of OpenDocMan is vulnerable to SQL injection. Read more here: https://www.exploit-db.com/exploits/32075

Exploitation

Using default credentials (guest:guest) to login and executing SQL injection against website to find user details. To speedup things, SQL map is at your disposal.

sqlmap -u "http://192.168.1.45/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --level 5 --risk 3 --batch -D jabcd0cs -T odm_user --dump

You can find default database of website by opening following URL

http://[host]/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,database%28%29,3,4,5,6,7,8,9

Cracking password of admin user, webmin (confirmed from odm_admin) table

Initial Foothold

Don't forget SSH server is still untouched. Let's use the login details to enter into SSH shell

Boom! Got the initial foothold.

Now let's find the find containing flag, flag.txt

Also sudo, didn't work. Tried pkexec , suid vulnerable file

Privilege Escalation

This is from my experience:- if sudo or suid doesn't work, move onto kernel exploitation

This kernel is vulnerable to LPE (local privilege escalation): https://www.exploit-db.com/exploits/37292.

Now you need to download, compile and execute this exploit code

Want to discuss anything or give me any suggestion? Reach me via any of the following platform

LinkedIn: https://www.linkedin.com/in/gurkirat--singh/
Twitter: https://twitter.com/tbhaxor