VulnOSv2 Walkthrough

I started this box with a netdiscover scan, revealing it had an IP of 192.168.0.138

Nmap scan found some open ports

SSH

Webserver with a root dir

Port 6667

Went to the website to reveal, how nice 🙂

After clicking on the link, it takes me too the web app

I browsed around the site, but didn’t notice much. I then checked the robots.txt file and found some interesting pages

I wasn’t able to request /admin/ or /?q=admin/, but was prompted with a permission denied on the later

I then tried /?q=user and was presented with a login page!

I didn’t have any login credentials, so I did another sweep through of the site. I must have skipped the Documentation page, because it revealed some good info 🙂 The page was black, and I had to highlight the text with my mouse. Guest:guest at the url /jabsd0cs

The path took me to another web app

The login site also listed a software name and version

I looked up the software in google, and got a top hit

Based on the SQLi vuln found at the first link, I loaded up sqlmap with the following:
sqlmap -u “http://192.168.0.138/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user*”

Looks like sqlmap was able to find an injection point!

I then added “–dbms mysql –dbs” to the request and received the DBs

Also dumped jabcd0cs’s user info

I tried a couple sites online to crack the md5 hash, crackstation didn’t work, but hashkiller did the trick 🙂

Not sure how I’m going to pivot from an admin user in the app to gain a remote shell, so before we go down that road, lets see if password reuse is in play.
I ssh’d to the host with the webmin credentials I found and boom, we have a limited user!

In the users home dir, we find a file called post.tar.gz. I untar’d the file to reveal hydra, ready to be compiled? This was hint that I needed to brute force something… but what?

I ran a netstat on the host to look for other listening services, and found a postgresql db..

We could probably configure and make hydra on the host, then use it to brute for a postgres account. Let do things an easier way, with SSH tunneling
On our kali host, we issue the following command
Ssh webmin@192.168.0.138 -L 5455:localhost:5432
My kali host was already listening on 5432, so I changed it to 5455

This tells our machine to redirect communication on local port 5455 to the remote 5432 on 192.168.0.138 over ssh

After we issue this commands, let’s see if we can brute force an account 🙂
I decided to ouse metasploit for the brute force, since it had a module for default postgres accounts

I changed the options

Then ran the scan, it didn’t take long and found a successful username/password!

With the postgres db username and password, we need to run pg_dumpall to dump the dbs. We use the same port tunneled the postgres

PGPASSWORD=”postgres” pg_dumpall -U postgres -h localhost -p 5455
This displayed the db’s contents

I found some interesting info, possibly 2 usernames and pw’s. Most important, vulnosadmin

PW: “c4nuh4ckm3tw1c3”
I used the still open ssh tunnel session, and su’d to vulnosadmin with the pw

I scp’d the file to my box for further inspection

I used blender to view the file:
And found the following text, what looks like a password: ab12fg//drg
I tried the pw with su root, and got root access!

Leave a Reply

Your email address will not be published. Required fields are marked *