VULNOS 1
- Layout for this exercise:
1 - INTRODUCTION
- The purpose of this exercise is the study of the hacking process for the vulnerable machine VulnOS 1.
- VulnOS 1 can be downloaded from here:
https://www.vulnhub.com/entry/vulnos-1,60/
- Once VulnOS 1 downloaded and extracted with VirtualBox:
- In this vulnerable machine it happens that the number of potential vulnerabilities is very large, because there are many open ports and the corresponding associated services running.
- According to the author's suggestion all the vulnerabilities should be found.
- However, in this exercise we have limited ourselves to the search of a root shell and eventually the capture of the flag, just by exploiting the mininum amount of essential vulnerabilities to achieve our goal.
2 - ENUMERATION
- Discovering the IP with netdiscover, we learn that VulnOS 1 is assigned with 192.168.1.11:
- Scanning with Nmap the great amount of services running:
- Browsing the web:
- dirb helps to discover some of the available folders:
3 - PHPMYADMIN
- Let's go first with phpmyadmin, which default login is root plus blank password.
- However these credentials don't work in our case, probably because of the configuration:
- Using Medusa to find a valid password for username root:
- Medusa discovers root:toor, let's check whether it is correct:
- Yes, Medusa was right:
- Now, the first thing to notice is the great amount of available databases, each one with its corresponding list of usernames and password hashes.
- Let's go with the main databases one bye one.
- dolibarr:
- drupal6:
- dvwa (interesting):
- mysql:
- nowasp:
- weberp:
- CrackStation helps to decrypt most of the hashes:
https://crackstation.net/
- Gathering all these credentials we create two text files:
- users.txt: containing all the usernames and logins
- passwords.txt: containing all the decrypted passwords
4 - EXPLOITING WEBADMIN
- Now, let's focus our attention on port 10000:
- MiniServ 0.01 has got some exploits associated, for instance this Perl script that allows File Disclosure:
- Locating exploit 2017 at Kali:
- As expected, it is an executable Perl script:
- Opening the script there is an usage example line:
- Also, running the script without arguments we can learn how to use it:
- For instance let's use the script 2017.pl to read remotely /etc/sudoers available at VulnOS 1:
- Later (point 6.2 of this exercise) this Perl script will be used for achieving essential information about passwords for relevant users.
5 - EXPLOITING DVWA
- DVWA is the well-known Damn Vulnerable Web Application, basically a web application that is vulnerable on purpose:
http://www.dvwa.co.uk/
- The fact that DVWA is present at VulnOS 1 is an unvaluable gift, because it provides us with a lot of potential ways for exploitating the vulnerable machine.
- As seen before the valid credentials for DVWA are admin:password:
- Some of the recently released versions of DVWA are 1.9, 1.0.8, 1.0.7, etc ...
- Trying all of them, finally we have access to the DVWA web server:
- Let's notice that the default Security Level is set to high:
- Levering down to low:
- Taking advantage of the Command Execution vulnerability let's try to submit this PHP script:
- Before that, don't forget to set a Netcat listener at port 4444:
- Now, submitting the script:
- As a consequence a low privilege shell is succesfully achieved:
- Improving the shell:
6 - PRIVILEGE ESCALATION
6.1 - HTPASSWD
- htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users.
- Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd.
- htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine.
https://httpd.apache.org/docs/2.4/programs/htpasswd.html
- Let's try to find any htpasswd file across Vulnos 1:
- Reading the file:
- Also, looking for htpasswd.users:
- John The Ripper helps to decrypt the second password:
- However this path does not lead us to anything, let's try another way.
6.2 - vulnosadmin
- Let's focus our attention on the interesting user vulnosadmin:
- Going to his home directory we find that vulnosadmin has been a successful sudoer in the past:
- Now, taking advantage of the webmin exploit at port 10000 used at point 4 of this exercise, we can get both /etc/passwd and /etc/shadow for vulnosadmin:
- Copying output to files a and b:
- Preparing the password hahes with unshadow command:
- Applying John The Ripper over file u:
- Finally we have been able to decrypt vulnosadmin user's password.
6.3 - SSH
- Using our lists from point 3 users.txt and passwords.txt (where canuhackme has been added) Medusa finds the right credentials for SSH remote shell connection:
- Now, entering SSH credentials vulnosadmin:canuhackme let's connect to Vulnos 1:
- The good news are that vulnosadmin is an (ALL)ALL sudoer:
- Changing the password for user root:
- Finally a root shell is succesfully achieved:
- Also this would be equally valid:
7 - CAPTURING THE FLAG
- Reading hello.txt:
