Tuesday, September 11, 2018

VulnOS 2


- Layout for this exercise:


- The purpose of this exercise is to get a remote root shell and the flag.txt at the vulnerable machine VulnOS 2.

- The vulnerable machine VulnOS2 can be downloaded from here:,147/

- Once VulnOS 2 is downloaded, extracted and opened with VirtualBox:


- Discovering the IP with netdiscover:

- Scanning all ports with Nmap:

- Browsing the web server:

- Viewing the source of the Documentation tab, there is a self-explanatory line:

- Going to the folder /jabcd0cs we find that OpenDocMan v1.2.7 is used:


- OpenDocMan v1.2.7 is vulnerable to this exploit:

- Searching for the exploit at Kali:

- Reading the text file 32075.txt there are some advisory details:

- Inserting the example above into a Sqlmap command and adapting it to our needs, we are able to find 6 databases:

- Dumping all content of the database jabcd0cs, we find a couple of username/password MD5 hashes:

- Cracking the hashes:

- By the way, at the bottom of the web home page we can read this, which is obviously a hint for the password webmin1980:

- Connecting with SSH and the credentials webmin:webmin1980, a low privilege shell is achieved:


- Improving the shell:

- Checking the Linux distro (Ubuntu 14.04) and kernel (3.13):

- Ubuntu 14.04 and kernel 3.13 are vulnerable to a Local Privilege Escalation exploit:

- Searching for the exploit at Kali:


- Setting up a Simple HTTP Server on port 8000:

- From VulnOS 2, downloading the exploit to folder /tmp:

- Compiling 37292.c:

- Running the exploit 37292, finally we get a remote root shell from VulnOS 2:


- The last step is just reading the flag.txt:

Monday, September 10, 2018

VulnOS 1


- Layout for this exercise:


- The purpose of this exercise is the study of the hacking process for the vulnerable machine VulnOS 1.

- VulnOS 1 can be downloaded from here:,60/

- Once VulnOS 1 is downloaded, extracted and opened with VirtualBox:

- In this vulnerable machine the number of potential vulnerabilities is very large, because there are many open ports with their corresponding services running.

- According to the author's suggestion, all the vulnerabilities should be found.

- However, in this exercise we have limited ourselves to the search for a root shell and eventually the capture of the flag, just by exploiting the minimum amount of essential vulnerabilities needed to achieve our goal.


- Discovering the IP with netdiscover, we learn that VulnOS 1 is assigned with

- Scanning with Nmap the large number of services running:

- Browsing the web:

- dirb helps to discover some of the available folders:


- Let's go first with phpmyadmin, whose default login is root with a blank password.

- However, these credentials don't work in our case, probably because of the configuration:

- Using Medusa to find a valid password for username root:

- Medusa discovers root:toor; let's check whether it is correct:

- Yes, Medusa was right:

- Now, the first thing to notice is the large number of available databases, each one with its corresponding list of usernames and password hashes.

- Let's go through the main databases one by one.

- dolibarr:

- drupal6:

- dvwa (interesting):

- mysql:

- nowasp:

- weberp:

- CrackStation helps to crack most of the hashes:

- Gathering all these credentials we create two text files:

  • users.txt: containing all the usernames and logins
  • passwords.txt: containing all the decrypted passwords


- Now, let's focus our attention on port 10000:

- MiniServ 0.01 has some associated exploits, for instance this Perl script that allows File Disclosure:

- Locating exploit 2017 at Kali:

- As expected, it is an executable Perl script:

- Opening the script, there is a usage example line:

- Also, running the script without arguments we can learn how to use it:

- For instance, let's use the script to remotely read /etc/sudoers from VulnOS 1:

- Later (point 6.2 of this exercise) this Perl script will be used to obtain essential information about the passwords of relevant users.


DVWA is the well-known Damn Vulnerable Web Application, basically a web application that is vulnerable on purpose:

- The fact that DVWA is present at VulnOS 1 is an invaluable gift, because it provides us with a lot of potential ways of exploiting the vulnerable machine.

- As seen before, the valid credentials for DVWA are admin:password:

- Some of the recently released versions of DVWA are 1.9, 1.0.8, 1.0.7, etc ...

- Trying all of them, we finally have access to the DVWA web server:

- Let's notice that the default Security Level is set to high:

- Lowering it to low:


- Taking advantage of the Command Execution vulnerability let's try to submit this PHP script:

- Before that, don't forget to set up a Netcat listener on port 4444:

- Now, submitting the script:

- As a consequence, a low privilege shell is successfully achieved:

- Improving the shell:



- htpasswd is used to create and update the flat files that store usernames and passwords for basic authentication of HTTP users.

- Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd.

- htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache (apr1), SHA1, or the system's crypt() routine.
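Since htpasswd files can mix all four schemes, a defender reviewing one should know which entries still rely on unsalted SHA1 or the old crypt() format. The following Python script is an added example, not part of the original exercise, that parses a constructed htpasswd file, classifies each entry by its hash prefix, flags the weak schemes and verifies a {SHA} entry against a candidate password the way Apache does (the sample users and hashes are made up for illustration):

```python
import base64
import hashlib
import hmac

# Constructed sample htpasswd file (not taken from VulnOS 1). The {SHA} entry
# is Apache's base64(sha1()) encoding of the password "password"; the bcrypt,
# apr1 and crypt fields are placeholder values used only for classification.
SAMPLE_HTPASSWD = """\
# comment lines and blank lines are ignored
admin:$2y$05$abcdefghijklmnopqrstuuVqx0Lq8m6pA1Q7o4zZ0y4sVeN1Y5v8Qm
webuser:$apr1$saltsalt$abcdefghijklmnopqrstuv
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
olduser:abJnggxhB/yWI

"""

# Schemes a reviewer should flag: unsalted SHA1 and crypt() (8-char limit).
WEAK_SCHEMES = {"sha1", "crypt", "unknown"}


def classify(hash_field):
    """Return the htpasswd scheme name for one password field."""
    if hash_field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if len(hash_field) == 13:  # traditional DES crypt(): 2-char salt + 11
        return "crypt"
    return "unknown"


def audit(text):
    """Parse htpasswd text into (user, scheme, is_weak) tuples."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        scheme = classify(hash_field)
        results.append((user, scheme, scheme in WEAK_SCHEMES))
    return results


def verify_sha1(password, hash_field):
    """Check a {SHA} entry as Apache does: base64(sha1(password))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
    return hmac.compare_digest(digest.decode(), hash_field[len("{SHA}"):])
```

Entries reported as weak are candidates for re-hashing with `htpasswd -B` (bcrypt), after which the audit can be re-run to confirm nothing unsalted remains.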

- Let's try to find any htpasswd file across VulnOS 1:

- Reading the file:

- Also, looking for htpasswd.users:

- John The Ripper helps to crack the second password:

- However, this path does not lead us anywhere; let's try another way.

6.2 - vulnosadmin

- Let's focus our attention on the interesting user vulnosadmin:

- Going to his home directory, we find that vulnosadmin has successfully used sudo in the past:

- Now, taking advantage of the webmin exploit at port 10000 used at point 4 of this exercise, we can get both /etc/passwd and /etc/shadow for vulnosadmin:

- Copying output to files a and b:

- Preparing the password hashes with the unshadow command:

- Applying John The Ripper over file u:

- Finally we have been able to recover the vulnosadmin user's password.

6.3 - SSH

- Using our lists users.txt and passwords.txt from point 3 (where canuhackme has been added), Medusa finds the right credentials for an SSH remote shell connection:

- Now, entering the SSH credentials vulnosadmin:canuhackme, let's connect to VulnOS 1:

- The good news is that vulnosadmin is an (ALL)ALL sudoer:

- Changing the password for user root:

- Finally, a root shell is successfully achieved:

- Also, this would be equally valid:


- Reading hello.txt: