VulnHub target machine: VulnOS 2
Download: https://www.vulnhub.com/entry/vulnos-2,147/
After downloading, open the target machine in VirtualBox with the network adapter set to bridged mode.
Mission: escalate privileges and obtain the flag
Attacker machine: Kali Linux 192.168.8.108
Target machine: 192.168.8.107
1. Information collection
First, use nmap to discover the live hosts on the network.
Command: nmap -sP 192.168.8.0/24
This gives the target machine's IP: 192.168.8.107
Next, scan the target machine for open ports.
Command: nmap -sV -p- 192.168.8.107
The scan finds ports 22, 80 and 6667 open; the corresponding services are ssh, http and irc.
Visiting the website and viewing the page source turned up nothing useful. The web page prompts us to follow the purple link, get root on the system and read the final flag.
After browsing the entire site, I finally found a hidden hint in the source code of the Documentation page.
It turns out the font color had been changed to black. If you select the text on the Documentation page, you can also see the hint.
The hint tells us to visit /jabcd0cs/
The application at that path is OpenDocMan 1.2.7, a document management system. Use searchsploit to search for known vulnerabilities in it, then download 32075.txt and open it for viewing.
2. Privilege escalation
The advisory describes a SQL injection.
Using the payload: http://192.168.8.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION SELECT 1,version(),3,4,5,6,7,8,9
The version information is displayed in the response (marked with the red box), which proves the vulnerability is exploitable. From here, just hand it to sqlmap. I will not enumerate the database step by step; here is the command for the last step:
sqlmap -u "http://192.168.8.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --risk 3 --level 3 -p add_value -D jabcd0cs -T odm_user -C username,password --dump
The two passwords are stored as MD5 hashes. After cracking them, the password for webmin is webmin1980, and the password for guest is guest.
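The defender's view of the request above, as an added example that is not part of the original write-up: a Python check that scans web access log lines for ajax_udf.php requests whose add_value is not a bare table name. The log lines are constructed, and the rule that legitimate values look like odm_user is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate add_value values are bare table names such as odm_user.
IDENTIFIER = re.compile(r"[A-Za-z0-9_]+")
# Combined log format; the request target may contain raw (unencoded) spaces.
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.*) HTTP/[0-9.]+" \d{3} ')
SQL_TOKENS = re.compile(
    r"\b(union|select|sleep|benchmark|information_schema)\b|--|/\*|'", re.I)

# Constructed sample lines (192.168.8.50 is a made-up client address).
SAMPLE_LOG = [
    '192.168.8.50 - - [01/Jan/2024:10:00:00 +0000] "GET /jabcd0cs/ajax_udf.php'
    '?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.8.108 - - [01/Jan/2024:10:01:00 +0000] "GET /jabcd0cs/ajax_udf.php'
    '?q=1&add_value=odm_user%20UNION%20SELECT%201,version(),3,4,5,6,7,8,9'
    ' HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.168.8.108 - - [01/Jan/2024:10:01:05 +0000] "GET /jabcd0cs/ajax_udf.php'
    '?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9'
    ' HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.168.8.50 - - [01/Jan/2024:10:02:00 +0000] "GET /jabcd0cs/ajax_udf.php'
    '?q=1&add_value=odm%20user HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.168.8.50 - - [01/Jan/2024:10:03:00 +0000] "GET /jabcd0cs/index.php'
    ' HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def suspicious_requests(lines, path_suffix="/ajax_udf.php", param="add_value"):
    """Return (client_ip, reason, decoded_value) for each non-identifier value."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        if not url.path.endswith(path_suffix):
            continue
        # parse_qs percent-decodes, so encoded and raw payloads compare equal.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if IDENTIFIER.fullmatch(value):
                continue
            reason = "sql-keyword" if SQL_TOKENS.search(value) else "not-identifier"
            findings.append((m["ip"], reason, value))
    return findings

if __name__ == "__main__":
    for ip, reason, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

The same allow-list test (reject any add_value that is not a plain identifier) is also the input validation the endpoint itself would need before the value reaches a query.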
First, log in over ssh as the webmin user. The login succeeds.
Check the kernel version, then use searchsploit to search for an exploit for that kernel.
Download the exploit, transfer it to the target machine, then compile 37292.c on the target machine and execute it.
It runs successfully and gives root permission. Enter the root directory and get the flag.