This is my writeup for the VulnOS 2 VM.
Step 1 – Find out VulnOS IP
Since all devices are on my home Wifi network, I run a quick netdiscover scan. The VulnOS machine is at 192.168.1.24
Step 2 – Enumerate the IP to find out open ports, service version, OS etc..
This provides the following attack surface:
- Port 22 – OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6
- Port 80 – Apache httpd 2.4.7 PHP/5.5.9-1ubuntu4.14 Drupal 7
- Port 6667 – ngircd
- OS – Ubuntu 4.14
Step 3 – Enumerating web ports
Mutiple directories found
Exploiting SQL Injection vulnerability in OpenDocMan
Logged in using SSH
Another user account vulnosadmin is present
Used a publicly available ‘overlayfs’ exploit to obtain root access
Alternate method to get root
Extract and install Hydra present in user webmin’s home directory
Use Hydra to identify postgresql password
Obtain password for user vulnosadmin
Login using SSH as user vulnosadmin and obtain the root.blend file
Viewing contents of file
Password is ‘ab12fg//drg and obtained root again !!!