VulnOS 2

This is my writeup for the VulnOS 2 VM.

Step 1 – Find out VulnOS IP

Since all devices are on my home Wifi network, I run a quick netdiscover scan. The VulnOS machine is at

Step 2 – Enumerate the IP to find out open ports, service version, OS etc..

This provides the following attack surface:

  • Port 22 – OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6
  • Port 80 – Apache httpd 2.4.7 PHP/5.5.9-1ubuntu4.14 Drupal 7
  • Port 6667 – ngircd
  • OS – Ubuntu 4.14

Step 3 – Enumerating web ports

Mutiple directories found

Exploiting SQL Injection vulnerability in OpenDocMan

Logged in using SSH

Another user account vulnosadmin is present

Used a publicly available ‘overlayfs’ exploit to obtain root access


Alternate method to get root

Extract and install Hydra present in user webmin’s home directory

Use Hydra to identify postgresql password

Obtain password for user vulnosadmin

Login using SSH as user vulnosadmin and obtain the root.blend file

Viewing contents of file

Password is ‘ab12fg//drg and obtained root again !!!




Leave a Reply

Your email address will not be published. Required fields are marked *