VulnOS v1

After a few days of taking a break, I am now back on the Vulnhub VMs. This is my latest attempt and I hope to significantly improve my timing of completing it. So here it goes...

Step 1 – Find out VulnOS IP

I run a quick netdiscover scan and notice that the machine is at 192.168.1.3.

Step 2 – Enumerate the IP to find out open ports, service version, OS etc.

This provides the following attack surface:

  • Port 22 – OpenSSH 5.3p1 Debian 5ubuntu1.1
  • Port 23 – Telnet
  • Port 25 – Postfix
  • Port 53 – ISC BIND 9.7.0-P1
  • Port 80 – Apache httpd 2.2.14
  • Port 110 – Dovecot pop3d
  • Port 111 – Rpcbind
  • Port 139 – Samba
  • Port 143 – Dovecot
  • Port 389 – LDAP
  • Port 445 – Samba
  • Port 512, 513, 514 – r services
  • Port 901 – Samba SWAT administration server
  • Port 993, 995 – Dovecot
  • Port 2000 – Sieve
  • Port 2049 – NFS
  • Port 3306 – MySQL 5.1.73
  • Port 3632 – Distccd
  • Port 6667 – IRC
  • Port 8080 – Apache Tomcat
  • Port 10000 – MiniServ
  • System Name – VulnOs.home
  • OS – Ubuntu0.10.04.1 Linux 3.2 – 4.6

 

Step 3 – Enumerating web ports

phpMyAdmin found to be running.

Logged in using default credentials root:toor

Found user credentials:

Database – Drupal 6 drupal6/drupal6
Database – mysql vulnosadmin/vulnosadmin

Logging into drupal6 and uploading a PHP reverse shell

OS users vulnosadmin, hackme, stupiduser are present

Found htpasswd file and obtained credentials nagiosadmin / canuhack

I had previously noticed that the Webmin application was running. Used a file disclosure vulnerability to obtain the contents of /etc/shadow

Cracked password for user vulnosadmin

Obtained root access!!!

 

 
