This is going to be a write-up of VulnOS2 from TryHackMe.com.
TryHackMe is an ethical hacking platform with vulnerable-by-design machines, made for users to test their skills.
To deploy the machine, join the room and click the Deploy button. Let's start.
The first thing we do is an nmap scan.
The flags used are:
-sC runs the default script scan
-sV runs version detection
-Pn skips host discovery and treats the host as alive
We notice that port 80 is open, so we open a browser and access the web page.
Clicking "website" redirects us to another page. Navigating from there we reach the Documentation page, where we see the following:
"For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest." We access that directory and log in with the details provided.
Looking up the OpenDocMan version, we find out there is a known SQL injection vulnerability. The vulnerable parameter (add_value, see below) can also be injected without being authenticated.
We fire up SQLMap to retrieve the database(s).
The flags used are:
-p makes SQLMap inject only the add_value parameter
--batch accepts the sqlmap defaults instead of prompting
--risk and --level extend the set of tests; both default to 1
--skip-waf skips the WAF detection check
--dbs retrieves the database(s)
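From the defender's side, the same request pattern is what you want to catch in the web server logs: a request under /jabcd0cs/ whose add_value parameter carries SQL syntax, or a client announcing itself as sqlmap. The following script is an added example for this write-up, not code from the original page or from TryHackMe; the Apache-style log lines, the page.php endpoint name and the client addresses in it are constructed.

```python
"""Flag SQL-injection probes against the OpenDocMan add_value parameter in
Apache combined-format access logs.

Added example for this write-up; the log lines below are constructed, and
/jabcd0cs/page.php is a placeholder endpoint name, not the real script.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (not captured from the VulnOS2 machine).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:01:02 +0000] "GET /jabcd0cs/page.php?q=1&add_value=odm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2021:10:01:07 +0000] "GET /jabcd0cs/page.php?q=1&add_value=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048 "-" "sqlmap/1.4"
10.0.0.9 - - [10/Jan/2021:10:01:08 +0000] "GET /jabcd0cs/page.php?q=1&add_value=1'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2021:10:02:00 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse SQL syntax indicators; tune to taste, these are deliberately generic.
SQLI_TOKENS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),          # UNION-based extraction
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),        # time-based blind probes
    re.compile(r"(?:'|\")\s*(or|and)\b", re.I),           # quote-breakout boolean tests
    re.compile(r"--\s*$|/\*|#\s*$"),                      # trailing comment to swallow the query
]


def inspect_request(target: str, user_agent: str) -> list:
    """Return the reasons a request looks like SQLi against add_value (empty if clean)."""
    reasons = []
    parts = urlsplit(target)
    if not parts.path.startswith("/jabcd0cs/"):
        return reasons  # only the OpenDocMan install is in scope here
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("add_value", []):
        decoded = unquote_plus(value)  # parse_qs decoded once; catch double-encoding too
        for pattern in SQLI_TOKENS:
            if pattern.search(decoded):
                reasons.append(f"add_value matches {pattern.pattern!r}")
                break
    if "sqlmap" in user_agent.lower():
        reasons.append("sqlmap user-agent")
    return reasons


def analyze_log(text: str) -> list:
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or differently formatted line; skip rather than crash
        reasons = inspect_request(match["target"], match["ua"])
        if reasons:
            findings.append({"ip": match["ip"], "ts": match["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']}: {', '.join(finding['reasons'])}")
```

Run it as-is against the embedded sample and it reports the two requests from 10.0.0.9 (one by both payload and user-agent, one by payload alone) and stays quiet on the legitimate guest browsing. Note that sqlmap lets the user set any user-agent, so the payload check is the one that matters; the user-agent match is only a cheap extra signal.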
We dump the user and password from the jabcd0cs database. The user is webmin and the password is webmin1980.
We can use the dumped user and password to connect over SSH on port 22.
After a little manual enumeration, we see the kernel version is 3.13.0-24, which is pretty old, so we can look up kernel exploits for it.
You can use this GitHub repo, which hosts multiple Linux kernel exploits: https://github.com/lucyoa/kernel-exploits/tree/master/overlayfs
Download the exploit and use Python's built-in HTTP server to transfer it to the vulnerable machine.
To start the Python server (Python 2 syntax) use the following command:
python -m SimpleHTTPServer 80
Now retrieve the file on the target machine using wget:
Set the execute permission on the file:
chmod +x ofs_32
Execute the exploit:
Now you're root.
You can retrieve the flag from the /root directory.