Let’s start with nmap to determine what services are running.

nmap -p- -sV


So there is a web server, SSH and IRC running.
Let’s start off with the web server.



There are a lot of directories but none really stick out. Time to look at all the pages.
On there is an empty page.
But looking at the page source (or pressing CTRL+A) reveals a hidden message that refers to another site with login possibilities (guest:guest).

At first glance there is a notification on what the site is running on.
OpenDocMan v1.2.7 → document management software.
Let’s see what there is to find about this piece of software on exploit-db.

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of the “add_value” HTTP GET parameter in the “/ajax_udf.php” script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application’s database.

So a SQL injection is possible via the add_value parameter. Let’s start up sqlmap.

sqlmap -u '' -p add_value --current-db


sqlmap -u '' -p add_value -D jabcd0cs --dump
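As an added example (not part of the original writeup), the following Python scans web-server access logs for requests that hit the vulnerable ajax_udf.php endpoint with SQL metacharacters in add_value, which is how a defender would spot the sqlmap activity above. The log lines, client addresses and the benign field name are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not from a real server): one legitimate
# lookup, two sqlmap-style probes of add_value, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2016:12:00:01 +0000] "GET /ajax_udf.php?q=1&add_value=username HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2016:12:00:02 +0000] "GET /ajax_udf.php?q=1&add_value=username%20UNION%20SELECT%201,version()%23 HTTP/1.1" 200 734 "-" "sqlmap/1.0-dev"
10.0.0.9 - - [10/Mar/2016:12:00:03 +0000] "GET /ajax_udf.php?q=1&add_value=username%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 12 "-" "sqlmap/1.0-dev"
10.0.0.5 - - [10/Mar/2016:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# add_value is meant to carry a field/column name, so SQL keywords, comment
# sequences and quotes have no business being in it.
SQLI_MARKERS = re.compile(r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|#|/\*|'|\")")
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]+")


def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_add_value(line):
    """Return a finding for a request to ajax_udf.php whose add_value looks injected, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    if not url.path.endswith("/ajax_udf.php"):
        return None
    # parse_qs percent-decodes once, so %27 and %23 become ' and # here.
    for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
        if SQLI_MARKERS.search(value) or not SAFE_VALUE.fullmatch(value):
            return {"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                    "status": rec["status"], "add_value": value}
    return None


def scan_log(text):
    """Run inspect_add_value over every line and collect the findings in order."""
    return [f for f in (inspect_add_value(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} ({finding['ua']}): add_value={finding['add_value']!r}")
```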


A quick look on shows that the hash is:

Let’s upload a shell file.
Hmmmm…..restricted. Oh well.
Let’s adjust the filter types.

Add document: text/x-php

Let’s try again.

Now let’s start listening.

nc -lvnp 31337

And let’s view the document.
Crap….only option is downloading it. Not running it.
That’s no good.


So let’s try this angle.

nc -p 22 -l webmin
password: webmin1980

Let’s get proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Let’s look around. Some interesting directories.
and of course /root

Both restricted. Let’s get root.

lsb_release -a


We know the server runs on Ubuntu 14.04.
So let’s try the overlayfs exploit (

cd /tmp
gcc overlayfs.c -o overlayfs
chmod 755 overlayfs


Et voila……root!

Now let’s check those dirs again.
The dir vulnosadmin has a strange file in it: r00t.blend

file r00t.blend
r00t.blend: Blender3D, saved as 32-bits little endian with version 2.77

The root dir has got the flag:
