What's up Secjuice drinkers! I have been learning about privilege escalation on the Linux operating system through different Vulnhub challenges, and every time they surprise me. In this post I will cover the VulnOS2 machine, and you will see how a vulnerability in the kernel led to privilege escalation.
Make sure you have set up bridged networking before starting. In this session, the IP of the box is
192.168.1.45 (find yours using nmap's ping scan).
Use an nmap scan to look up the services:
nmap -A -T5 -p 22,80,6667 192.168.1.45
Let's see what is on the web server.
The website of the pseudo company is given below. On crawling the website manually, I found that they have a login page on
On searching, I found that the current version of OpenDocMan is vulnerable to SQL injection. Read more here: https://www.exploit-db.com/exploits/32075
Use the default credentials (guest:guest) to log in and execute the SQL injection against the website to find user details. To speed things up, sqlmap is at your disposal.
sqlmap -u "http://192.168.1.45/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --level 5 --risk 3 --batch -D jabcd0cs -T odm_user --dump
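The same request seen from the web server's side, as an added example that is not part of the original post: it parses constructed Apache combined-format access-log lines and flags calls to ajax_udf.php whose add_value is not a bare identifier (the sqlmap command above passes a plain table name there) or that carry sqlmap's default user agent. The sample lines, the field names and the identifier rule are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; not captured from the box.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Jan/2024:10:00:02 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 1024 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.10 - - [01/Jan/2024:10:00:03 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.168.1.11 - - [01/Jan/2024:10:00:04 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: add_value names a table/column, so a legitimate value is a bare identifier.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def inspect_request(line):
    """Return a finding dict for one log line, or None if the line is not suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/ajax_udf.php"):
        return None
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user agent")
    # parse_qs percent-decodes values, so encoded quotes and spaces are visible here.
    for value in parse_qs(parts.query).get("add_value", []):
        if not IDENT_RE.match(value):
            reasons.append("add_value is not a bare identifier: %r" % value)
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "reasons": reasons}


def scan_log(text):
    """Run inspect_request over every line and collect the findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["time"], "; ".join(finding["reasons"]))
```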
You can find the default database of the website by opening the following URL
Cracking the password of the admin user, webmin (confirmed from the odm_admin table)
Don't forget the SSH server is still untouched. Let's use the login details to enter the SSH shell.
Boom! Got the initial foothold.
Now let's find the file containing the flag.
Also, sudo didn't work. I tried pkexec and vulnerable SUID files as well.
This is from my experience: if sudo or SUID doesn't work, move on to kernel exploitation.
This kernel is vulnerable to LPE (local privilege escalation): https://www.exploit-db.com/exploits/37292.
Now you need to download, compile and execute this exploit code.
Want to discuss anything or give me any suggestions? Reach me via any of the following platforms.