
I can’t stand it when there isn’t a single vulnhub walkthrough that avoids Metasploit! So I made this vulnuni:1 vulnhub walkthrough without Metasploit for that reason.

The vulnhub vulnuni machine is a vulnerable Linux machine that is good for learning Linux privilege escalation, Linux enumeration, web app pen testing, web app hacking, how to find the Linux kernel version, and more!

Recon

An nmap scan shows a web service is running.

I could look up whether this version of Apache has a known vulnerability, but it is better here to view the website and look for myself first.

The first step, however, is to add vulnuni.local to the /etc/hosts file; anyone who frequents Hack The Box or does a lot of vulnhub machines knows this is standard practice.

Web Enumeration

To start the web enumeration phase, I use AutoRecon, dirsearch, or dirb. Dirsearch did not find anything, so dirb was next up. Dirb found some extra pages that look interesting.

I looked through each page, starting with the about page, and viewed the page source to look for the web service name and version number.

Do a dirb search: dirb http://vulnuni.local


Viewing the page source shows a comment revealing that this is the EClass Platform. That information alone is enough to find an exploit, as I found out, but looking at the new page helps narrow it down.

View http://vulnuni.local/courses

Navigating to that page in the browser brings up the “EClass Platform” page and with it a login button, nice!

Go to the login page vulnuni.local/vulnuni-eclass/ next.

It is always worth trying the default credentials for a web app, so I try admin:admin and admin:qwerty, but these don’t work.

First Exploit

Since I can’t log in to the EClass web application, it’s time to look for available exploits online. The first exploit requires using Burp Suite and it also requires an admin account.

The exploit works for versions up to and including 1.7.3, which covers this app, so it’s good.

Burp Suite is required for this first exploit. (Want to use FoxyProxy & Burp? I wrote the tutorial!) Log in with test credentials and capture the request that is sent in Burp.

The next part of this exploit is to capture the login request from the login page vulnuni.local/vulnuni-eclass and save it to a file. You can do this with Copy to file > Save as eclasslogintest, then load the request into sqlmap.

Remember we want the request and not the response.

Now for sqlmap. According to the exploit, the way to load the request into sqlmap is with the command sqlmap -r eclasslogintest --level=5 --risk=3 -v.

The next commands to run are sqlmap -r eclasslogintest -v --current-db and sqlmap -r eclasslogintest -v -D eclass -T user -C password --dump.
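From the defender's side, the sqlmap run above leaves a recognisable trail in the web server's access log. The following Python detector is an added example (not part of the walkthrough or of eClass) that parses Apache combined-format lines and flags a scanner User-Agent, a burst of POSTs to the login path from one client, and 5xx responses to login attempts. The log lines are constructed samples; the path /vulnuni-eclass/ is the login page from this page, and the burst threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines imitating the sqlmap run
# against the EClass login page (sample data, not a captured log).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:00:01 +0000] "GET /vulnuni-eclass/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
10.0.0.9 - - [12/Mar/2020:10:00:02 +0000] "POST /vulnuni-eclass/ HTTP/1.1" 200 4870 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [12/Mar/2020:10:00:02 +0000] "POST /vulnuni-eclass/ HTTP/1.1" 200 4870 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [12/Mar/2020:10:00:03 +0000] "POST /vulnuni-eclass/ HTTP/1.1" 500 612 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.5 - - [12/Mar/2020:10:00:40 +0000] "POST /vulnuni-eclass/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATH = "/vulnuni-eclass/"        # login page from the walkthrough
BURST_THRESHOLD = 3                    # assumed: login POSTs per window that look automated
BURST_WINDOW = timedelta(seconds=60)   # assumed

def detect_sqli_probing(log_text):
    """Return a sorted list of unique (alert_type, client_ip) tuples."""
    alerts = set()
    login_posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Default sqlmap User-Agent: a weak signal alone, so the rate checks below matter too
        if "sqlmap" in rec["ua"].lower():
            alerts.add(("scanner-ua", rec["ip"]))
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            login_posts[rec["ip"]].append((ts, rec["status"]))
    for ip, events in login_posts.items():
        events.sort()
        # Sliding window: BURST_THRESHOLD login POSTs inside BURST_WINDOW from one client
        for i, (start, _) in enumerate(events):
            if sum(1 for t, _ in events[i:] if t - start <= BURST_WINDOW) >= BURST_THRESHOLD:
                alerts.add(("login-burst", ip))
                break
        # A 5xx on a login POST usually means malformed input reached the database query
        if any(status.startswith("5") for _, status in events):
            alerts.add(("login-5xx", ip))
    return sorted(alerts)
```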

Second Exploit

The second exploit requires an admin account, which we now have! So log in to the login page again with the credentials admin:ilikecats89.

The difference between these two exploits is that this one will end with me getting a shell on the target.

To complete this exploit, copy the webshell from /usr/share/webshells/php-reverse-shell.php to /home/ and edit the shell to reflect your current networking settings. Set the listening port to 443. Now compress the php file into a zip archive.

Now the exploit says to upload the compressed shell to vulnuni.local/vulnuni-eclass/modules/course_info/restore_course.php.

Next, start a netcat listener with nc -lvp 443. Other ports did not seem to work for me; 4444 did not work!

To execute the shell we need to load the extracted file. Browse to vulnuni.local/vulnuni-eclass/courses/tmpUnzipping/php-reverse-shell.php, reload the page, and wait for a shell.
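The root cause of this second exploit is that restore_course.php extracts an uploaded archive under the web root without inspecting it. As an added example from the defender's side (not code from the walkthrough or from eClass), here is a Python pre-extraction check that rejects an archive if any entry is a server-side script (including double extensions such as .php.jpg), escapes the extraction directory, is a symlink, or is a web-server override file. The sample archives are constructed in memory; the extension list, override-file list and size limit are assumptions.

```python
import io
import posixpath
import stat
import zipfile

# Assumed policy: anything the web server would execute, or that could change
# how it serves the extraction directory, is grounds to reject the whole archive.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # assumed per-entry limit for a course backup

def find_archive_problems(data):
    """Return [(entry_name, reason), ...] for every entry that must not be extracted."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name.replace("\\", "/"))
            base = posixpath.basename(norm)
            # Zip Slip: absolute paths or leading ".." would land outside tmpUnzipping/
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../"):
                problems.append((name, "path escapes extraction directory"))
            # A symlink entry could point the extracted tree at files outside it
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append((name, "symbolic link"))
            # Check every suffix so shell.php.jpg is caught along with shell.php
            if any(part in SCRIPT_EXTENSIONS for part in base.lower().split(".")[1:]):
                problems.append((name, "server-side script"))
            if base in CONFIG_OVERRIDES:
                problems.append((name, "web server config override"))
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append((name, "entry too large"))
    return problems

def build_sample_zip(entries):
    """Constructed test archive from (name, bytes) pairs; entry names are stored as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

SAFE_BACKUP = build_sample_zip([("course/info.xml", b"<course/>"), ("course/docs/notes.txt", b"notes")])
MALICIOUS_BACKUP = build_sample_zip([
    ("course/info.xml", b"<course/>"),
    ("php-reverse-shell.php", b"<?php // constructed placeholder ?>"),
    ("../../index.php", b"<?php // constructed placeholder ?>"),
    ("course/.htaccess", b"# constructed placeholder"),
    ("course/avatar.php.jpg", b"not really an image"),
])
```

An archive with a non-empty problem list should be discarded before any entry is written; the extraction directory should additionally be served with script execution disabled so a missed case cannot run.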

The first thing to do with a basic shell is to get a better one. Do that by spawning a TTY (teletypewriter) with Python's pty module: python -c 'import pty;pty.spawn("/bin/bash")'.

Now that I have a shell, it’s time for the privilege escalation phase. First, however, I find the user flag, which is in the www-data user’s home directory as flag.txt.

Using the uname -srm command (-s kernel name, -r kernel release, -m machine hardware name) I see that the Linux kernel version is 3.11.0-15-generic, so I will attempt to use the DirtyCow exploit.

Privilege Escalation

Someone somewhere is sighing that I am about to say to use DirtyCow, but that is the intended way to root vulnuni. In this vulnhub vulnuni walkthrough I say to use DirtyCow.

DirtyCow can be unstable, something the exploit documentation actually says. I had to compile and run the DirtyCow exploit 3 times to get a usable root shell, no kidding.

Start a simple Python web server with python -m SimpleHTTPServer 8000 and serve up the DirtyCow exploit C file.

I compile the exploit code with the native C compiler gcc, following the exploit instructions: gcc 40616.c -o cowroot -pthread.

Then I execute the exploit to get a root-level shell and continue to capture the flag!

Use echo 0 > /proc/sys/vm/dirty_writeback_centisecs for a stable shell. Running that command right after the exploit noticeably improved overall shell stability for me.

That’s it for the vulnhub vulnuni:1 walkthrough.

Want to learn more ethical hacking? I highly recommend my book for beginners to pentesting, Become An Ethical Hacker. Check the price on Amazon.
