Updated: May 25, 2020
In this article we are going to solve another boot2root challenge, VulnUni:1.0.1. This is a beginner-level machine that can be downloaded from VulnHub.
Our first step is to find the IP address of the target using the command: netdiscover -i wlan0
The next step is to check for open ports. Command used: nmap -A 192.168.43.8
As we can see, only one port is open, port 80, so we decided to enumerate this port.
We started to explore the web application and found a very interesting comment in the source code of the Courses tab.
This comment led us to a new page, so we decided to open it.
On that page we found a login button, which took us to a login panel. It is an eclass login platform where courses and other things can be managed. We tried different combinations but failed to log in, so we decided that the last option was to try SQL injection. We tried to do it manually but failed, so we decided to use a tool, sqlmap. (We were getting an error, so we added the domain name vulnuni.local to the /etc/hosts file and then ran the command: sqlmap --url http://vulnuni.local/vulnuni-eclass/ --forms --dbs)
We decided to use the eclass database to fetch all the details, with the command: sqlmap --url http://vulnuni.local/vulnuni-eclass/ --forms -D eclass --tables
Now we fetch the data of the table user using the command: sqlmap --url http://vulnuni.local/vulnuni-eclass/ --forms -D eclass -T user --dump
(I have hidden the username and password of all the users, because I want you to perform the same task from the start and understand each and every command, so that you can learn something. If you feel completely stuck, contact me at email@example.com.)
Now we decided to log in to the eclass platform using the admin credentials we found.
We explored this web page but failed to find any way to upload and run the reverse shell script. So we searched the internet for GUnet and found an exploit that says to make a zip file of the reverse shell code file and upload it in
Admin tools -> Restore course -> upload zip file.
We uploaded the zip file and can access it by visiting the URL.
We opened the directory tmpUnzipping/, found the shell code file there, and executed it by clicking on it (don't forget to start the listener using the command nc -nvlp 1234).
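The upload works because Restore course unpacks whatever the zip contains into tmpUnzipping/, a directory the web server serves and runs scripts from. As an added example (not part of the original walkthrough and not eClass code), here is a Python sketch of the check a restore handler could run on an uploaded archive before unpacking it. The allowed extensions, the size limit and the function names are assumptions made for this illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumptions for this example: which file types a course backup may contain
# and how large it may unpack to. Neither value comes from eClass.
ALLOWED_EXT = {".txt", ".html", ".css", ".png", ".jpg", ".pdf", ".xml", ".sql"}
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def check_archive(data: bytes) -> list:
    """Return the reasons to reject an uploaded zip; an empty list means accept."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems, total = [], 0
    with zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            total += info.file_size  # declared uncompressed size
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"{name}: path escapes the extraction directory")
            if info.is_dir():
                continue
            # Strict on purpose: every suffix must be allowed, so shell.php.jpg
            # is rejected, and so are suffix-less names such as .htaccess.
            bad = [s for s in path.suffixes if s.lower() not in ALLOWED_EXT]
            if bad or not path.suffixes:
                problems.append(f"{name}: file type not allowed")
    if total > MAX_TOTAL_BYTES:
        problems.append("archive unpacks to more than the size limit")
    return problems


def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    good = make_zip({"course/index.html": b"<h1>Intro</h1>"})  # constructed
    bad = make_zip({"shell.php": b"placeholder"})              # constructed
    print(check_archive(good) or "accepted", check_archive(bad))
```

A filter like this is only one layer: unpacking outside the web root, or into a directory where the server does not execute scripts, removes the problem even if a file slips through.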
Now we changed our directory to /home, where we found a user vulnuni, and after changing the directory to /vulnuni we found our first flag.
Next, using the command uname -a, we found that the kernel version is vulnerable to the Dirty COW exploit. So we transferred this exploit to the target machine, compiled the binary, and ran it, and boom, we are root now!!
We are root now, and this completes our challenge!