Vulnhub – Vulnuni1.0.1 Walkthrough

We start by scanning the target with nmap -A -T4 -p- 192.168.1.12 -vv

Only port 80 is open, so we scan it with dirb http://192.168.1.12 /usr/share/dirb/wordlists/big.txt

Nothing interesting so far, so I fired up OWASP ZAP and I got an e-learning login page:

http://192.168.1.12/vulnuni-eclass/

I’ve searched searchsploit for GUnet Eclass and I got two results:

We can exploit the login page with BurpSuite and Sqlmap:

First we need to intercept the login (test:test) with BurpSuite and copy the results to a file.

Then we start Sqlmap like sqlmap -r eclasstestlogin --level=5 --risk=3 -v and you will get something like this:

We keep Sqlmap running with sqlmap -r eclasstestlogin -v --current-db and you will get the database name:

The next command to exploit the database is sqlmap -r eclasstestlogin -v -D eclass -T user -C password --dump

Now we log in with the password ilikecats89 because it’s the one that worked eventually:

Next we go to Admin Tools, then down to the option to restore a course, where we can upload a shell file; we’re going to use a PHP file and compress it:

With the listener running, we get a shell back on our machine.

The home directory has the user flag.txt file.
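From the defender's side, the restore-a-course upload above accepted a compressed PHP file and the server then ran it. The following is an added example, not code from this walkthrough or from the eClass project, of a server-side check that rejects such archives before extraction; the function names, the extension list and the size limit are assumptions, and the archives are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed deny-list of names a PHP-enabled web server may execute or obey.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht", ".htaccess"}

def member_problems(name: str) -> list[str]:
    """Return the reasons a single archive member name should be rejected."""
    problems = []
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts:
        problems.append("path escapes extraction directory")
    base = path.name.lower().rstrip(". ")
    # Check every dot-separated part so "shell.php.jpg" and "shell.PHP" are caught too.
    if any("." + part in EXECUTABLE_EXTS for part in base.split(".")[1:]):
        problems.append("server-executable file type")
    return problems

def validate_course_archive(data: bytes, max_total: int = 50 * 1024 * 1024) -> list[str]:
    """Return rejection reasons for an uploaded archive; an empty list means it passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    reasons, total = [], 0
    with zf:
        for info in zf.infolist():
            total += info.file_size  # declared uncompressed size
            reasons += [f"{info.filename}: {p}" for p in member_problems(info.filename)]
    if total > max_total:
        reasons.append("declared uncompressed size exceeds limit")
    return reasons

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    good = build_zip({"course/index.html": "<h1>Intro</h1>", "course/notes.txt": "week 1"})
    bad = build_zip({"course/shell.php": "placeholder", "../escape.txt": "x"})
    print(validate_course_archive(good))
    print(validate_course_archive(bad))
```

A deny-list like this is the weaker half of the control; extracting uploads outside the web root, or disabling script execution in the upload directory, is the stronger one.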

OK, now the host is running Ubuntu 12.04, which we can exploit with a dirtyc0w exploit. I’ve tried different dirtyc0w exploits, but just one of them is a fit (dirtyc0w), and the instructions are inside the exploit itself. We download the file, transfer it to the target machine with wget, then run it and get root:

gcc -Wall -o dirtycow-mem dirtyc0w.c -ldl -lpthread

./dirtycow-mem
