Last updated: 15 Apr 24 09:31:48 (UTC)

Write-Up VulnUni-1

VulnUni: 1.0.1

By Lawcky 14/01/24

Introduction

Goal: Hack your University and get root access to the server.

Difficulty: easy

Additional info:

Name: VulnUni: 1.0.1
Release date: 20 Mar 2020
Author: emaragkos
Series: VulnUni

|NOTE| The full scan outputs are not reproduced here because they would be far too voluminous; they are available through the linked page.


In this write-up

  • nmap
  • nikto
  • ffuf

Write-Up

ffuf

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.94/FUZZ -fc 403

All the results are in the linked output.
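A wordlist scan like the ffuf run above is very visible from the server side: one client produces a dense burst of 403/404 responses for paths that never existed. The following is an added example, not part of the original write-up, showing how a defender could flag that pattern in a combined-format access log. The log lines are constructed for the demo (the ffuf User-Agent string and version shown are sample values, and the threshold/ratio numbers are assumptions to tune per site).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzers(lines, window=timedelta(seconds=60), threshold=20, ratio=0.8):
    """Return {ip: summary} for every client that, inside any `window`, sent at
    least `threshold` requests of which at least `ratio` were 403/404.  That
    miss-heavy burst is what a wordlist scan looks like from the server side,
    regardless of the User-Agent the tool sends."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            misses = sum(1 for r in chunk if r["status"] in (403, 404))
            if len(chunk) >= threshold and misses / len(chunk) >= ratio:
                alerts[ip] = {
                    "requests": len(chunk),
                    "misses": misses,
                    "user_agents": sorted({r["ua"] for r in chunk}),
                }
                break
    return alerts


# Constructed sample log: one host hammering guessed paths (a sample ffuf-style
# User-Agent string), one host browsing normally.
_T0 = datetime(2024, 1, 14, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i, word in enumerate(["admin", "backup", "config", "test"] * 8):
    ts = (_T0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
    SAMPLE_LOG.append(
        f'192.168.1.50 - - [{ts}] "GET /{word}{i} HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"'
    )
for i, path in enumerate(["/", "/contact.html", "/vulnuni-eclass/"]):
    ts = (_T0 + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
    SAMPLE_LOG.append(
        f'192.168.1.10 - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    )

if __name__ == "__main__":
    for ip, info in find_fuzzers(SAMPLE_LOG).items():
        print(f"{ip}: {info['misses']}/{info['requests']} misses, UA={info['user_agents']}")
```

The detection keys on the response-status pattern rather than the User-Agent, because the agent string is trivially changed; the agents seen are reported only as supporting context.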


Website

In the HTML source of the contact.html page we found a reference to a /vulnuni-eclass-platform.html page.

On it we found the link to the login page http://192.168.1.88/vulnuni-eclass/

We find that the site is running OpenEclass version 1.7.2.


SQLI using sqlmap

Using this exploit:

We intercept the login request with Burp, save it to a file, and load that file into sqlmap in order to exploit it.

sqlmap -r openeclasstestlogin --level=5 --risk=3 -v

[screenshot]

sqlmap reports the injectable parameter, which we can then use to exploit it.

sqlmap -r openeclasstestlogin -v --current-db

[screenshot]

We now know the database name is eclass.

Then we dump the database to see all the tables:

sqlmap -r openeclasstestlogin -v -D eclass --dump

After dumping the database we discovered the user table.

[screenshot]

After a VERY long sqlmap query we get the whole user table, with the passwords stored in plaintext:

sqlmap -r openeclasstestlogin -v -D eclass -T user -C username,password --dump

[screenshot]

We now have admin access to the web application.

[screenshot]


Web Application

We found the following in the config file:

[screenshot]

Let's try to create a course in order to upload a file.

[screenshot]

[screenshot]

We were able to upload a reverse shell through the admin tool “restore a course”, which was then executed at

http://vulnuni.local/vulnuni-eclass/courses/tmpUnzipping/reverse_shell.php

[screenshot]

68fc668278d9b0d6c3b9dc100bee181e

First flag found.
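The course-restore feature unpacked an attacker-supplied archive into a web-reachable directory without looking at what was inside. As an added example (not OpenEclass code and not from the write-up), here is the kind of pre-extraction check such a feature should run: it rejects server-executable file types, path-traversal names, and oversized archives before a single byte is written to disk. The extension list and size limits are assumptions; the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# Extensions the web server would hand to an interpreter if they landed under
# the document root (assumed list; the real one depends on the handler config).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh"}


def validate_archive(data, max_entries=500, max_total_bytes=50_000_000):
    """Inspect an uploaded zip *before* extracting it.  Returns a list of
    problems; an empty list means the archive is safe to unpack."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            problems.append(f"too many entries ({len(infos)})")
        total = 0
        for info in infos:
            name = info.filename
            norm = posixpath.normpath(name)
            # Absolute paths, backslashes, or a leading '..' after normalisation
            # would write outside the extraction directory.
            if name.startswith("/") or "\\" in name or norm.split("/")[0] == "..":
                problems.append(f"path traversal: {name}")
            # Check every dotted suffix so `shell.php.txt` and `SHELL.PHP` are caught too.
            exts = posixpath.basename(name).lower().split(".")[1:]
            if any(ext in EXECUTABLE_EXTS for ext in exts):
                problems.append(f"server-executable file: {name}")
            total += info.file_size
        if total > max_total_bytes:
            problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def build_zip(entries):
    """Build an in-memory zip from (name, content) pairs; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a legitimate course backup, and one carrying a .php
# entry (the vector used above) plus a traversal name for good measure.
CLEAN_BACKUP = build_zip([
    ("course/index.html", "<h1>Intro to Security</h1>"),
    ("course/notes.txt", "week 1 notes"),
])
MALICIOUS_BACKUP = build_zip([
    ("course/index.html", "<h1>Intro to Security</h1>"),
    ("reverse_shell.php", "placeholder content, not a real payload"),
    ("../../var/www/html/notes.txt", "escapes the unzip directory"),
])

if __name__ == "__main__":
    print("clean:", validate_archive(CLEAN_BACKUP) or "ok")
    print("malicious:", validate_archive(MALICIOUS_BACKUP))
```

Validation alone is not enough: the shell above ran because courses/tmpUnzipping/ was served by the web server. The complementary fix is to unpack into a directory outside the document root, or to configure the server so nothing under the upload and temp directories is ever passed to the PHP handler.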


Privilege Escalation

We see two ports listening on localhost.

[screenshot]

One of them may be the MySQL service from before.

Nothing useful inside.


DirtyCow

We download Dirty COW and compile it with:

gcc -pthread cowroot.c -o cowroot -lcrypt

[screenshot]

[screenshot]

It worked.

[screenshot]

ff19f8d0692fe20f8af33a3bfa6635dd

Second flag found.

Another option is the PwnKit exploit, which also yields the flag.