Saturday, June 4, 2016

SecTalks: BNE0x03 - Simple ~ VulnHub

BNE0x03 - Simple ~ VulnHub

Simple

Environment:
Attacker: Kali Linux 2016
Vulnerable Machine: Simple
URL: https://www.vulnhub.com/entry/sectalks-bne0x03-simple,141/
VMWare Workstation 12 Player
Networking: Host-based Internal
Target: /root/flag.txt

 Walk-Through: 

1) Find IP

Using netdiscover -i eth0 -r 192.168.204.0/24 I am able to find what IP the VM is utilizing. 

 

It looks like 192.168.204.132 is the target.

2)  Find open ports

Using nmap I can see what ports are open.



Looks like port 80 is open and that there is a service running on it.

3) Get more info

Using Nikto I am able to get a little more information about the service that is running.



Looks there there are some files to look into.

4) What's availible

First let me go directly to the web server and see what it shows me.
 
I'm given a basic login page. It does tell me that  the web server is running CuteNews 2.0.3. I also looked into the other files.


While they give some good information, they don't give me much help.

5) Exploit DB

Since I have the name of the service let me take a look to see if there are any exploits for it.



A quick search returned the above vulnerability https://www.exploit-db.com/exploits/37474/

This vulnerability tells you to create a user, login and then use the upload an avatar photo to upload a php script as a .jpg

6) Exploiting CuteNews

I was able to register a new account using some fake credentials. No email check required.



Once logged in you are given the ability to go to Personal options.



This gives me the option to upload a file for use as an avatar picture. Instead I will upload the following php script as a .jpg and use tamper data to change it to a php file.



I have changed the ip to my attacker machine IP. This is the machine that will listen for the reverse shell on port 1234.

7) Tamper Data



I opened up tamper data and started tamper so that I can watch as I upload my "jpg" file.



Hitting tamper brings up the data that is being sent. POST_DATA is going to be the information that I want to tamper with.



Moving that data to a notepad gives me the following.



I found the filename within the data being sent. This is going to be the information that I need to change. I need my file name to be shell.php so that I can execute it later.






Now I can paste this information back into POST_DATA and hit okay to submit that data as well. I am prompted to tamper a few other pieces of data, but I don't need to tamper them. I get confirmation on the index.php page that my file has been uploaded.

8) Reverse Shell

I little bit of research showed me that the avatar pictures are stored in the /uploads/ directory.


My PHP code is stored here. Now I need to setup a netcat listener so that I can capture the shell when I run the code.



Now all I need to do is run my code and I'm in.



From the above screen capture I can see that the box is running Ubuntu 14.04.1. I will need to keep that in mind going forward.

9) /bin/bash

The first thing I do with a limited shell is to get a /bin/bash shell to make it easier to get around the box. The following python script will work for any box that has python on it.

 

10) Find an exploit

Exploit DB has an exploit for Ubuntu 14.04 (CVE 2015-1328) that will escalate my privileges at this address: https://www.exploit-db.com/exploits/37292/. Now I just need to get it on the box.



11) Uploading exploit to box

Using netcat I am able to upload files into the /tmp directory of the box. I can upload the exploit that I found earlier to escalate my privileges.



12) Root shell

I am able to compile and run the exploit in the /tmp directory.




13) Beer!!!

With a root shell I am able to get into the root directory and read the flag.