CyberSecLabs — Simple Write up

This is a write-up for Simple, from CyberSecLabs. CyberSecLabs is an excellent platform for people who want to work on their penetration testing skills. The best thing about it is that the machines are not 'CTF style'; they are quite realistic, which also makes them good practice for students preparing for the OSCP.

PART 1 : USER

Nmap returned only two open ports, HTTP and SSH, and the HTTP service banner shows that the website is running CMS Made Simple. Let's move on to the website for further enumeration, but I always like to have some enumeration running in the background, so first we start a directory scan against the website.

In the bottom left corner of the website we see the CMS version. Let's check whether any exploits are available for this particular version.

Searchsploit has no entry for CMS Made Simple 2.2.4 specifically, but it does list an SQL injection exploit for versions < 2.2.10. That covers every version before 2.2.10, which includes ours.

It is a time-based (blind) SQL injection. In a time-based injection the response body does not change at all; the attacker injects a condition that makes the database wait for a specified number of seconds only when the condition is true, and infers the data one character at a time from how long each response takes.
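To make the mechanism concrete, here is an added example (my code, not the exploit from the write-up or CMS Made Simple's) of the inference loop a time-based blind exploit runs. The vulnerable endpoint is simulated in-process: the column name, the secret value and the payload shape `IF(ASCII(SUBSTRING(...)) > n, SLEEP(t), 0)` are assumptions for the demonstration, and the delay is shortened so the whole extraction runs in a few seconds. The extractor sees nothing but response time and still recovers the full value with seven requests per character.

```python
import time
from typing import Callable

# Constructed data: what the simulated database holds. The exploit in the
# write-up pulled an e-mail and a password hash out of CMS Made Simple; the
# column name and value below are made up for this demonstration.
FAKE_DB = {"email": "admin@example.com"}

# Delay the injected SLEEP() asks for. Real exploits use 1-5 s; it is kept
# small here so the full extraction finishes quickly.
SLEEP_SECONDS = 0.05


def simulated_endpoint(column: str, position: int, threshold: int) -> None:
    """Stand-in for the vulnerable parameter (assumption: not the real CMS).

    Models the effect of an injected
        ... AND IF(ASCII(SUBSTRING(<column>, <position>, 1)) > <threshold>,
                   SLEEP(<t>), 0) ...
    The only observable is time: the response body is identical either way.
    """
    value = FAKE_DB[column]
    # SUBSTRING past the end of the string yields '' and ASCII('') is 0,
    # which is how the extractor detects the end of the value.
    code = ord(value[position - 1]) if position <= len(value) else 0
    if code > threshold:
        time.sleep(SLEEP_SECONDS)


def timed(fn: Callable[..., None], *args) -> float:
    """Return how long one request took: the attacker's only signal."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


def oracle(column: str, position: int, threshold: int) -> bool:
    """True if ASCII(char) > threshold, judged by whether the server slept.

    The cut-off is half the requested delay: network jitter and a loaded
    server blur short timings, so a wide gap between 'slept' and 'did not'
    is what makes the inference reliable.
    """
    return timed(simulated_endpoint, column, position, threshold) >= SLEEP_SECONDS / 2


def extract_char(column: str, position: int) -> int:
    """Binary-search the ASCII code at `position` with 7 yes/no questions."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(column, position, mid):   # is code > mid ?
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(column: str, max_len: int = 64) -> str:
    """Pull the whole value, stopping at the ASCII 0 that marks its end."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(column, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print(extract_string("email"))
```

On the defensive side this is also what the attack looks like in logs: many requests to the same endpoint with near-identical parameters and a bimodal distribution of response times, which is a far better detection signal than looking for `sleep` in the URL alone.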

Let's copy the exploit to our working directory and run it.

The exploit completes successfully. It finds an e-mail address and a password hash, and cracks the hash.

Going back to the directory scan that was running in the background, we see there is an admin directory on the website.

We log in with the username and password we found.

In the admin panel, under the Content menu, there is a File Manager option. It allows us to upload files to the /uploads directory.

Next we copy the PHP reverse shell script to our directory; Kali ships one in /usr/share/webshells/php/ by default. We edit the script to set our IP and port.

It refuses to upload shell.php, so let's change the extension to .txt and try again. This time the upload succeeds, which tells us the filter only looks at the file extension.

For some reason, it did not allow us to rename the file, so let's try copying the contents of our text file into a new .php file instead.

The copy is allowed, and shell.php, containing our reverse shell, now sits in the /uploads directory. The extension check covered upload and rename, but not creating a new file by copying.
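The bypass above works because the extension check lives in some operations and not others. The added example below (my code, not the CMS's file manager) replays the write-up's steps against a toy file manager with exactly that gap, then against a hardened version where every operation that creates a file name goes through one allow-list check. The extension lists are assumptions for the demonstration.

```python
from pathlib import PurePosixPath
from typing import Dict

# Extensions a PHP-backed web server would execute if they landed in a
# web-reachable directory such as /uploads.
EXECUTABLE = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".phps"}
# What a CMS file manager legitimately needs to accept (assumption).
ALLOWED = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}


class VulnerableFileManager:
    """Mirrors the behaviour seen in the write-up: upload and rename are
    filtered with a deny-list, but a copy that creates a new file is not."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}   # filename -> contents

    @staticmethod
    def _deny_executable(name: str) -> None:
        if PurePosixPath(name).suffix.lower() in EXECUTABLE:
            raise PermissionError(f"{name}: extension not allowed")

    def upload(self, name: str, data: bytes) -> None:
        self._deny_executable(name)
        self.files[name] = data

    def rename(self, old: str, new: str) -> None:
        self._deny_executable(new)
        self.files[new] = self.files.pop(old)

    def copy(self, src: str, dst: str) -> None:
        # The gap: the destination name is never checked.
        self.files[dst] = self.files[src]


class HardenedFileManager(VulnerableFileManager):
    """Same interface; every operation that creates a name goes through one
    allow-list check, so there is no second code path for an attacker to find."""

    @staticmethod
    def _check_name(name: str) -> None:
        p = PurePosixPath(name)
        # Reject separators, '..' and dotfiles (a writable .htaccess would let
        # an attacker re-enable PHP for otherwise harmless extensions).
        if name in ("", ".", "..") or p.name != name or name.startswith("."):
            raise ValueError(f"{name}: bad file name")
        suffixes = [s.lower() for s in p.suffixes]
        # The final extension must be allow-listed, and no inner extension may
        # be executable: shell.php.txt runs under some Apache AddHandler setups.
        if not suffixes or suffixes[-1] not in ALLOWED:
            raise PermissionError(f"{name}: extension not allowed")
        if any(s in EXECUTABLE for s in suffixes):
            raise PermissionError(f"{name}: executable extension in name")

    @classmethod
    def accepts(cls, name: str) -> bool:
        try:
            cls._check_name(name)
            return True
        except (ValueError, PermissionError):
            return False

    def upload(self, name: str, data: bytes) -> None:
        self._check_name(name)
        self.files[name] = data

    def rename(self, old: str, new: str) -> None:
        self._check_name(new)
        self.files[new] = self.files.pop(old)

    def copy(self, src: str, dst: str) -> None:
        self._check_name(dst)
        self.files[src]  # fail early if the source is missing
        self.files[dst] = self.files[src]


def replay_writeup(manager: VulnerableFileManager) -> bool:
    """Replay the write-up's steps; True if a .php file ends up stored."""
    payload = b"<?php system($_GET['cmd']); ?>"   # stands in for the reverse shell
    for step in (lambda: manager.upload("shell.php", payload),
                 lambda: manager.upload("shell.txt", payload),
                 lambda: manager.rename("shell.txt", "shell.php"),
                 lambda: manager.copy("shell.txt", "shell.php")):
        try:
            step()
        except PermissionError:
            pass
    return "shell.php" in manager.files


if __name__ == "__main__":
    print("vulnerable manager stores shell.php:", replay_writeup(VulnerableFileManager()))
    print("hardened manager stores shell.php:  ", replay_writeup(HardenedFileManager()))
```

The design point is that the check is a single function applied to the destination name of every write, and that it is an allow-list of what the application needs rather than a deny-list of what the attacker tried last time.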

Now let's request our PHP file from the /uploads directory, but first set up a netcat listener.

With the listener running, we browse to /uploads/shell.php and get a shell back. We are the user david on this machine.

Before moving on, let's spawn a tty shell and grab the user flag.

Part 2 : ROOT

After initial access, we enumerate the box for anything interesting. I use a Linux enumeration script for this, although I suggest learning manual enumeration before relying on scripts.

Once it completes, we see that systemctl has the SUID bit set, is owned by root, and is executable by our user.
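The manual equivalent of this finding is listing setuid files and comparing them with what the distribution normally ships. The added example below (my code, not the enumeration script used in the write-up) walks a tree, flags setuid binaries and sorts them into expected, known privilege-escalation paths and unexpected. The baseline of expected setuid binaries and the list of known escalators are assumptions to adjust for the system under review.

```python
import os
import stat
import sys
from typing import Dict, Optional, Set

# Binaries that legitimately carry the setuid bit on a typical Debian-family
# system (assumption: trim or extend for the distribution under review).
EXPECTED_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}

# Programs that give a root shell when setuid root, regardless of where they
# are installed. systemctl is the one this write-up abuses.
KNOWN_ESCALATORS: Set[str] = {
    "systemctl", "find", "vim", "vi", "python", "python3", "bash", "sh",
    "env", "cp", "mv", "nmap", "less", "more",
}


def classify(path: str, mode: int, uid: int,
             expected: Set[str] = EXPECTED_SUID) -> Optional[str]:
    """Return None for a file that is not setuid, otherwise a verdict.

    `mode` and `uid` are the st_mode / st_uid of the file, so the function
    can be exercised without touching the filesystem.
    """
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    if uid != 0:
        return "setuid-nonroot"          # worth a look, but not a root shell
    if path in expected:
        return "expected"
    if os.path.basename(path) in KNOWN_ESCALATORS:
        return "known-escalator"         # e.g. a setuid root systemctl
    return "unexpected"


def scan_tree(root: str, expected: Set[str] = EXPECTED_SUID) -> Dict[str, str]:
    """Walk `root` (like `find root -perm -4000 -type f`) and report verdicts.

    lstat is used so symlinks are never followed; unreadable entries are skipped.
    """
    findings: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            verdict = classify(path, st.st_mode, st.st_uid, expected)
            if verdict is not None:
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for p, v in sorted(scan_tree(start).items(), key=lambda kv: kv[1]):
        print(f"{v:16} {p}")
```

On the box in this write-up the systemctl entry would come out as `known-escalator`; on a hardened host the whole report should be nothing but `expected` lines, which is what makes a diff against a baseline a useful periodic check.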

I came across an interesting article explaining how this binary can be abused to escalate privileges.

As described in the article, we first create a systemd unit file, which is what systemctl reads when it starts a service.

The important part is the User= directive in the [Service] section: it must be set to the user we want the service, in our case the reverse shell in ExecStart=, to run as, which is root. With the file in place, we set up a listener and use the SUID systemctl to register and start our service. As soon as the service starts, we get a connection back on our machine as root.

Once we are root on the machine, we simply grab the flag from root's home directory.

References:

https://www.exploit-db.com/exploits/46635
