Vulnhub Walkthrough – “Simple”

This post is a walk through of the hacking of a Virtual Machine called “Simple” which is available here: https://www.vulnhub.com/entry/sectalks-bne0x03-simple,141/

After booting up the virtual machines and ensuring they were visible to one another, I began with some simple enumeration.  Several Nmap scans showed that only port 80 was open.

I loaded up Firefox and checked out the website to find a login panel for CuteNews (v2.0.3).

I did spend a bit of time online researching CuteNews but didn’t find many results about vulnerabilities or exploits.  Looking further at the actual page itself, I decided to register an account.

Once I had done that I saw that on my profile page I had the ability to upload an avatar – or, in fact, any file I wanted, since the upload was not restricted to image types.  I tested it with a standard web shell: from /usr/share/webshells I took one of the PHP reverse shells, copied it to myshell.php and edited it in Vim.
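The weakness here is that the avatar form accepts any file and stores it under the client-supplied name. The following is an added example (not CuteNews code, and not from the original post) of the server-side validation that would have stopped the upload: an extension allow-list, a check that the first bytes match the image type the extension claims, a content-type check, rejection of double extensions and of image files that also contain PHP open tags, and a server-chosen storage name. Function names and sample payloads are constructed.

```python
"""Avatar upload validation: the control whose absence lets an arbitrary
PHP file be stored and then executed. Example code, not CuteNews's own."""
import os
import re

# extension -> (leading magic bytes, expected declared Content-Type)
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}
MAX_BYTES = 512 * 1024
# base name may contain no dots or path characters: this rejects "shell.php.png"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_avatar(filename, content_type, data):
    """Return (ok, reason) for a candidate avatar upload.

    Checks, in order: allow-listed extension, single safe base name, size,
    magic bytes matching the extension, declared content-type, and absence
    of PHP open tags inside an otherwise valid image (polyglot upload)."""
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not SAFE_NAME.match(base):
        return False, "unsafe base name"
    if len(data) > MAX_BYTES:
        return False, "too large"
    magic, expected_type = ALLOWED[ext]
    if not data.startswith(magic):
        return False, "magic bytes do not match extension"
    if content_type != expected_type:
        return False, "content-type mismatch"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def store_name(user_id, ext):
    """Server-chosen storage name; the client's filename is never reused."""
    return f"avatar_{int(user_id)}{ext}"


if __name__ == "__main__":
    # constructed inputs: a renamed PHP shell and a genuine PNG header
    print(validate_avatar("myshell.php", "image/png", b"<?php phpinfo(); ?>"))
    print(validate_avatar("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Even with validation in place, the upload directory should also be served with script execution disabled, so that a file that slips through is returned as static content rather than run by PHP.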

I set the port to call back to as 1234 and entered my Kali IP address.  In Kali I started netcat listening on that port for a connection.  From my CuteNews control panel I opened the web shell I had just uploaded, and it connected back and dropped me into a shell!
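From the defender's side, the step just described leaves a clear trace in the web server's access log: a request for a file with a server-side-script extension inside the directory where avatars are stored. The following is an added example, not part of the original post, of detection logic over combined-format access log lines; the log lines, the /uploads/ path and the profile URL are constructed and do not reflect CuteNews's real paths.

```python
"""Flag requests that fetch a script file from the avatar upload directory.
Added example over constructed Apache/nginx combined-format log lines."""
import re

# minimal combined log format parser: ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# extensions that a PHP-enabled server might execute; also catches "photo.php.jpg"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pl|cgi|sh)(\.|$)", re.IGNORECASE)
UPLOAD_DIR = "/uploads/"  # assumed location of stored avatars

# constructed sample log: registration, profile edit, a normal avatar fetch,
# then the uploaded web shell being requested, and a double-extension attempt
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /index.php?register HTTP/1.1" 200 1432
10.0.0.5 - - [01/Jan/2016:10:00:30 +0000] "POST /index.php?mod=profile HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2016:10:00:45 +0000] "GET /uploads/avatar_user.png HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2016:10:01:02 +0000] "GET /uploads/myshell.php HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2016:10:02:00 +0000] "GET /uploads/photo.php.jpg HTTP/1.1" 200 3000
"""


def find_suspicious(log_text):
    """Return (ip, timestamp, path) for every request whose path lies under
    UPLOAD_DIR and names a script-like file (query string ignored)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


if __name__ == "__main__":
    for ip, ts, path in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} requested script file from upload dir: {path}")
```

A request like the fourth line returning 200 is the moment the shell was executed; correlating it with an outbound connection from the web server to port 1234 on the same host would confirm the reverse shell described above.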

Using Python I spawned a bash shell.

I did some enumeration on the target – tons actually.  I used the excellent g0tmi1k privilege escalation list (Link: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/).  I did quite a lot around finding files with sticky bits, looking for world-writable files, looking into /etc/passwd and whether the shadow file was readable, looking into /var/log, and a lot of other things.

I did find that the MySQL user root had the password root, but unfortunately this wasn’t useful.

Doing research online I discovered a published exploit (Link: https://www.exploit-db.com/exploits/37292/) which matched my kernel version.  This was an overlayfs privilege escalation (CVE-2015-1328).  I downloaded it within the shell on the target machine.

Compiled it: gcc 37292.c -o hacky

When this was executed the exploit was successful, and running the id command confirmed that I was now in a root shell!!!

This was a very fun machine and not too complicated, so ideal for beginners.  My thanks go to the author, Robert Winkel.
