This post is a walkthrough of the hacking of a Virtual Machine called “Simple” which is available here: https://www.vulnhub.com/entry/sectalks-bne0x03-simple,141/
After booting up the virtual machines and ensuring they were visible to one another, I began with some simple enumeration. Several Nmap scans resulted in my finding that only port 80 was open.
I loaded up Firefox and checked out the website to find a login panel for CuteNews (v2.0.3).
I did spend a bit of time online researching CuteNews but didn’t get too many results about vulnerabilities or exploits. Looking further at the actual page itself I decided to register an account.
Once I had done that I saw that on my profile page I had the ability to upload an Avatar – or any file I wanted to actually. I tested it with a standard web shell. Within /usr/share/webshells I used one of the PHP reverse shells, copying it to myshell.php and then editing it in Vim.
I set the PORT to call out to as 1234 and entered my Kali IP address. Within Kali I opened up a netcat and listened on this port for a connection. Within my CuteNews control panel I opened up the web shell I had just uploaded and managed to connect and fall into the shell!
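The avatar upload accepted a PHP file and the server then executed it. As an added example (not CuteNews code and not part of the original walkthrough), this is the kind of server-side check that stops it; the function name `vet_avatar`, the format allowlist and the size limit are assumptions, and the sample inputs are constructed.

```python
import secrets

# Leading magic bytes of the only formats an avatar may be (assumed allowlist).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_OPEN_TAG = b"<?php"   # short tags are not scanned: too many false hits in binary data
MAX_BYTES = 512 * 1024    # assumed size limit


def vet_avatar(client_name: str, data: bytes) -> str:
    """Return a safe server-side filename for the upload, or raise ValueError.

    The client-supplied name is only used in error messages. The stored name
    has a random stem and an extension derived from the detected content, so
    an upload called myshell.php can never be stored as a .php file.
    """
    if len(data) > MAX_BYTES:
        raise ValueError(f"{client_name!r}: file too large")
    kind = next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        raise ValueError(f"{client_name!r}: not a PNG, JPEG or GIF")
    # A valid image header can still be followed by PHP (a polyglot file).
    if PHP_OPEN_TAG in data.lower():
        raise ValueError(f"{client_name!r}: embedded PHP open tag")
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed sample inputs (placeholders, no working payload).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_FILE = b"<?php /* constructed placeholder */ ?>"
POLYGLOT = b"GIF89a" + b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    for name, blob in [("me.png", PNG_OK), ("myshell.php", PHP_FILE), ("a.gif", POLYGLOT)]:
        try:
            print(name, "-> stored as", vet_avatar(name, blob))
        except ValueError as err:
            print("rejected:", err)
```

The content scan is defence in depth; the controls that matter are the server-chosen filename with an image extension and an upload directory in which the web server will not execute scripts.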
Using Python I spawned a bash shell:
I did some enumeration on the target – tons actually. I used the excellent “g0tmi1k” privilege escalation list (Link: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/). I did quite a lot around finding files with sticky bits, looking for world writable files, looking into /etc/passwd and whether the shadow file was readable, looking into /var/log and a lot of other things.
I did find that mysql user root had the password of root but this wasn’t useful unfortunately.
Doing research online I discovered a published exploit (Link: https://www.exploit-db.com/exploits/37292/) which matched up to my kernel version. This was an overlayfs privilege escalation (CVE-2015-1328). I downloaded this within the shell on the target machine.
Compiled it: gcc 37292.c -o hacky
When this was executed the exploit was successful and running the id command confirmed that I was now within a root shell!!!
This was a very fun machine and not too complicated so ideal for beginners. My thanks go to the Author – Robert Winkel.