Simple CTF Walkthrough


Yesterday, I noticed there was a new-ish virtual machine on Vulnhub called Simple CTF. As the adventurous pioneer I am, I downloaded it and booted it right up!! This is how I rooted Simple, and it was indeed… simple, haha!

A quick rundown of what I did:

  1. Service enumeration
  2. Check for vulnerabilities
  3. Exploitation
  4. Privilege Escalation
  5. Read Flag in /root

Exploits used:

  1. CuteNews 2.0.3
  2. Apport Local Root Exploit

I did an Nmap scan to see what services, if any, are running on my target.

Port 80 is open and CuteNews is running on it. Heading to the site, I notice a login. Interesting… It’s running “CuteNews v.2.0.3”.

From here, I searched Google to see if there was an existing exploit for this particular version. It wasn’t long before I found one.

After reading the exploit on Exploit-DB, I gathered that I had to:

  1. Register for an account
  2. Upload a malicious avatar
  3. Intercept the request and modify the file name to .php
  4. Call the URL and gain shell 🙂

First things first… I had to create a PHP shell, relying on my good pal MSFvenom to generate a reverse shell for me.

The next thing I did was use the “multi/handler” within Msfconsole, set the parameters and run my listener.

After creating my user, I navigated to upload my avatar. I set up my proxy for Burp Suite, then uploaded my picture to capture the request.

Do keep in mind when you’re reading from the database, the explanation they give will more than likely be different from your setup. Attention to detail 😉

After changing the file type to php and forwarding the request, I received a GET request and took note of the file path.

Lo and behold, I caught my shell from navigating to http://192.168.126.204/uploads/avater_qwer_backdoor.php 😀
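Seen from the defender's side, that last step leaves a clear trace in the web server's access log: a request for a script file inside the upload directory. The check below is an added example, not part of the original walkthrough; the combined log format, the `/uploads/` prefix, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the original post): Apache/nginx "combined" log format,
# uploads served from /uploads/, and this set of server-executable extensions.
UPLOAD_PREFIX = "/uploads/"
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_script_in_uploads(target):
    """True if the request path points at a script-like file under the upload dir."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    if not path.lower().startswith(UPLOAD_PREFIX):
        return False
    name = path.rsplit("/", 1)[-1].lower()
    # Check every extension component so "x.php.jpg" is caught as well as "x.php".
    return any(part in EXEC_EXTS for part in name.split(".")[1:])

def find_upload_execution(lines):
    """Return (ip, timestamp, path, status) for each request to a script in uploads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_script_in_uploads(m["target"]):
            hits.append((m["ip"], m["ts"], urlsplit(m["target"]).path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/avatar_alice_me.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /uploads/avatar_alice_me.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /uploads/avatar_bob_pic.PHP5.png?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, path, status in find_upload_execution(SAMPLE_LOG):
        print(f"{ts} {ip} requested {path} -> {status}")
```

A hit with status 200 is the one to triage first. The durable fix is to keep the web server from executing anything in the upload directory and to have the application pick the stored file name and extension itself.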

But wait! There’s more 😉 We aren’t root quite yet.

Sweet. Our kernel is 3.16.0, the distro is Ubuntu 14.

After taking note of that, I checked to see if there were any root exploits that I could use against this target because who wants to be a limited user?? Not I, that’s for sure!

After searching, I came across a local root exploit that abuses Apport. According to USN-2569-1, it can be tricked into running programs as an administrator… Interesting.

I moved into the /tmp folder and used wget to grab the source. After compiling with “-static”, I ran my binary and voila!! Whoami?? You know it! Rooooooooot (´▽`ʃƪ)

This was pretty fun to do and I would highly encourage anyone reading this walkthrough to hop on Vulnhub, take a seat and gain root/admin privs 🙂

Big thanks to Robert Winkel for uploading 🙂
