Friday, 6 May 2016

BNE0x03 challenge

Hi again,
Today I would like to present a BNE0x03 walkthrough.

So, as always, we should find our target:
root@osboxes:~# nmap -sP

Starting Nmap 6.47 ( ) at 2016-05-06 09:02 BST
Nmap scan report for
Host is up (0.0018s latency).
MAC Address: 00:0C:29:4E:16:F6 (VMware)

root@osboxes:~# nmap -sV

Starting Nmap 6.47 ( ) at 2016-05-06 09:05 BST
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Scanning all ports does not give us a different result.
Now we browse to our target.

Maybe some exploit exists for CuteNews v.2.0.3? I don't know, but I will probably verify it.
Let's run dirb now.
root@osboxes:~# dirb


==> DIRECTORY:                                     
==> DIRECTORY:                                     
+ (CODE:200|SIZE:1150)                       
+ (CODE:200|SIZE:2487)                         
+ (CODE:403|SIZE:293)                      
==> DIRECTORY:                                    
It looks interesting; the application probably has an upload feature.
I tried to bypass authentication via SQL injection, but without success. However, I found an exploit for CuteNews 2.0.3.
# Exploit :
Vuln :
1 - Sign up for New User
2 - Log In
3 - Go to Personal options
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell :
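
Step 5 only works if the server stores the upload under the extension taken from the client-supplied filename. The following is an added example, not code from CuteNews or from the original post: a server-side check that ignores that filename and picks the stored name itself. The function names, the accepted image types and the sample bodies are assumptions made for illustration.

```python
import re
import secrets

# Leading "magic" bytes of the image types an avatar may be, mapped to the
# extension the server assigns itself (assumed whitelist, not CuteNews' own).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

class RejectedUpload(ValueError):
    """Raised when the upload body is not one of the accepted image types."""

def client_filename(content_disposition):
    """Extract the filename the client claimed (untrusted, for logging only)."""
    m = re.search(r'filename="([^"]*)"', content_disposition)
    return m.group(1) if m else ""

def stored_avatar_name(content_disposition, body):
    """Return the name to store the upload under, or raise RejectedUpload."""
    claimed = client_filename(content_disposition)
    ext = next((e for magic, e in MAGIC.items() if body.startswith(magic)), None)
    if ext is None:
        raise RejectedUpload(f"not an accepted image type (client name {claimed!r})")
    # The stored name is a random token plus the sniffed type; nothing from
    # the client-supplied filename (including ".php") survives.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample data modelled on the header quoted in step 5.
HEADER = 'Content-Disposition: form-data; name="avatar_file"; filename="Evil.php"'
PHP_BODY = b"<?php /* constructed placeholder body */ ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG-like prefix

if __name__ == "__main__":
    for body in (PHP_BODY, JPEG_BODY):
        try:
            print("stored as", stored_avatar_name(HEADER, body))
        except RejectedUpload as exc:
            print("rejected:", exc)
```

Magic bytes do not prove a file is harmless; the protection comes from the server-chosen extension, and it should be paired with an upload directory in which script execution is disabled.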
OK, so we have to follow the instructions. I registered an account and I am logged into the application now :-)

Great, now we have to go to Personal options and upload our avatar (reverse shell). I have uploaded my reverse shell file and I have got

Excellent, we have got a limited shell.
$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
I know that all we need is an exploit to get root privileges. I found the "Ubuntu 14.04 LTS, 15.10 - overlayfs Local Root Exploit".
I will leave you at this stage to complete the challenge as an exercise :-)

Game over!