Walkthrough Simple

I tried out another vulnerable machine. This one was called Simple, and can be found here.

So I started out as usual by locating the machine.

 $ netdiscover -r 
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 e8:de:27:31:15:ee      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
                 08:00:27:60:21:5c      1      60  Cadmus Computer Systems

 $ nmap -A -O -T4 -p- -vv 

Only port 80 was open, so I browsed over there.
I was met by the interface of some kind of news service called CuteNews. It had the version written on the first page: CuteNews v.2.0.3. And what I had learned from the last VM I did was that it is always a good idea to search for exploits (duh). So before going ahead with dirbuster/zap/nikto/whatevs I just searched for CuteNews in exploit-db. And that was a great idea.
So I just checked out the very first one that came up, and it looked easy. It was this one. I went ahead and created an account and renamed my php-reverse-shell.php to shell.jpg. Then I intercepted the upload with Burp Suite and changed the extension back to .php.
Then I started a listener with nc -lvp 4444, and after visiting cutenews.dev/uploads/avatar_username_shell.php I was rewarded with a shell.
I sent over the enumeration script I am working on with netcat.
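The trick above works because the only extension check sits in the browser, so the server happily stores whatever filename the proxied request says. The following is an added example (not code from the original post, and not CuteNews's own code): a constructed, minimal model of an avatar upload handler, with the trusting version beside a hardened one that allow-lists extensions, sniffs the file's magic bytes, and generates the stored name on the server. All function names, the username pattern and the sample payloads are assumptions made for illustration.

```python
import os
import re
import secrets

# Constructed minimal model of an avatar-upload handler (example code, not CuteNews's).
# The "vulnerable" version mirrors the behaviour the walkthrough exploits: the only
# extension check lives in browser-side JavaScript, so the server stores whatever
# filename the client sends, and an intercepting proxy can turn shell.jpg back into shell.php.

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the image formats we accept (JPEG, PNG, GIF).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def vulnerable_avatar_name(username: str, client_filename: str) -> str:
    """Trusts the client-supplied name: avatar_<user>_<whatever the request said>."""
    return f"avatar_{username}_{client_filename}"


def sniff_image_ext(data: bytes):
    """Return the extension implied by the file's magic bytes, or None if it is not an image."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_avatar_name(username: str, client_filename: str, data: bytes) -> str:
    """Server-side validation: allow-listed extension, content must really be an image,
    and the stored name is generated by the server rather than copied from the request."""
    # Assumed username policy; keeps "../" and separators out of the stored path.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        raise ValueError("unexpected characters in username")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    sniffed = sniff_image_ext(data)
    if sniffed is None:
        raise ValueError("content is not a JPEG, PNG or GIF")
    # Use the sniffed extension and a random token, so neither the name nor the
    # extension of the stored file is attacker-controlled.
    return f"avatar_{username}_{secrets.token_hex(16)}{sniffed}"


def is_safe_upload(username: str, client_filename: str, data: bytes) -> bool:
    """True if the hardened handler would accept the upload."""
    try:
        hardened_avatar_name(username, client_filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a PHP shell with its extension changed back in the proxy,
    # and a genuine (truncated) PNG header.
    php_payload = b"<?php system($_GET['cmd']); ?>"
    png_payload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(vulnerable_avatar_name("username", "shell.php"))
    print(is_safe_upload("username", "shell.php", php_payload))
    print(is_safe_upload("username", "shell.jpg", php_payload))
    print(hardened_avatar_name("username", "pic.png", png_payload))
```

The magic-byte check alone does not stop a polyglot (a real JPEG with PHP appended), so the other half of the fix is outside this code: the uploads directory must be served with script execution disabled, and the stored name must never end in an extension the web server hands to PHP.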

nc -lvp 3333 > enum.sh
nc < enum.sh
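A raw netcat pipe gives no signal that the whole file arrived, so the habit worth pairing with the two commands above is to hash the file on both ends. The following is an added example, not code from the original post: a Python stand-in for the listener (`nc -lvp PORT > file`) and sender (`nc HOST PORT < file`) that runs both ends on localhost and compares SHA-256 digests afterwards. The port is chosen by the OS and the sample script contents are constructed; the function names are assumptions made for this illustration.

```python
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-in for the two-line netcat transfer in the walkthrough
# (nc -lvp 3333 > enum.sh on the target, nc <ip> 3333 < enum.sh on the attacker).
# Example code, not from the original post. It adds the check a practitioner does
# after every raw TCP copy: compare a hash on both ends, because nothing in a bare
# stream tells you the file arrived complete.


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(dest_path: str, bound: dict, ready: threading.Event) -> None:
    """Listener side (the 'nc -lvp PORT > file' end). Reads until the sender closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    bound["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn, srv, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:               # EOF: the sender closed its end
                break
            out.write(chunk)


def send_file(host: str, port: int, src_path: str) -> None:
    """Sender side (the 'nc HOST PORT < file' end). Closing the socket is what
    signals end-of-file to the listener; a netcat listener hangs when the sender
    stays open, which is why flags such as -q or -N exist."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as src:
        s.sendfile(src)
        s.shutdown(socket.SHUT_WR)


def transfer_and_verify(src_path: str, dest_path: str) -> bool:
    """Copy src_path to dest_path over a local TCP connection; True if hashes match."""
    bound, ready = {}, threading.Event()
    listener = threading.Thread(target=receive_file, args=(dest_path, bound, ready))
    listener.start()
    ready.wait()
    send_file("127.0.0.1", bound["port"], src_path)
    listener.join()
    return sha256_file(src_path) == sha256_file(dest_path)


if __name__ == "__main__":
    # Constructed sample "enumeration script" to move around.
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "enum.sh")
        dst = os.path.join(d, "enum_received.sh")
        with open(src, "wb") as f:
            f.write(b"#!/bin/sh\nid; uname -a; cat /etc/issue\n" * 2000)
        print("hashes match:", transfer_and_verify(src, dst))
```

On a real engagement the equivalent is `sha256sum enum.sh` (or `md5sum` on older targets) on both machines before running anything you just copied over; a truncated script that runs halfway is harder to debug than a failed transfer.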

I soon found out that it had the same privesc vulnerability as the machine I was working on the other day, so I already had the exploit ready to go. It was this one. I sent it over with netcat, compiled it with gcc, then chmod +x. And then I was root and got the flag in the /root folder.



I felt like all the hard work before really paid off on this one. I knew the exploits, I knew how to transfer files easily. This was a great little project.

