SecTalks: BNE0x03 – Simple. Vulnhub’s VM Walkthrough


VM available at:

https://www.vulnhub.com/entry/sectalks-bne0x03-simple,141/

It was stated in the description that there are 3 ways to escalate privileges, and as usual I nailed them all.

Starting off with the necessary enumeration…

nmap-results.png

nikto-results.png

dirb-results.png

Taking note of the /uploads/ directory…

Visiting the website manually on TCP port 80 shows that the web server is running:

CuteNews 2.0.3.

The following directories are all listable:
/docs/
/uploads/
/core/

A quick Google search shows that CuteNews 2.0.3 is vulnerable to Arbitrary File Upload:

hxxps://www.exploit-db.com/exploits/37474/

Following the instructions, we proceed to register for an account. It is possible to upload a PHP reverse shell via the avatar profile picture.

The exploit instructions say to use Tamper Data.
However, the POST value box was too small and it was difficult to find the extension to edit.
I fired up Burp Suite instead to edit the extension before posting.

burp-suite-edit-extension.png

We then proceed to the /uploads/ directory and browse to the uploaded backdoor, while setting up a listener.

reverse-shell-success.png

Low privileged access = checked!
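
A defender-side view of the same weakness, as an added example that is not part of the original walkthrough: a Python audit of an uploads directory that flags avatar files with a PHP-handled extension, content that does not match the claimed image type, or an embedded PHP tag. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Extensions commonly routed to the PHP interpreter (assumed list; match it to the server's config).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Leading magic bytes for the image types an avatar upload should accept.
IMAGE_MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
               "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",)}

def audit_file(path):
    """Return the reasons one uploaded file looks unsafe (empty list = clean)."""
    parts = path.name.lower().split(".")[1:]
    with path.open("rb") as fh:
        data = fh.read(1 << 20)  # avatars are small; the first 1 MiB is plenty
    reasons = []
    # Any executable component counts, so "x.php" and "x.php.jpg" are both caught.
    if EXEC_EXTS.intersection(parts):
        reasons.append("executable extension")
    ext = parts[-1] if parts else ""
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("content does not match image extension")
    if b"<?php" in data.lower():
        reasons.append("embedded PHP tag")
    return reasons

def audit_uploads(root):
    """Walk the uploads directory and map relative path -> reasons for flagged files."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        reasons = audit_file(path) if path.is_file() else []
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings

def demo():
    """Audit a constructed uploads directory (all sample files are made up for this example)."""
    samples = {
        "avatar_alice.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "avatar_bob.php": b"<?php /* constructed sample */ ?>",
        "avatar_carol.gif": b"GIF89a<?php /* constructed sample */ ?>",
        "avatar_dave.jpg": b"not really a jpeg",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            Path(root, name).write_bytes(content)
        return audit_uploads(root)

if __name__ == "__main__":
    print(demo())
```

A file flagged here means the upload handler trusted a client-supplied name or type; the fix belongs on the server, which should derive the stored name and extension from the validated content and serve /uploads/ without script execution or directory listing.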

 

PRIVILEGE ESCALATION NO.1

uname-ar-release.png

Typical kernel-based exploitation.

hxxps://www.kernel-exploits.com/exploit/overlayfs/

(Download the pre-compiled 32-bit executable)

kernel-exploit.png

Done!

 

PRIVILEGE ESCALATION NO.2

Local Root Race Condition exploit,

hxxps://www.exploit-db.com/exploits/37088/

local-root-race-exploit.png

Done!

 

PRIVILEGE ESCALATION NO.3

Lastly,

hxxps://www.exploit-db.com/exploits/36746/

root-36746.png

I made sure to revert the target each time I tried a new privilege escalation exploit 🙂

Ending off with the flag,

ugly-flag.png

Ugly flag.

Stay safe~

-9emin1
