Vulnhub SecTalks: BNE0x03 - Simple Walkthrough

I needed a quick and simple distraction from something more complicated that I've been working on.  A Google search for "Vulnhub Easy" turned up Simple, which according to the description "focuses on the basics of web based hacking".  This was exactly what I had in mind, and it probably took longer to write up than it did to root.  I did find something interesting about the entry point, which I learned after I rooted the box, but I will get to that at the end of this post.

First we kick off with an Nmap scan:

At this point, it looks like our only option is the web port.  Let's take a look with a browser:

We find "CuteNews" and its version; let's see if there are any known vulnerabilities:

Excellent.  Let's see what we need to do to exploit this vulnerability:

Simple enough.  Create an account, change the avatar, tamper with the request, and we'll have an uploaded shell.  We register our account:

We head over to the profile options:

We select the option to upload an avatar:

With a renamed version of the Pentest Monkey reverse shell:

We select Save Changes with Burp in Intercept mode:

We scroll down to the portion where we find the filename:

We modify the filename in the request from .jpg to .php:

We then Forward the request from Burp.  Back at the profile page, we can get the name and location of the file:

When we paste it into the browser, it appears to be retaining an IP address from where this system was originally created:

Replacing the IP with the current IP:

With our listener set up:

We catch the shell and see what we're dealing with: Ubuntu 14.04.2.  We look it up on Exploit-DB:

We move the exploit over to our victim, compile, and execute:

#root

One last thing, the flag:

Now here's the interesting part.  I went back through the steps for the upload process and I didn't actually need to use the .jpg version; it allowed me to upload the .php file without tampering with the request.  Not that the extra step is huge, but with the version of this box I'm running, that part is not necessary.
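What makes the avatar upload exploitable is that the extension check lives in the browser, so the filename and Content-Type the server receives are whatever the client sends. As an added example, not code from this post or from CuteNews, here is the server-side validation that would have rejected both the directly uploaded .php file and the renamed reverse shell; the function names, the allow-list and the sample inputs are constructed for illustration.

```python
"""Server-side avatar validation: trust neither the client's filename nor
its declared Content-Type, check the bytes, and never store under the
client-supplied name. (Added illustration, not CuteNews code.)"""
from __future__ import annotations

import os
import secrets

# Allow-listed image extensions (constructed policy for this example).
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes each allowed format must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def reject_reason(filename: str, body: bytes) -> str | None:
    """Return why an upload is rejected, or None if it is acceptable.

    Checks: the last suffix is allow-listed (so shell.php is refused),
    there is no second suffix (so shell.php.jpg is refused, a defence in
    depth against multi-extension handlers), and the body's magic bytes
    match the claimed image type (so a PHP file renamed to .jpg is refused).
    """
    base = os.path.basename(filename)  # drop any path the client sent
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return f"extension {ext!r} not allowed"
    if "." in root:
        return "double extension"
    if not body.startswith(MAGIC[ext]):
        return "body does not match declared image type"
    return None


def storage_name(filename: str) -> str:
    """Server-generated name: random token plus the validated extension."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: a real JPEG header, and a PHP body renamed to .jpg.
    print(reject_reason("avatar.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(reject_reason("avatar.jpg", b"<?php echo 1; ?>"))
    print(reject_reason("php-reverse-shell.php", b"<?php echo 1; ?>"))
```

The upload directory should additionally be served without script execution, so that even a polyglot file that passes the magic-byte check is only ever returned as an image.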