7MS #194: Vulnhub Walkthrough - Simple

Intro

The following is a semi-spoilerish walkthrough of the Simple VM from Vulnhub by @RobertWinkel.

Disclaimer

I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process, as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

An NMAP scan reveals port 80 to be open, and peeking at that port's front page, it looks like CuteNews is the host software. BTW if you're not sure what core software a site is running, often you can find it listed in the footer, in the "view source" of the home page, or by using a browser add-in like Wappalyzer.

Next, I usually check Exploit-db right away, and in this case I struck gold. There's an exploit that allows file uploads, and if you tinker with the way the file gets uploaded, you can change the format of the file from a pic to something more evil :-). Hint: look in /usr/share/webshells for inspiration!
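Flipping it around to the defender's side: the reason that upload exploit works is that the app trusts the file name and never checks what's actually inside the file. Here's an added example (my own code, not from the VM or from CuteNews) of the kind of check that shuts that trick down. The function name, allowlist and the sample bytes are all my own constructions.

```python
import os

# Constructed allowlist: the only extensions accepted, each paired with the
# magic bytes a real file of that type must start with.
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Extensions a web server may hand to an interpreter. They are rejected
# anywhere in the name, so "avatar.php.png" fails, not just "avatar.php".
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar",
                     ".cgi", ".pl", ".py", ".sh"}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when every check passes."""
    # No directory components or null bytes in the name.
    if not filename or "\x00" in filename or os.path.basename(filename) != filename:
        return False, "bad filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = ["." + p for p in parts[1:]]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False, "script extension present"
    final_ext = exts[-1]
    if final_ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    # The declared type must match the real content, not just the name.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[final_ext]):
        return False, "content does not match declared image type"
    # Belt and braces: refuse "images" carrying PHP open tags in the body,
    # in case a later misconfiguration ever lets the server interpret them.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header
    print(validate_upload("avatar.png", png))
    print(validate_upload("avatar.php.png", png))
```

Pair this with storing uploads under a server-generated name, outside the web root, and the "rename the pic to something evil" trick has nowhere to go.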

Once that shell is executed, you get a limited priv shell. I always use the following command to "power up" that shell:

python -c 'import pty; pty.spawn("/bin/bash");'

With the limited shell hooked up, I usually run unix-privesc-check, LinuxPrivChecker.py and/or the Basic Linux Privesc Cheatsheet. Also, look at uname -a to ensure you're trying exploits that apply to your specific OS version(!).

Armed with this information and some persistent searching, you should find a path to root and then be sure to find/view the flag.txt!