You can find the machine here: BBS (cute)
Summary
This box is really easy but really good for beginners: it teaches you the importance of exploit editing. We start by finding a vulnerable version of CuteNews, we edit the exploit, and we gain command execution. Privesc to root is simple: we just exploit hping3. Let’s pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
We start by enumerating port 80, where we can see the default Apache page. Let’s run a quick dirb scan.
If we visit /index.php we can see the CuteNews login page:
At the bottom of the page we can see the version:
Shell as www-data
Let’s search for possible exploits.
Perfect! Let’s mirror the Python one to our box.
If we try to run it we get an error:
We have to edit the exploit. We simply have to remove every CuteNews from the URL:
Do this and save it. Now let’s run it again, and we can see we have command execution:
This shell isn’t that good tho, so let’s spawn a normal reverse shell:
Shell as root
Now while doing the basic enumeration, sudo -l says we can run hping3 as root:
We can enter the interactive mode of hping3 just by running it with no options:
Let’s read the flag:
I love such boxes! :D
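
For the defender's side of the sudo finding in the root section, here is a small audit of sudo -l output that flags root rules for binaries with an interactive or shell-capable mode. It is an added example, not part of the original write-up; the sample output, the function name audit_sudo_l and every watchlist entry other than hping3 are assumptions.

```python
import os
import re

# Binaries that can hand the caller an interactive shell or interpreter.
# hping3 is the one this write-up abuses; the rest is an assumed,
# non-exhaustive watchlist that should be extended per environment.
RISKY = {"hping3", "vim", "less", "find", "awk", "python3", "bash", "sh"}

# One rule line of `sudo -l`, e.g. "(root) NOPASSWD: /usr/sbin/hping3"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_l(text):
    """Return findings for root/ALL rules that allow a risky binary or ALL."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line or blank line
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Commands are comma separated; sudo escapes literal commas as "\,"
        for cmd in re.split(r"(?<!\\),", m.group("cmds")):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in RISKY:
                findings.append({"command": cmd, "binary": binary,
                                 "runas": runas, "nopasswd": nopasswd})
    return findings

# Constructed sample output (not captured from the box).
SAMPLE = """\
Matching Defaults entries for www-data on host:
    env_reset, mail_badpass

User www-data may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/hping3
    (root) /usr/bin/uptime
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print("review sudo rule:", f)
```

Any rule it reports is a candidate for removal from sudoers or for replacement with a narrowly scoped wrapper.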