
BBS (cute): 1.0.2



  • Enumeration will lead to a CuteNews interface
  • Register a new user and upload a reverse shell in the Avatar
  • Change the reverse shell format to a GIF format for it to bypass upload error
  • Check sudo permission
  • Use GTFOBins to find exploit for root access


Run an nmap scan to find open ports.

Port 80

Port 88

Run a gobuster scan to find hidden directories.


We find CuteNews interface.

Let’s register a new user; for the Captcha code we can use /captcha.php to find one.

In the profile section of the interface we are able to upload an avatar. However, only the GIF format is accepted. We create a PHP reverse shell and add the GIF magic number at the top of the source code.
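An added example, not from the original writeup and not CuteNews's own code, looking at this step from the defender's side: a check that only inspects the leading magic bytes accepts the polyglot described above, while a stricter server-side validator rejects it. The sample inputs and function names are constructed for this illustration.

```python
# Added example: weak vs. stricter server-side validation of an avatar upload.
import re
import secrets

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed sample: GIF signature followed by a PHP tag, the pattern the
# writeup describes. No real payload, just a placeholder body.
POLYGLOT = b"GIF89a" + b"<?php /* placeholder */ ?>"

# Constructed sample: a genuine 1x1 GIF (header, screen descriptor, palette,
# image descriptor, minimal LZW data, trailer).
REAL_GIF = (b"GIF89a"
            + b"\x01\x00\x01\x00\x80\x00\x00"              # 1x1, global palette of 2
            + b"\x00\x00\x00\xff\xff\xff"                  # palette: black, white
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
            + b"\x02\x02\x44\x01\x00"                      # LZW min code 2, data, end
            + b"\x3b")                                     # trailer


def magic_only_check(data: bytes) -> bool:
    """The weak check: accept anything whose first bytes say GIF."""
    return data.startswith(GIF_MAGICS)


def strict_gif_check(data: bytes) -> bool:
    """Stricter check: no script openers, sane header fields, GIF trailer."""
    if not data.startswith(GIF_MAGICS) or len(data) < 14:
        return False
    # Reject PHP or script openers anywhere in the body, not just the head.
    if re.search(rb"<\?|<script", data, re.IGNORECASE):
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    if not (0 < width <= 4096 and 0 < height <= 4096):
        return False
    # A well-formed GIF ends with the 0x3B trailer byte.
    return data.endswith(b"\x3b")


def storage_name() -> str:
    """Never reuse the client's filename: random name, fixed extension.
    Serve uploads from a directory where the server does not execute PHP."""
    return secrets.token_hex(16) + ".gif"
```

Re-encoding the image with an image library before saving is a further hardening step; the checks above only decide whether the bytes are worth passing on.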

Upload is a success.

I tried finding the upload link by right clicking on the broken avatar pic.

I edited the link for my victim box as shown below.


Remember to start a netcat listener before executing the upload link and you will get a shell.

First flag is found.

Checking sudo permissions, we are allowed to run hping3.

Privilege escalation

Search GTFOBins for the exploit.

Able to view the final flag.
