Persecure : my learning archive

, ,

BBS (cute): 1.0.2

https://www.vulnhub.com/entry/bbs-cute-102,567/

Review

  • Enumerataton will lead to a CuteNews interface
  • Register a new user and upload a reverse shell in the Avatar
  • Change the reverse shell format to a GIF format for it to bypass upload error
  • Check sudo permission
  • Use GTFOBins to find exploit for root access

Enumeration

Run nmap scan to find for open ports.

Port 80

Port 88

Run a gobuster scan to find for hidden directories.

index.php

We find CuteNews interface.

Let’s register a new user , for the Captcha code we can use /captcha.php to find one.

In the profile section of the interface we are able to upload an avatar. However only a GIF format can be uploaded. We create a php revershell and add the GIF magic number on the top of the source code.

Upload is a success.

I tried finding the upload link by right clicking on the broken avatar pic.

I edited the link for my victim box as shown below.

Foothold

Remember to start a netcat listener before executing the upload link and you will get a shell.

First flag is found.

Checking sudo permissions we are allowed to run hping3

Privilege escalation

Search GTFOBins for the exploit.

Able to view the final flag.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Comments (

0

)

%d bloggers like this: