Vulnhub’s BBS (cute): 1.0.1 CTF Walkthrough
BBS (cute) 1.0.1 by foxlox is described as an easy to intermediate box.
Having completed the box, I can honestly say that it’s more on the easier side than intermediate. The initial shell is very easy to find and the privilege escalation is a pretty common technique.
I used VirtualBox for this and didn’t have any problems. I also imported it into VMware, but for some reason I couldn’t find its IP with netdiscover. The author says the box works better on VirtualBox, so I would just stick with that. All right, let’s get started.
Enumeration
We’ll start off with a simple Nmap scan.
user@kali:~/Desktop$ nmap -sV -Pn -A 192.168.1.111
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-28 13:37 EDT
Nmap scan report for cute.attlocal.net (192.168.1.111)
Host is up (0.00089s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
| 256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_ 256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
88/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) UIDL IMPLEMENTATION(Courier Mail Server) UTF8(USER) USER PIPELINING STLS TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) UIDL IMPLEMENTATION(Courier Mail Server) USER PIPELINING UTF8(USER) TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds
We have a handful of open ports. The first is SSH, running a common, current version, so there is nothing to exploit there. Next are two web servers: one on port 80 and the other on port 88.
The web server on port 80 is Apache httpd 2.4.38. I ran a Nikto and a Dirb scan against it to see what I could find. Both gave me a few directories to look into, and both pointed to /index.php.
user@kali:~/Desktop$ dirb http://192.168.1.111

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep 28 13:43:14 2020
URL_BASE: http://192.168.1.111/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.111/ ----
==> DIRECTORY: http://192.168.1.111/core/
==> DIRECTORY: http://192.168.1.111/docs/
+ http://192.168.1.111/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.1.111/index.html (CODE:200|SIZE:10701)
+ http://192.168.1.111/index.php (CODE:200|SIZE:6175)
==> DIRECTORY: http://192.168.1.111/libs/
==> DIRECTORY: http://192.168.1.111/manual/
+ http://192.168.1.111/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.111/skins/
==> DIRECTORY: http://192.168.1.111/uploads/
---- Entering directory: http://192.168.1.111/core/ ----
==> DIRECTORY: http://192.168.1.111/core/captcha/
==> DIRECTORY: http://192.168.1.111/core/ckeditor/
==> DIRECTORY: http://192.168.1.111/core/db/
==> DIRECTORY: http://192.168.1.111/core/includes/
+ http://192.168.1.111/core/index.html (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.111/core/lang/
==> DIRECTORY: http://192.168.1.111/core/modules/
==> DIRECTORY: http://192.168.1.111/core/tools/
---- Entering directory: http://192.168.1.111/docs/ ----
+ http://192.168.1.111/docs/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.111/libs/ ----
==> DIRECTORY: http://192.168.1.111/libs/css/
==> DIRECTORY: http://192.168.1.111/libs/fonts/
+ http://192.168.1.111/libs/index.html (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.111/libs/js/

user@kali:~/Desktop$ nikto -h 192.168.1.111
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.111
+ Target Hostname: 192.168.1.111
+ Target Port: 80
+ Start Time: 2020-09-28 13:42:27 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5af83f7e950ce, mtime: gzip
+ Multiple index files found: /index.html, /index.php
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
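The Nikto findings above (missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers, and the CUTENEWS_SESSION cookie set without HttpOnly) are cheap to check for on any web application. The following is an added example, not code from the walkthrough: it audits a constructed HTTP response rather than the live box, and the hardened response is an assumed fix, not something captured from the target.

```python
# Added example (not from the walkthrough): audit the header and cookie
# findings Nikto reported above, offline, against a constructed response.

# Headers Nikto flagged as absent, with the risk each one mitigates.
REQUIRED_HEADERS = {
    "x-frame-options": "no clickjacking protection",
    "x-xss-protection": "no legacy XSS filter hint",
    "x-content-type-options": "MIME sniffing not disabled",
}

# Constructed response modelled on the Nikto findings, not captured from the box.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.38 (Debian)\r\n"
    "Set-Cookie: CUTENEWS_SESSION=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n<html>...</html>"
)

# The same response after the assumed fixes: headers added and HttpOnly set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: CUTENEWS_SESSION=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n<html>...</html>"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    pairs = []
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """List missing security headers and cookies set without HttpOnly."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [f"missing header {name}: {why}"
                for name, why in REQUIRED_HEADERS.items() if name not in present]
    # A response may set several cookies; each Set-Cookie line is checked on its own.
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} set without HttpOnly")
    return findings
```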
/index.php served a content management system with a public exploit.
CuteNews 2.1.2 has a known RCE vulnerability, and a public exploit for it is available on Exploit-DB.
Looking through the exploit, we see that its URL path includes an extra directory.
On this box there is no /Cutenews/ directory before index.php, so that segment has to be removed from the exploit. Once it is removed, the exploit works as intended.
The exploit gave me a fairly limited command shell. I could run a few commands, but I couldn’t cd into a different directory, so I decided to send a shell back to my Kali box. It turned out that Netcat was installed on the target.
I set up a Netcat listener on port 4444 and ran the command to get an interactive shell back.
Using this python one-liner, I was able to spawn a TTY shell for better functionality.
python -c 'import pty; pty.spawn("/bin/sh")'
I did some enumeration to see what permissions I had. I transferred linpeas.sh over to the target and found that my sudo permissions allowed me to run hping3 as root.
Running hping3 through sudo gave me instant root access.
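The privilege escalation hinged on a sudo rule that let a low-privileged user run hping3 as root without a password. As an added example, not from the walkthrough, here is a small sudoers audit that flags such grants; the sudoers content and the SHELL_CAPABLE set are constructed assumptions, and a real audit would extend the set to local policy.

```python
# Added example (not from the walkthrough): scan sudoers-style rules for
# grants that hand a non-root user a shell-capable binary as root, such as
# the hping3 rule that gave root on this box. Runs offline on constructed input.
import re

# Binaries the admin treats as shell-capable; hping3 is the one from this box.
# Assumption: extend this set to match local policy, it is not exhaustive.
SHELL_CAPABLE = {"hping3"}

# Constructed sudoers content, not copied from the box.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/hping3
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/sbin/hping3
"""

# user  host=(runas) [TAG:] commands   -- the common sudoers rule shape
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse_rules(text):
    """Return a list of (user, runas, nopasswd, [commands]) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue                      # comments and Defaults are not rules
        m = RULE.match(line)
        if not m:
            continue                      # aliases and other shapes are out of scope
        user, _host, runas, tag, cmds = m.groups()
        commands = [c.strip() for c in cmds.split(",")]
        rules.append((user, runas, tag == "NOPASSWD", commands))
    return rules

def risky_grants(text, shell_capable=SHELL_CAPABLE):
    """Return (user, command, nopasswd) triples for shell-capable root grants."""
    findings = []
    for user, runas, nopasswd, commands in parse_rules(text):
        runas_user = runas.split(":")[0] or "root"
        if runas_user not in ("root", "ALL") or user == "root":
            continue                      # only non-root users gaining root matter here
        for cmd in commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the command
            if binary in shell_capable:
                findings.append((user, cmd, nopasswd))
    return findings
```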
I grabbed the root flag.
Overall, this was a fun box. I expected it to be a little harder than it was, but it still gave me some good practice at enumeration and at checking what useful software was installed on the target. For more walkthroughs, you can follow me here and on Twitter @assume_breach.