BBSCute
Navigating to port 80 in the browser lands us on the default install page for Apache.
Running dirsearch.py
against the target web servers reveals index.php
Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.
Instead we can register ourselves as a new user to access. On the register new user page we are not able to load the captcha which stops us from proceeding:
Reviewing the source of this page shows we do have a link for captcha.php.
Viewing this will show what the current captcha should be.
Entering this into the registration field will allow us to proceed with new user creation.
We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with searchsploit
shows the results below.
Searching further on Google for exploits we come across a PoC on GitHub located here: https://github.com/CRFSlick/CVE-2019-11447-POC.
Download the python script and the sad.gif
files to the same directory. Run with the syntax shown below.
We can now run the following command to get a more usable reverse shell on a different listener:
From here I uploaded linpeas
which after executing identified the binary hping3 as having a SUID bit set. Meaning we can execute the binary with root permissions.
Then as per GTFOBins we can executed with the SUID bit to gain a root shell.