BBScute
Introduction
This write-up details the steps taken to solve the BBScute machine from Proving Grounds Play. The approach includes reconnaissance, enumeration, exploitation, and privilege escalation to gain root access.
Reconnaissance
I began with a full port scan using nmap to identify services and their versions:
Key Findings

| Port | Service | Version / Notes |
| --- | --- | --- |
| 22 | SSH | OpenSSH 7.9p1 (Debian 10+deb10u2) |
| 80 | HTTP | Apache 2.4.38 (Debian default page) |
| 88 | HTTP | nginx 1.14.2 (404 Not Found page) |
| 110 | POP3 | Courier pop3d |
| 995 | POP3S (SSL) | Courier pop3d |
Service Analysis
SSH (Port 22)
- OpenSSH 7.9p1 (released in 2019)
- No immediately obvious exploits, but the version is slightly outdated
- Host keys provided for fingerprinting
HTTP Services
- Port 80: Default Apache page ("It works")
  - Potential for hidden directories/virtual hosts
  - Server header confirms Apache 2.4.38 (Debian)
- Port 88: Nginx 1.14.2 returning 404
  - Mismatch: Port 88 is typically Kerberos, but here it serves HTTP
  - Could indicate a misconfiguration or non-standard setup
Mail Services
POP3 (Port 110) and POP3S (Port 995):
- Courier Mail Server implementation
- Supports the USER command with UTF8 encoding
- SSL certificates valid for localhost/example.com (likely self-signed)
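The port 88 observation above (a well-known port carrying a service other than the one conventionally assigned to it) is the kind of finding worth automating when reviewing scan results for your own estate. The following is an added example, not part of the original write-up or of nmap: it parses nmap's XML output (`-oX`) and flags open ports whose detected service differs from the conventional one. The XML sample and the expected-service table are constructed for this example and modelled on the table above.

```python
import xml.etree.ElementTree as ET

# Conventional service for each well-known port (constructed subset; in
# practice this comes from /etc/services or the IANA registry).
EXPECTED = {
    22: "ssh", 80: "http", 88: "kerberos-sec",
    110: "pop3", 443: "ssl/http", 995: "ssl/pop3",
}

# Constructed nmap -sV -oX output modelled on the scan described in the write-up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.106.128" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1 Debian 10+deb10u2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/></port>
      <port protocol="tcp" portid="88"><state state="open"/>
        <service name="http" product="nginx" version="1.14.2"/></port>
      <port protocol="tcp" portid="110"><state state="open"/>
        <service name="pop3" product="Courier pop3d"/></port>
      <port protocol="tcp" portid="995"><state state="open"/>
        <service name="pop3" product="Courier pop3d" tunnel="ssl"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port found in nmap XML output."""
    root = ET.fromstring(xml_text)
    results = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        name = svc.get("name", "") if svc is not None else ""
        # nmap reports TLS-wrapped services as name="pop3" tunnel="ssl";
        # normalise that to "ssl/pop3" so it can be compared with EXPECTED.
        if svc is not None and svc.get("tunnel") == "ssl":
            name = "ssl/" + name
        results.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": name,
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else "",
        })
    return results


def service_mismatches(ports, expected=EXPECTED):
    """Flag ports whose detected service differs from the conventional one.

    Returns a list of (port, expected_service, observed_service) tuples.
    """
    out = []
    for p in ports:
        want = expected.get(p["port"])
        if want is not None and p["service"] != want:
            out.append((p["port"], want, p["service"]))
    return out


if __name__ == "__main__":
    for port, want, got in service_mismatches(parse_open_ports(SAMPLE_XML)):
        print(f"port {port}: expected {want}, observed {got}")
```

Run against the sample, the only finding is port 88 (expected kerberos-sec, observed http), which matches the manual analysis above. Pointing the parser at a real scan of a fleet gives a quick list of non-standard listeners to reconcile against the asset inventory.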
Enumeration
Port 80: Apache Web Server Enumeration
The default Apache page on port 80 suggested further enumeration. Using feroxbuster, I discovered several directories:
During the enumeration process, I identified a login page located at http://192.168.106.128/index.php.
The application appears to be running CuteNews version 2.1.2. I will proceed to investigate whether this version is vulnerable to any known exploits or security flaws.
The identified exploits for CuteNews 2.1.2 require authentication to execute. To proceed, I will attempt to create a user account by registering on the platform.
During the registration process, I could not view the CAPTCHA directly on the registration page. However, I accessed it manually at http://192.168.106.128/captcha.php to retrieve and solve it:
After successfully solving the CAPTCHA, I was able to complete the registration process and gain access to the application:
Exploitation
It appears that CuteNews 2.1.2 is vulnerable to arbitrary file upload via the avatar feature, allowing us to upload a PHP shell file. Here's the process I followed:
Step 1: Create the PHP Shell
Using exiftool, I embedded a simple PHP reverse shell within the metadata of an image file. The command used was:
Step 2: Upload the Shell (Requires Minimum Editor Privileges)
I uploaded the modified image file through the avatar upload functionality, attempting to bypass file restrictions by using a double extension (.png.php).
By adding the double extension, the server accepted the file:
Step 3: Accessing the Uploaded Shell
The uploaded file was accessible at the following URL:
http://192.168.106.128/uploads/avatar_hacker_shell.png.php
Using this shell, I gained remote code execution (RCE).
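The upload above succeeds because the application trusts the user-supplied filename (it sees ".png" somewhere in the name) and never looks at the bytes, so PHP source hidden in image metadata is stored under a name the web server hands to the PHP interpreter. The following is an added example of how an avatar upload handler should validate the file; it is not CuteNews code and is written in Python rather than the application's PHP so it can be tested in isolation. The allowed-type table, marker list and size limit are assumptions chosen for the example.

```python
import secrets

# Allowed image types, identified by their leading magic bytes rather than by
# the user-supplied filename (constructed table for this example).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Byte sequences that have no business inside an avatar. Metadata injection
# (for example via exiftool) leaves PHP tags in a comment or EXIF field, so the
# file still decodes as an image but the tags survive in the raw bytes.
EXECUTABLE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

MAX_BYTES = 512 * 1024  # assumed avatar size limit


def detect_image_type(data: bytes):
    """Return 'png'/'jpg'/'gif' from magic bytes, or None if not a known image."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_avatar(filename: str, data: bytes):
    """Return (accepted, reason). Every extension component is inspected, so
    'shell.png.php' is rejected even though it contains '.png'; the content
    checks then decide independently of the name."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "extension"
    if any(p in ("php", "phtml", "php3", "php5", "phar", "htaccess") for p in parts[1:]):
        return False, "extension"
    if parts[-1] not in ("png", "jpg", "jpeg", "gif"):
        return False, "extension"
    kind = detect_image_type(data)
    if kind is None:
        return False, "magic"
    if any(marker in data for marker in EXECUTABLE_MARKERS):
        return False, "embedded-code"
    return True, kind


def storage_name(data: bytes):
    """Server-chosen name: random token plus an extension derived from the
    verified content, so nothing from the client's filename reaches disk."""
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("not an image")
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # constructed stand-in for a PNG
    print(validate_avatar("avatar.png", png))
    print(validate_avatar("avatar_hacker_shell.png.php", png))
    print(validate_avatar("avatar.png", png + b"<?php echo 1; ?>"))
```

Two further controls belong alongside the validator: the upload directory should be served with script execution disabled (so even a file that slips through is returned as bytes, never interpreted), and a request log alert on any request for a path under /uploads/ that ends in a script extension catches the write-up's access to avatar_hacker_shell.png.php at the detection layer.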
Privilege Escalation
Upon further enumeration, I discovered that the hping3 binary has the SUID bit set, allowing it to execute with root privileges:
Since hping3 inherits elevated privileges, it can be exploited to gain root access.
Step 1: Modifying /bin/bash Permissions
I utilized hping3 to modify the permissions of /bin/bash, granting it the SUID bit. This enables any user to execute /bin/bash with root privileges.
Step 2: Escalating to Root
Once /bin/bash had the SUID bit set, I invoked it to escalate my privileges to root:
This successfully escalates privileges to root, allowing full control over the target system.
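Both halves of this escalation leave a filesystem artifact: a SUID-root hping3 that no stock build ships with, and afterwards a SUID-root /bin/bash. A periodic audit of SUID binaries against a known-good baseline surfaces either one. The following is an added example, not part of the original write-up: a small auditor whose core check is a pure function over (path, mode, uid) tuples so it can be tested without touching a real filesystem. The baseline allowlist and the sample entries are constructed for the example and are not a verified Debian package list.

```python
import os
import stat

# Baseline of SUID-root binaries a host of this build is expected to carry
# (constructed, illustrative allowlist; a real baseline is generated from a
# known-good image and kept under version control).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd",
}


def unexpected_suid(entries, allowlist=EXPECTED_SUID):
    """entries: iterable of (path, mode, uid) as returned by os.lstat.

    Returns the sorted paths of regular files that are SUID, owned by root,
    and absent from the allowlist. Symlinks and directories are skipped
    because the SUID bit only matters on the executable itself.
    """
    findings = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue
        if mode & stat.S_ISUID and uid == 0 and path not in allowlist:
            findings.append(path)
    return sorted(findings)


def walk_entries(root="/"):
    """Yield (path, mode, uid) for every file under root, skipping pseudo
    filesystems and anything that cannot be stat'ed."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    for path in unexpected_suid(walk_entries("/")):
        print("unexpected SUID root binary:", path)
```

Run from cron or a configuration-management agent, the non-empty output is the alert; a hit on a shell or on a network tool such as hping3 is the signal to check who set the bit and when (the file's ctime and the package manager's verify command both help). The same routine with stat.S_ISGID covers SGID binaries.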