Vulnhub BBS (cute): 1 Walkthrough

Described as an "Easy to Intermediate" boot2root, the description states:  "Really technical machine, if you are ready for certifications it will be a good tool to test yourself. You will find a very rare final exploit technique, which you have hardly seen before!

I've said this a ton of times, it's all a matter of perspective.  In my opinion, this challenge is easy.  Entry is quick and root is even quicker.

We kick off with Nmap:

A few things open but let's check out the web port:

We fire up Nikto:

Notice that it references two index pages.  We check out the other:

We notice that it's running a vulnerable version of CuteNews:

If anything is tricky here it's that the exploit doesn't work straight out of the box.  The reason being that we're not sitting in /CuteNews, we're sitting in the root folder.  If you do a find and replace to remove all references of /CuteNews -- this exploit will work.

We run the exploit:

And we get a shell-like-thing.  I want a proper shell so I move one across in text format and then I'll rename it.  This is just Pentest Monkey's reverse shell:

We execute our shell:

With our handler setup:

Checking our sudo privileges:

We can escalate from hping3.  We sudo into hping3, we check our id to make sure we're doing what we think we're doing, and for the root, we're going to add www-data to sudoers:

We sudo su to root and we have one more thing to do:

That's a wrap!