Boxname = BBScute
difficulty = easy
Nmap scan
Let’s begin the enumeration with port 80.
We see the Apache index page on port 80.
Viewing the source doesn’t reveal anything, so let’s proceed to directory brute-forcing with ffuf:
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.163.128/FUZZ
So, let’s check index.php first.
We’re presented with the page below.
So, let’s search for possible exploits for the software version I marked in the screenshot above (CuteNews 2.1.2).
I got this exploit:
So, we need an account to be able to use the exploit.
Moving on to the registration page, let’s try to register an account.
As you can see, there’s no captcha value to enter,
but viewing the source revealed the captcha directory.
Going to the captcha directory showed the captcha value.
Let’s complete our registration.
We are now authenticated, so let’s run the exploit again now that we have login credentials.
We got a bunch of errors due to the target hostname we provided,
though the output shows the expected target hostname, so let’s add it to our /etc/hosts file and run the exploit again.
And yeah, we gained a foothold on the machine.
Running the find command shown in the screenshot above gave us the user flag.
Privilege escalation
I used bash to get a proper reverse shell (TTY shell).
Checking for SUID binaries shows we can run hping3 as root.
So let’s check GTFOBins for the payload to use with this SUID binary.
Running /usr/sbin/hping3, then /bin/bash -p at its prompt,
gives us root.
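A defensive counterpart to that last step, added here as an example that is not part of the original writeup: a small POSIX shell audit that walks a tree for setuid files whose names are on a watch list of programs known to hand out a shell or file access when run privileged (hping3 included). The watch list and the function name are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a tree for setuid files whose
# basename is on a watch list of programs known to give a shell or arbitrary
# file access when run privileged. hping3, the binary abused on this box, is
# on the list. The list and function name are assumptions for illustration.

# Names only (not an exhaustive GTFOBins mirror); extend to taste.
SUID_WATCHLIST="hping3 bash sh dash python python3 perl find vim nmap env"

# audit_suid ROOT_DIR
# Prints the path of every regular file under ROOT_DIR with the setuid bit set
# (-perm -4000) whose basename is on SUID_WATCHLIST, one per line.
# Note: on a real host add -user root, since only root-owned setuid files
# grant root; it is left out here so the check also runs in an unprivileged test.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        name=${path##*/}
        for w in $SUID_WATCHLIST; do
            [ "$name" = "$w" ] && echo "$path"
        done
    done
    return 0
}

# Remediation for a flagged tool such as hping3: drop the setuid bit
# (chmod u-s) and, if the tool still needs raw sockets, grant only
# cap_net_raw with setcap instead of full root.
# Usage: sh suid_audit.sh /   (prints nothing when no watch-listed setuid file exists)
if [ -n "${1:-}" ]; then
    audit_suid "$1"
fi
```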
Thanks and have a nice day.
Reach out to me on Twitter.
Bankai TENSA ZANGETSU lol 😂😂