search

🐧BBSCute

192.168.105.128

hashtag
Enumeration

Nmap scan

nmap 192.168.105.128 -p- -sV -T4 -A

hashtag
Port 22

hashtag
Port 80

Dirbuster found lots of directories. Got the service and version number. This specific version does have RCE exploits available.

hashtag
Shell

Using the exploit from https://github.com/dinesh876/CVE-2019-11447-POCarrow-up-right and creating a normal using account I was able to get a shell. Had to find the captcha.php to get the account registered.

Had the server connect back to me as the previous shell was just a webshell.

Sudo perms.

This was a little hard to get right for escalation using https://gtfobins.github.io/gtfobins/hping3/arrow-up-right

Using hping3 puts you in hping3 at a prompt then use /bin/sh -p and bamm you're root.

hashtag
Root

PreviousStaplerNextSoSimple

Last updated