Web


Nmap discovered a web server on the target port 80. The service running is Apache httpd 2.4.18.

Webroot

The web application provides a news service. There are a dozen publications made by users, with some comments on them.

The footer indicates that the web application is powered by CuteNews.

Based on the official CuteNews website, it appears to be a CMS specifically designed for managing news.

Fail2Ban


An interesting post by the admin user caught my eye. Fail2Ban is basically a security measure against brute-force authentication attempts as well as fuzzing.

Attempting to fuzz the web server indeed got the source IP blocked. Basically, I got banned.

Admin Panel


There is a login page for the admin panel at /CuteNews/index.php. I tried both weak and default credentials, and none of them worked.

The footer here shows the version information: CuteNews 2.1.2.

Password Reset


Clicking the (Lost password) button takes me to a password reset page. It seems to reset the password from three inputs without properly validating the existing user.

Attempting to reset the password for the admin user fails with an error message saying that I haven't provided a value for a required field, email. There was no field named email on the form.

Intercepting the POST request in Burp Suite reveals that there is indeed a parameter called email. It's just that the parameter wasn't rendered correctly on the client side, where it was shown as Confirm Password. This tells me that the web server does validate the existing user.

Sign-up


Clicking the Register button takes me to a sign-up form. I will create a testing account.

Upon signing up, I am automatically authenticated as the testing user and redirected to the admin panel.

Clicking the Personal Options button reveals a page where I can edit the account information.

While I see a potential file upload vulnerability via changing the Avatar, I will first check for known vulnerabilities, since I know the version.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ searchsploit CuteNews 2.1.2
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                     | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload         | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                       | php/webapps/48800.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

CuteNews 2.1.2 has multiple vulnerabilities, and one of them confirms the file upload vulnerability that I pointed out earlier.

┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ head 48800.py 
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

Checking one of the exploits reveals the CVE number: [[Passage_CVE-2019-11447#CVE-2019-11447|CVE-2019-11447]]. Moving on to the Exploitation phase.
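The searchsploit table and the Exploit-DB header above are the two artefacts a vulnerability-management workflow usually keeps: a banner version (CuteNews 2.1.2) mapped to public exploit IDs, and the CVE each one references, so the finding can be tracked against a patch. The following parser is an added example, not code from the write-up or from CuteNews, Exploit-DB or searchsploit; the two sample strings are constructed copies of the output shown on this page, and the `exploits_for_version` helper and the `ExploitEntry` record are my own names.

```python
import re
from dataclasses import dataclass

# Constructed sample: the searchsploit table exactly as shown in the write-up.
SEARCHSPLOIT_OUTPUT = """\
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                     | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload         | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                       | php/webapps/48800.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
"""

# Constructed sample: the Exploit-DB header block from `head 48800.py` as shown above.
EXPLOIT_HEADER = """\
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class ExploitEntry:
    """One row of the searchsploit table (hypothetical record type for this example)."""
    title: str
    path: str
    edb_id: int            # numeric Exploit-DB id taken from the file name in `path`
    authenticated: bool    # True when the title says the exploit needs a valid account


def parse_searchsploit_table(text):
    """Turn the two-column searchsploit table into ExploitEntry records.

    Separator lines, the header row and the trailing 'No Results' lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        if "|" not in line or line.startswith("-") or "Exploit Title" in line:
            continue
        title, path = (part.strip() for part in line.split("|", 1))
        m = re.search(r"/(\d+)\.\w+$", path)      # e.g. php/webapps/48800.py -> 48800
        if not m:
            continue
        entries.append(ExploitEntry(title, path, int(m.group(1)),
                                    "authenticated" in title.lower()))
    return entries


def parse_exploit_header(text):
    """Parse the '# Key: Value' comment header of an Exploit-DB script.

    Keys are lower-cased; every CVE id mentioned anywhere in the header is collected
    under 'cves', because the 'CVE' key is not always spelled consistently.
    """
    meta = {}
    for line in text.splitlines():
        if not line.startswith("#") or ":" not in line:
            continue
        key, value = line.lstrip("# ").split(":", 1)   # split on the first colon only,
        meta[key.strip().lower()] = value.strip()      # so URLs in values survive intact
    meta["cves"] = sorted(set(CVE_RE.findall(text)))
    return meta


def exploits_for_version(entries, product, version):
    """Keep only entries whose title names exactly this product and version.

    The lookahead stops '2.1.2' from also matching a hypothetical '2.1.20'.
    """
    pat = re.compile(rf"^{re.escape(product)}\s+{re.escape(version)}(?!\S)", re.IGNORECASE)
    return [e for e in entries if pat.match(e.title)]


if __name__ == "__main__":
    hits = exploits_for_version(parse_searchsploit_table(SEARCHSPLOIT_OUTPUT), "CuteNews", "2.1.2")
    for e in hits:
        print(f"EDB-{e.edb_id}  auth={'yes' if e.authenticated else 'no ':<3} {e.title}")
    print("CVEs in 48800.py header:", parse_exploit_header(EXPLOIT_HEADER)["cves"])
```

The version match is deliberately exact: a banner of 2.1.2 should pull the four rows above, while a patched 2.1.3 should pull none, which is the check a defender runs after upgrading. The `authenticated` flag separates findings that need a valid account (here, the file upload behind the Avatar option) from those that do not, which changes how urgent the fix is when self-registration is open, as it is on this box.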