VM available at:
The description stated that there are 3 ways to escalate privileges, and as usual I nailed them all.
Starting off the necessary enumerations…
Taking note of the /uploads/ directory…
Visiting the website manually on TCP port 80 shows that the web server is running:
The following directories
are all listable.
A quick Google search shows that CuteNews 2.0.3 is vulnerable to Arbitrary File Upload.
Following the instructions, we proceed to register for an account. It is possible to upload a PHP reverse shell via the avatar profile picture.
The vulnerability description said to use Tamper Data.
However, the POST value box was too small and it was difficult to find the extension to edit.
I fired up Burp Suite instead to edit the extension before posting.
We then proceed to the /uploads/ directory and browse to the uploaded backdoor, while setting up a listener.
Low privileged access = checked!
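The upload succeeded because the file extension could be edited in transit and the server stored the file under the name it was given. As an added example (not CuteNews code and not part of the original write-up), here is a server-side avatar check that ignores the client-supplied name when storing the file; the function name, size limit and sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Allowlisted image types: magic-byte prefix -> extension the server assigns.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 512 * 1024  # assumed avatar size limit


class RejectedUpload(ValueError):
    """Raised when an avatar upload fails validation."""


def store_name_for_avatar(client_filename: str, data: bytes) -> str:
    """Return the server-chosen filename for an avatar, or raise RejectedUpload.

    client_filename is only compared against the detected type. It never
    becomes part of the stored name, so editing it in a proxy gains nothing.
    """
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    # Decide the type from the content, not from the request fields.
    detected = next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)
    if detected is None:
        raise RejectedUpload("content is not PNG, JPEG or GIF")
    claimed = os.path.splitext(client_filename)[1].lower()
    if claimed == ".jpeg":
        claimed = ".jpg"
    if claimed != detected:
        raise RejectedUpload(f"extension {claimed!r} does not match content {detected!r}")
    # Heuristic only: catches an image header with PHP appended (polyglot).
    # Re-encoding the image with an image library is the stronger control.
    if b"<?php" in data.lower():
        raise RejectedUpload("embedded PHP open tag found")
    # Random name plus allowlisted extension: nothing attacker-chosen is stored.
    return secrets.token_hex(16) + detected
```

Independently of this check, the /uploads/ directory should be served with script execution and directory listing disabled, so that a file that slips through is delivered as static content instead of being run.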
PRIVILEGE ESCALATION NO.1
Typical kernel-based exploitation.
(Download the pre-compiled executable for 32-bits)
PRIVILEGE ESCALATION NO.2
Local Root Race Condition exploit,
PRIVILEGE ESCALATION NO.3
I made sure to revert the target each time I tried a new privilege escalation exploit 🙂
Ending off with the flag,