Walkthrough for the Exploit Vulnerabilities/CMNatic Bookstore from TryHackMe

The Exploit Vulnerabilities/CMNatic Bookstore is the second room in a series of three written by cmnatic (https://tryhackme.com/p/cmnatic) to teach people about software vulnerabilities. The first four tasks are theory questions, but the last task involves some manual exploitation of a vulnerable machine.

The room is available at https://tryhackme.com/room/exploitingavulnerabilityv2

Question 1: Start the machine

Question 2: Would you use an automated scanner? (Yay/Nay)

Question 2 Answer: Hint – Which is faster

Question 3: What vulnerability is this?

Question 3 Answer: Hint – You would need to input harmful code.

Question 4: You manage to impersonate another user. What vulnerability is this?

Question 4 Answer: Hint – Look at the table of different vulnerabilities.

Question 5: What website would you use as a security researcher if you wanted to upload a Proof of Concept?

Question 5 Answer: Hint – Very popular code hosting site owned by Microsoft

Question 6: You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?

Question 6 Answer: Hint – offline tool installed on Kali Linux

Question 7: What type of vulnerability was used in this attack?

Question 7 Answer: Hint – Acronym is RCE

Question 8: Find out the version of the application that is running. What are the name and version number of the application?

Question 8 Answer: Hint – Look at the bottom right-hand side of the page

Question 9: Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory?

This is where the theory stops and the practical begins.

Run the following command:

searchsploit Online Book Store

Or you can use Exploit Database (https://www.exploit-db.com) and search for Online Book Store. There are several results, but the Unauthenticated Remote Code Execution exploit is the one to use.

Download or copy the Python file to your home directory, then run the following command:

python3 47887.py http://x.x.x.x/ 

Change x.x.x.x to the IP address of the machine, and keep the http:// prefix: the script builds its request URLs from this argument, so passing a bare IP address makes it fail before anything is sent.

Answer y when the script asks "Do you wish to launch a shell here?"

The exploit will launch a shell.

Change directory to /var/www/html/bootstrap/img

Then look for flag.txt and view it. Paste its contents into the last question and you are done.
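From the defender's side, the same two artefacts the walkthrough relies on (the exploit's POST to admin_add.php, visible in the traceback in the comment below, and a PHP file appearing under the web root's bootstrap/img directory) are exactly what to hunt for in the web server's access log. The following is an added example and not part of the room or this post; it assumes the combined log format, and the log lines and the shell filename are constructed sample data.

```python
import re

# Constructed sample access-log lines (combined log format); not taken from the room.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2021:10:01:09 +0000] "POST /admin_add.php HTTP/1.1" 200 311 "-" "python-requests/2.25.1"
10.10.14.5 - - [12/Mar/2021:10:01:10 +0000] "GET /bootstrap/img/shell.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
10.10.14.9 - - [12/Mar/2021:10:02:00 +0000] "GET /bootstrap/img/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Mar/2021:10:02:05 +0000] "GET /admin_add.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, timestamp, request, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Web-root-relative directory the walkthrough shows the uploaded file landing in.
UPLOAD_DIR = "/bootstrap/img/"


def find_indicators(log_text):
    """Return (rule, client_ip, request_path) tuples for every line matching a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        # Rule 1: a successful POST to the add-book handler. The exploit used in the
        # room is unauthenticated, so every such POST deserves review, not only ones
        # from unknown clients.
        if rec["method"] == "POST" and path == "/admin_add.php" and rec["status"] == "200":
            findings.append(("post_to_admin_add", rec["ip"], rec["path"]))
        # Rule 2: a PHP file served from the image directory, which should only ever
        # hold static assets.
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            findings.append(("php_in_image_dir", rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for rule, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{rule}: {ip} requested {path}")
```

The plain GET of admin_add.php from the second client is deliberately left unflagged so the rule stays focused on the upload itself.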

2 thoughts on "Walkthrough for the Exploit Vulnerabilities/CMNatic Bookstore from TryHackMe"

  1. Hello, I tried that but I got this error and I can't solve the room. Can you help me please?

    python 47887.py 10.10.51.246
    > Attempting to upload PHP web shell...
    Traceback (most recent call last):
    File "47887.py", line 28, in <module>
    r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
    File "/usr/lib/python3/dist-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 506, in request
    prep = self.prepare_request(req)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 449, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
    File "/usr/lib/python3/dist-packages/requests/models.py", line 305, in prepare
    self.prepare_url(url, params)
    File "/usr/lib/python3/dist-packages/requests/models.py", line 379, in prepare_url
    raise MissingSchema(error)
    requests.exceptions.MissingSchema: Invalid URL '10.10.51.246/admin_add.php': No schema supplied. Perhaps you meant http://10.10.51.246/admin_add.php?
