This challenge provides an opportunity to find and research vulnerabilities using open source intelligence. In this activity, I used Exploit-DB to research relevant exploits on a target machine and Netcat to create a reverse shell for remote code execution.
What is the name of the application running on the vulnerable machine?
The first thing I need to do is enumerate my target. Therefore, I will run a port scan on it to see what services are running. To start, I will use a Stealth SYN scan alongside a Service Detection scan to retrieve the information I want.
From this output I can see that http is running on its default port. Let’s go to the browser and see what we get using the IP address.
This appears to be a default Apache page for the Fuel CMS application running on port 80. What I’m most interested in is the header of the page that gives the name of the application (Fuel CMS) as well as the version number (1.4). I know that both pieces of this information are important for our flags, but I’m also going to use them to research vulnerabilities. I’ve got the first two flags for the price of one!
What is the version number of this application?
See the previous section for the answer to this question.
What is the CVE that allows an attacker to remotely execute code on this application?
I will now use the information from the default Fuel CMS webpage to research what vulnerabilities exist for RCE on this version of the application. I go to Firefox and start my search using NVD. From here, I use the vulnerabilities database search field to look up “Fuel CMS 1.4.”
I scroll through the extensive list of vulnerabilities provided for this search to find CVE-2018-16763 listed as an RCE vulnerability. This is exactly what I’m looking for, and it satisfies the question.
Use open source resources to find and use relevant exploits to exploit this vulnerability.
Now that I know there is an RCE vulnerability that I can use on this application, let’s go find an actual exploit I can use to attack it. I went to Exploit-DB, used “fuel cms 1.4” as search criteria, and found 3 RCE exploits that I could use in this attack. I used the download button to download each exploit to my machine, since I may use any one of them in the attack.
What is the value of the flag located on the vulnerable machine under the /home/ubuntu directory?
Now that I have my exploits downloaded, I need to figure out which one to use. I open up each of them to look at the code, and I’ve decided to try the one named “50477.py” first.
As you can see, I was having a hard time making this one work. I was at this for quite some time and eventually tried the other exploits I downloaded, each to no avail. So I went back to our trusty browser friend and began searching for more exploit options. That’s when I found one listed at this link. I downloaded the code on this page, saved it as exploit.py in my working directory, and ran it based on the menu directions provided.
From the instructions provided in the exploit, I knew I had to set up a Netcat listener for a reverse shell that I would ultimately use to execute the exploit. In another CLI window, I started the listener using the command nc -nlvp 1234 and then initiated the attack on the target. As you can see from the images below, I used my knowledge of the Linux filesystem to navigate to the /home/ubuntu directory where the flag resided, then I used cat to display its contents and retrieve the flag!
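From the defender's side, the reverse shell used above has a recognisable footprint on the victim: a shell-like process, descended from the Apache worker and running as the web server's user, holding an outbound TCP connection to the attacker's listener. The following Python check is an added example, not part of the original write-up; it runs over a constructed `ss -tnp`-style socket listing and a constructed process table (pid, user, parent, command) rather than live system output, and the host names, PIDs and addresses are invented.

```python
import re

# Constructed sample in the style of `ss -tnp` on the web server (not a real capture).
SS_SAMPLE = """\
ESTAB 0 0 10.10.1.5:80    10.9.2.7:51288 users:(("apache2",pid=1207,fd=12))
ESTAB 0 0 10.10.1.5:43122 10.9.2.7:1234  users:(("sh",pid=1432,fd=3))
ESTAB 0 0 10.10.1.5:22    10.9.2.9:50110 users:(("sshd",pid=900,fd=4))
"""

# Constructed process table, pid -> (user, parent pid, command name), as ps would report it.
PROC_TABLE = {
    900:  ("root", 1, "sshd"),
    1207: ("www-data", 1100, "apache2"),
    1432: ("www-data", 1207, "sh"),
}

WEB_WORKERS = {"apache2", "httpd", "php-fpm", "nginx"}
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "python", "python3", "perl"}

SS_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def ancestors(pid, proc_table):
    """Command names of pid's parent chain (excluding pid itself), nearest parent first."""
    chain, seen = [], set()
    while pid in proc_table and pid not in seen:
        seen.add(pid)
        _user, ppid, _comm = proc_table[pid]
        if ppid in proc_table:
            chain.append(proc_table[ppid][2])
        pid = ppid
    return chain


def find_suspicious(ss_output, proc_table=PROC_TABLE):
    """Return (pid, comm, user, peer) for shell-like sockets whose process descends from a web worker."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        _laddr, _lport, raddr, rport, comm, pid = m.groups()
        pid = int(pid)
        user = proc_table.get(pid, ("?", 0, "?"))[0]
        if comm in SHELL_LIKE and any(a in WEB_WORKERS for a in ancestors(pid, proc_table)):
            findings.append((pid, comm, user, f"{raddr}:{rport}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SS_SAMPLE):
        print("suspicious reverse-shell socket:", finding)
```

Only the `sh` socket to port 1234 is reported; the Apache worker's own client connection and the SSH session are left alone, which is the distinction an alert on this pattern needs to make.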
Closing Remarks
This challenge took me some time to figure out once I got to the exploitation phase. I was having a difficult time figuring out how to make the Exploit-DB programs run properly and get results, and eventually had to step away and re-approach the problem. After continuing my research into possible exploits, I found the one that ultimately worked. I can’t say that I found this answer on my own, as I relied on other open source articles to key me into options. However, this all goes to show that sometimes you will hit a roadblock that will trip you up. As a hacker, it is important to keep trying as many angles as possible, and to use other sources of information to help you along in your attack. Cheers!