This room is part of the Jr Pentesting path on tryhackme and can be found at this link.
Ackme Support Incorporated has recently set up a new blog. Their developer team have asked for a security audit to be performed before they create and publish articles to the public.
It is your task to perform a security audit on the blog; looking for and abusing any vulnerabilities that you find.
Since the instructions said the company is starting a blog, start with checking out the website.
Obvious answer here, it's running Fuel CMS.
This is also listed right at the top of the page
Visiting https://cve.mitre.org/cve/search_cve_list.html and then enter fuel cms.
A quick scan reveals on CVE that allows RCE with v1.4
CVE-2018-16763 FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Since this module was using searchsploit, firing that up with fuel cms
Trying this with python3 results in error. This means the exploit must be run with python2
Next up the application is expecting to in conjunction with burp, which isnt' the case here. The file needs to be modified as:
Once done save this as 47138_noburp.py in case it comes up again. Be sure to make the file executable as well (chmod +x filename)
└─$ python3 ./47138_noburp.py --url http://10.10.2.180/
At first this will look like php/html errors, but it's not. Look closely. In the code I added a bunch of ======= so it's easier to where the html starts and end.
shows we are in: /var/www/html/fuelcms
After a bunch of various commands (mainly pwd, cd, and ls) the file is located in /home/ubuntu
Once there cat <filename> will get the flag contents.
That's it. Thanks for reading and happy hacking!