Ignite
Reconnaissance
Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (-Pn)
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying port 80
(-oN nmap): Saving the output to a file called nmap
Enumeration
Let's visit the website.
It's a guide on how to use Fuel CMS. In the nmap scan we saw a hidden directory called /fuel, so let's visit that. It redirects us to this page.
It's a login page. At the moment we do not have credentials, so we cannot log in. Let's go to searchsploit and search for exploits for this version of Fuel CMS.
We can see that there are two remote code execution vulnerabilities; let's use one of them to exploit this machine. Let's copy this exploit to our directory.
Looking through the exploit, we need to change the URL to the URL of the machine we are attacking.
After changing it, I ran the exploit.
We have remote code execution, so now we can run commands on the victim machine. Let's run a reverse shell command to get a shell on the machine. We can find a reverse shell here.
Make sure to change the IP and start a netcat listener.
Before running the command, let's remove all the unnecessary code from the exploit so that we do not get errors if something that is not our concern fails.
Now let's run the exploit with the reverse shell command, and we get a shell.
Now we can read the flag.txt file.
Privilege Escalation
After looking around for a while, I went into the /var/www/html/fuel/application/config directory, as config files are always interesting. One file that looked very interesting to me was the database.php file, as I thought that I could find usernames and passwords in it.
And I did find the root password.
Now it's time to switch users to root.
And we are now root, so we can go and read the root.txt flag.
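The weakness that made this privilege escalation work is a web application config file holding a plaintext database password that is also the system root password, readable by the web server account. As an added example (not part of this writeup or of Fuel CMS), the Python script below parses a CodeIgniter/Fuel CMS-style database.php for hardcoded credentials and reports who can read the file; the sample config, its values and the helper names are constructed placeholders.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample of a CodeIgniter/Fuel CMS-style database.php; values are placeholders.
SAMPLE_DATABASE_PHP = """<?php
$db['default']['hostname'] = 'localhost';
$db['default']['username'] = 'root';
$db['default']['password'] = 'placeholder-password';
$db['default']['database'] = 'fuel_schema';
"""

# Matches lines such as: $db['default']['password'] = 'value';
CRED_RE = re.compile(r"\$db\['(\w+)'\]\['(username|password)'\]\s*=\s*'([^']*)'")


def parse_db_credentials(text):
    """Return {group: {key: value}} for the username/password entries in the config text."""
    creds = {}
    for group, key, value in CRED_RE.findall(text):
        creds.setdefault(group, {})[key] = value
    return creds


def audit_config(path):
    """Report plaintext DB credentials in a config file and whether other users can read it."""
    path = Path(path)
    world_readable = bool(path.stat().st_mode & stat.S_IROTH)
    creds = parse_db_credentials(path.read_text())
    findings = []
    for group, entry in creds.items():
        if entry.get("password"):
            findings.append(f"{group}: plaintext password for DB user '{entry.get('username', '?')}'")
        if entry.get("username") == "root":
            findings.append(f"{group}: application connects to the database as root")
    if findings and world_readable:
        findings.append("file is world-readable: any local user can read these credentials")
    # Password reuse between the DB and system accounts cannot be checked offline; rotate anyway.
    return {"path": str(path), "creds": creds, "world_readable": world_readable, "findings": findings}


def demo(mode=0o644):
    """Write the constructed sample with the given permission bits and audit it (hypothetical helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "database.php"
        path.write_text(SAMPLE_DATABASE_PHP)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(f"[!] {line}")
```

Fixing the findings means a dedicated low-privilege database user, a password that is not shared with any system account, and config files readable only by the owner and the web server group.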