We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-09 12:33 EDT Nmap scan report for 10.10.176.69 Host is up (0.19s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 1c:59:d1:07:ea:d8:d2:0d:9a:1a:95:0c:74:f2:e6:d0 (RSA) | 256 cd:a8:fc:b3:5c:0e:3e:12:76:80:d3:60:cb:1f:88:50 (ECDSA) |_ 256 91:57:e4:6e:1d:4e:48:ec:3a:1c:a3:c7:89:40:4b:64 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Fuel CTF Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 55.27 seconds
Shit here we go again lol so we have 2 open ports SSH(22) and HTTP(80) ok aheading to port 80 to see what is running.
Fuelcms cool and we have the version also 1.4.1 ok let look around the blog more so i found a credentials aslo but no luck with it.
Since we know the Fuelcms version let check if it vulnerable.
Ahhhh yea some Remote Code Execution exploit look cool let give it a try i love doing things manually why is that?? because we learn more from doing things manually that is the best way to learn.
Going through the exploit i found our the vulnerable page which can allow us to run system command with some little tweaking added.
Cool our commands works now time to get a reverse shell back to our terminal.
- we need to host the reverse shell with SimpleHTTPServer on our attacking machine
- we need to use wget to get it onto the victim machine
Now let wget it.
Now let start our ncat listener with the port we add to the reverse shell file.
Now let access the reverse shell file to get our shell back we can also confirm our file if upload on the target.
Now let get Shell.
Boom we have shell and also let spawn a TTY shell.
python3 -c 'import pty; pty.spawn ("/bin/bash")'
Going to the directory we have only one user both have no access to it.
Going through the FuelCMS folder i found the database with MYSQL login details.
mysql and i was in .
show databases; use fuelcmsdb; show tables;
Now let read fuel_users table.
SELECT * From fuel_users;
Boom we have john password in base64 now let decode it.
Decoded since we have the password now i think we have port 22 open which is SSH let log in with it.
And we are in now let check sudo.
Seems we can run vim ti get root let check gtfobins.
sudo vim -c ':!/bin/sh'
And we are root.
Greeting From Muzec