Fuel
A web server is open on port 80.
It looks like it is running Fuel CMS version 1.4.
I found an RCE exploit with searchsploit.
First, let's mirror the exploit to our machine
Edit the IP address portion in the script, as well as the proxy part; if you are going to use Burp Suite, it's fine to leave the proxy part as it is. Also make sure you're running it with Python 2 and that the requests library is installed.
When you run the script it will look like this.
Now we have an initial shell, but let's stabilize it by uploading a PHP reverse shell.
Save any PHP reverse shell in a file, but I used this shell in this walkthrough: https://github.com/ivan-sincek/php-reverse-shell
Before uploading, make sure your HTTP server is set up.
Set a netcat listener and upload your shell.
To trigger your shell, you have to go to your browser and visit /<shellname>.php
You should now have received your shell.
In the home directory of user moira, you will notice that the .bash_history is not empty.
When we open the file, you can see the password of this user.
Run su and enter the password you have found to get a root shell.
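
From the defender's side, the .bash_history finding above is something an audit can catch before anyone else reads the file. The following is an added example, not part of the original walkthrough: it flags history entries that look like credentials and prints them redacted. The patterns and the sample history are constructed assumptions; the page does not say how the password ended up in moira's history.

```python
import re

# Secrets passed as command-line arguments (illustrative patterns, not exhaustive).
ARG_PATTERNS = [
    ("mysql -p<password>", re.compile(r"\bmysql\b.*\s-p(?P<s>\S+)")),
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(?P<s>\S+)")),
    ("curl -u user:pass", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+\S+?:(?P<s>\S+)")),
    ("password piped to sudo -S", re.compile(r"\becho\s+(?P<s>\S+)\s*\|\s*sudo\s+-S\b")),
]
# Commands that prompt for a password: a lone token on the following line is
# often a password typed into the shell instead of the prompt.
PROMPTING = re.compile(r"^\s*(su|sudo|ssh|passwd)\b")
LONE_TOKEN = re.compile(r"^\S{6,}$")

# Constructed sample history (not taken from the target in the walkthrough).
SAMPLE = """ls -la
#1700000000
su root
Exampl3-Pass!
mysql -u root -pS3cret! shop
cat notes.txt
""".splitlines()

def redact(secret):
    return secret[0] + "*" * (len(secret) - 1)  # keep first char, mask the rest

def audit_history(lines):
    """Return (line number, reason, redacted text) for each suspicious entry."""
    findings, prev = [], ""
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or HISTTIMEFORMAT timestamp
            continue
        for label, pat in ARG_PATTERNS:
            m = pat.search(line)
            if m:
                secret = m.group("s")
                findings.append((lineno, label, line.replace(secret, redact(secret))))
                break
        else:  # no argument pattern matched: check for a stray typed password
            looks_random = re.search(r"\d|\W", line) is not None
            if PROMPTING.match(prev) and LONE_TOKEN.match(line) and looks_random:
                findings.append((lineno, "lone token after prompting command", redact(line)))
        prev = line
    return findings

if __name__ == "__main__":
    for finding in audit_history(SAMPLE):
        print(finding)
```

Any hit means the credential should be rotated, not just deleted from the history file.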