search

Fuel

hashtag
nmap

mkdir nmap
sudo rustscan -a 172.31.1.28 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web server on port 80 is open

And looks like it is running Fuel CMS on version 1.4

I found an RCE exploit on searchsploit

hashtag
Exploitation

First, let's mirror the exploit to our machine

Edit the IP address portion in the script, as well as the proxy part but if you will going to use burp suite, it's fine to leave it like that. And also make sure you're running it with Python 2, and requests library is installed.

When you run the script it will look like this.

Now we got an initial shell, but let's stabilize this by uploading a PHP reverse shell

hashtag
Reverse shell

Save any PHP reverse shell in a file, but I used this shell in this walkthrough: https://github.com/ivan-sincek/php-reverse-shellarrow-up-right

Before uploading make sure your HTTP server is setup

Set a netcat listener and upload your shell

To trigger your shell, you have to go to your browser and visit /<shellname>.php

And you should have received your shell

hashtag
Privilege Escalation

In the home directory of user moira, you will notice that the .bash_history is not empty.

And when we open the file, you can see the password of this user.

Run su and enter the password you have found to get a root shell

PreviousOutdatedNextPie

Last updated