Fuel
nmap
mkdir nmap
sudo rustscan -a 172.31.1.28 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
A web server on port 80 is open

It appears to be running Fuel CMS version 1.4.

I found an RCE exploit on searchsploit

Exploitation
First, let's mirror the exploit to our machine
searchsploit -m linux/webapps/47138.py
Edit the IP address portion in the script, as well as the proxy part; if you are going to use Burp Suite, it's fine to leave the proxy part as it is. Also make sure you're running it with Python 2 and that the requests library is installed.

When you run the script it will look like this.

Now we have an initial shell, but let's stabilize it by uploading a PHP reverse shell.

Reverse shell
Save any PHP reverse shell in a file; I used this one in this walkthrough: https://github.com/ivan-sincek/php-reverse-shell
Before uploading, make sure your HTTP server is set up.

Set a netcat listener and upload your shell
nc -lvnp 80

To trigger your shell, you have to go to your browser and visit /<shellname>.php

You should now have received your shell.

Privilege Escalation
In the home directory of user moira, you will notice that .bash_history is not empty.

When we open the file, we can see this user's password.
less .bash_history

Run su and enter the password you have found to get a root shell.
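
An added example, not part of the original walkthrough: a Python audit a defender could run to catch the weakness used above, a password readable in a user's shell history. The rule list, the function names and the /home layout are assumptions made for this example, and findings report only the rule and line number, never the secret.

```python
import re
import stat
from pathlib import Path

# Constructed heuristics: command shapes that leave a secret in shell history.
RULES = [
    ("password option", re.compile(r"--password[= ]\S+")),
    ("mysql -p<secret>", re.compile(r"\bmysql(?:dump)?\b.*\s-p[^\s-]\S*")),
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*\S+")),
    ("secret piped to su/sudo/passwd",
     re.compile(r"\becho\b.+\|\s*(?:sudo\s+-S|su\b|chpasswd\b|passwd\b)")),
    ("secret in variable", re.compile(r"\b\w*(?:PASS|SECRET|TOKEN)\w*=\S+", re.I)),
    ("credentials in URL", re.compile(r"\w+://[^/\s:@]+:[^/\s@]+@")),
]
# A lone token right after su / sudo -i is often a password typed at the wrong prompt.
PROMPT_CMD = re.compile(r"^\s*(?:su(?:\s+-)?(?:\s+\w+)?|sudo\s+-[is])\s*$")
LONE_TOKEN = re.compile(r"^(?=\S*[A-Za-z])(?=\S*[\d\W])\S{6,}$")


def audit_history(path):
    """Return (mode_findings, line_findings) for one shell history file."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    mode_findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        mode_findings.append(f"{path} is readable by group/other (mode {mode:03o})")
    line_findings = []
    previous = ""
    for number, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        hits = [name for name, rx in RULES if rx.search(line)]
        if PROMPT_CMD.match(previous) and LONE_TOKEN.match(line.strip()):
            hits.append("lone token after su/sudo")
        line_findings.extend((number, name) for name in hits)
        previous = line
    return mode_findings, line_findings


def audit_homes(root="/home", names=(".bash_history", ".zsh_history")):
    """Audit every history file under root that the caller is able to read."""
    report = {}
    for home in Path(root).iterdir():
        for name in names:
            candidate = home / name
            try:
                if candidate.is_file():
                    report[str(candidate)] = audit_history(candidate)
            except OSError:
                continue  # unreadable to this account: nothing to report
    return report
```

Any line finding means the credential should be rotated, not just the history file cleaned, and a mode finding is fixed by restricting the file to its owner (mode 600).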
