From our initial nmap scan we can see there are not too many options for attack.

Let's check out the website.

Okay, we've got Fuel CMS. Further down, if you read through the admin page, it gives us some default credentials to check out.

Let's also have a look at the robots.txt file. We can see the /fuel directory that's also on the admin page.

So at /fuel we have a Fuel login screen. Let's see if the default creds get us in.

Using the default creds we can access the admin panel.

After looking around I couldn't find a version number. I tried to upload a few web shells with no luck. So I went to searchsploit and found a couple of things to try. Looks like we have a Metasploit and a Python exploit we can try. I opted for the Python one over the Metasploit one.

As you can see, it's a simple Python 3 script that worked very easily, and it looks like we have some RCE.

So, this is just a basic terminal with limited capabilities. Let's see if we can get a better shell now. Let's go ahead and upload a shell to the /tmp directory where we have full capabilities.

I have a bash shell with a couple of different shells in there to see which one will stick.

Let's upload that to /tmp and make it executable in one shot.

Let's get a netcat listener going and run shell.sh. Okay, cool, it worked and we got a shell.

Let's also stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Okay, now we can navigate to the www-data home directory and grab the user flag.

So, now let's start looking for a way to root.

After a lot of digging we found some creds in /fuel/application/config/database.php.

We have the password for root so let's just try a simple su root and see what happens.


Now we can go to the root directory and grab that root flag.
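
Seen from the defender's side, the root step above worked because database.php held a plaintext password that the web server user could read. The script below is an added example, not part of the original walkthrough or of Fuel CMS: it audits a PHP database config for those conditions. The array layout, the SAMPLE contents and the function names audit_db_config and demo are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in a CodeIgniter-style layout (assumption); not the real file.
SAMPLE = """<?php
// 'password' => 'old-commented-out-value',
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'example-password',
    'database' => 'fuel_schema',
);
"""

# Matches 'username' => '...' and 'password' => '...' with either quote style.
KEY_RE = re.compile(r"""['"](username|password)['"]\s*=>\s*(['"])(.*?)\2""")

def audit_db_config(path):
    """Return a list of findings for one PHP database config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    # Drop // and # line comments so commented-out examples are not reported.
    text = re.sub(r"(?m)^[ \t]*(//|#).*$", "", text)
    values = {key: value for key, _quote, value in KEY_RE.findall(text)}
    if values.get("username") == "root":
        findings.append("application connects to the database as root")
    if values.get("password"):
        findings.append("plaintext password hardcoded in file")
    return findings

def demo():
    """Audit the constructed sample with loose, then tightened, permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "database.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_db_config(path)
        os.chmod(path, 0o640)
        tight = audit_db_config(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0640"), demo()):
        print(label, result)
```

The audit cannot tell whether the database password is also an operating system password, so that reuse has to be ruled out separately by giving the application its own database account with a unique password.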