Writeups

Ignite - An EASY box of THM

nmap scan here

Solution:

HTTP Enum and Reverse Shell:

Looking at the IP address, it was a Fuel CMS. From the nmap scan, found that there was an admin panel at /fuel, logged in with the default ID and password admin, admin. Looked into the admin panel for some time but couldn’t find anything.

Had a look on the internet about Fuel CMS and found an exploit on Exploit-DB. Used the exploit to get into the server. Got a PHP reverse shell into /assets and got back a reverse shell on the local machine.

Privilege Escalation

Tried linpeas.sh but got no interesting results. Had a look into the files that were being hosted. Checked if there’s some file named database, used find /var/www/html -type f -name 'database.*' 2>/dev/null and found a file. Got the creds of root from the file.

Tried to switch the user to root but could not do it since no tty shell was spawned. Used the following to spawn a bash shell:

python3 -c 'import pty; pty.spawn("/bin/bash");'

Finally, got the root privileges of the box.

Noticeable file in the box:

Database.php:

<?php
defined('BASEPATH') OR exit('No direct script access allowed');

$active_group = 'default';
$query_builder = TRUE;

$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'localhost',
	'username' => 'root',
	'password' => 'mememe',
	'database' => 'fuel_schema',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => (ENVIRONMENT !== 'production'),
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

// used for testing purposes
if (defined('TESTING'))
{
	@include(TESTER_PATH.'config/tester_database'.EXT);
}
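
The settings in this file are what let a web foothold become root on this box. As an added example (not part of the original writeup or of Fuel CMS), here is a small Python audit that parses a CodeIgniter-style database config and flags those settings; the function names, the constructed sample text and the list of administrative account names are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the settings shown in Database.php above.
SAMPLE = """\
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'db_debug' => (ENVIRONMENT !== 'production'),
);
"""

PAIR = re.compile(r"^\s*'(\w+)'\s*=>\s*(.+?),?\s*$", re.M)
ADMIN_USERS = {"root", "admin", "sa"}  # assumption: illustrative list only

def parse_db_config(text):
    """Map each 'key' => value line to its raw PHP value (quotes kept)."""
    return dict(PAIR.findall(text))

def literal(raw):
    """Return the string if raw is a single-quoted PHP literal, else None."""
    m = re.fullmatch(r"'((?:[^'\\]|\\.)*)'", raw or "")
    return m.group(1) if m else None

def audit(text, local_accounts=("root",)):
    """List settings that help an attacker who can read the web root."""
    s = parse_db_config(text)
    user = literal(s.get("username"))
    pw = literal(s.get("password"))
    findings = []
    if user in ADMIN_USERS:
        findings.append(f"database user '{user}' is an administrative account")
    if pw:
        findings.append("password is a plaintext literal readable by the web user")
    if pw and user in local_accounts:
        findings.append(f"'{user}' is also a local account: verify no password reuse")
    if s.get("db_debug", "FALSE").strip().upper() not in ("FALSE", "0"):
        findings.append("db_debug is not hard-disabled; SQL errors may reach visitors")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("[!]", finding)
```

A config that uses a dedicated low-privilege database user, reads the password from the environment instead of a literal, and sets db_debug to FALSE produces no findings.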

What I Learnt:

Machine Completed