Ignite
Enumerating the machine.

Next part of the enumeration:
gobuster dir -u http://10.10.200.99 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
Interesting result:
/fuel (Status: 301) [Size: 311] [--> http://10.10.200.99/fuel/]
We can log in and look for information.
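
From the defender's side, a wordlist scan like the gobuster run above stands out in the web server's access log as one client producing a burst of 404s. The following is an added example, not part of the original writeup: the log lines are constructed, the function name and thresholds are hypothetical, and matching on "gobuster" in the User-Agent assumes the tool's default string was not overridden.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (not taken from the target).
SAMPLE_LOG = """\
10.9.0.5 - - [15/Oct/2023:10:00:01 +0000] "GET /admin HTTP/1.1" 404 274 "-" "gobuster/3.6.0"
10.9.0.5 - - [15/Oct/2023:10:00:01 +0000] "GET /backup HTTP/1.1" 404 274 "-" "gobuster/3.6.0"
10.9.0.5 - - [15/Oct/2023:10:00:01 +0000] "GET /cgi-bin HTTP/1.1" 404 274 "-" "gobuster/3.6.0"
10.9.0.5 - - [15/Oct/2023:10:00:02 +0000] "GET /fuel HTTP/1.1" 301 311 "-" "gobuster/3.6.0"
10.9.0.5 - - [15/Oct/2023:10:00:02 +0000] "GET /login HTTP/1.1" 404 274 "-" "gobuster/3.6.0"
10.9.0.5 - - [15/Oct/2023:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 274 "-" "gobuster/3.6.0"
192.168.1.20 - - [15/Oct/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 1134 "-" "Mozilla/5.0"
192.168.1.20 - - [15/Oct/2023:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 274 "-" "Mozilla/5.0"
192.168.1.20 - - [15/Oct/2023:10:00:09 +0000] "GET /fuel/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Captures: client IP, request path, status code, User-Agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def find_dir_bruteforce(log_text, min_requests=5, min_404_ratio=0.8):
    """Return {client_ip: summary} for clients that look like directory scanners."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "agents": set(), "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, status, agent = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["agents"].add(agent)
        if status == "404":
            s["not_found"] += 1
        elif status[0] in "23":
            s["hits"].add((path, int(status)))  # paths the client learned exist
    findings = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        scanner_ua = any("gobuster" in a.lower() for a in s["agents"])
        noisy = s["total"] >= min_requests and ratio >= min_404_ratio
        if noisy or scanner_ua:
            findings[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2),
                            "scanner_ua": scanner_ua, "discovered": sorted(s["hits"])}
    return findings

if __name__ == "__main__":
    for ip, info in find_dir_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The "discovered" list shows which paths the scanning client learned about, which tells a responder where to look for follow-up requests.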


FUEL CMS version: 1.4
A Google search turns up a ready-made exploit for this version of FUEL CMS.

Now it's time to run our new exploit, get a shell and the first flag:


Uploading linpeas.sh from our machine.
Linpeas: https://github.com/carlospolop/PEASS-ng/releases/tag/20231015-0ad0e48c
Database found by linpeas:

In that file we can find the password for the root account.

Log in as root and get the second flag 🎉
