Skip to main content

Ignite

Fuel CMS

The Version of Fuel CMS 1.4 has a RCE Vulnerability (CVE-2018-16763).

Privilege Escalation

Used Exploit EDB-ID: 49487
We can catch the Reverse Shell Using netcat

www-data@ubuntu:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The Database located in /var/www/html/fuel/application/config/database.php exposes the ROOT Password in Plain-Text.
root:mememe

$db['default'] = array(
    'dsn'   => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    [...]
);

Using the Password found in database.php to login as ROOT

root@ubuntu:~$ id
uid=0(root) gid=0(root) groups=0(root)

Fuel CMS
Privilege Escalation