Ignite
Fuel CMS
Fuel CMS version 1.4 has an RCE vulnerability (CVE-2018-16763).
Privilege Escalation
- Used exploit EDB-ID: 49487
- We can catch the reverse shell using netcat:
www-data@ubuntu:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- The database configuration file located at /var/www/html/fuel/application/config/database.php exposes the root password in plain text: root : mememe
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    [...]
);
- Using the password found in database.php to log in as root:
root@ubuntu:~$ id
uid=0(root) gid=0(root) groups=0(root)
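The weakness that made the escalation possible, a database superuser password stored as a literal in database.php, can be caught with a configuration audit. The following is an added example, not part of the original write-up or of Fuel CMS; the finding labels, the `fuel_app` account and the `FUEL_DB_PASSWORD` variable are hypothetical, and both sample configs are constructed.

```python
import re
import stat

# Constructed sample mirroring the database.php excerpt shown above.
SAMPLE_CONFIG = """
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
);
"""

# Constructed hardened variant: dedicated account, secret read from the
# environment (fuel_app and FUEL_DB_PASSWORD are hypothetical names).
HARDENED_CONFIG = """
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'fuel_app',
    'password' => getenv('FUEL_DB_PASSWORD'),
);
"""

# Matches 'key' => 'value' pairs whose value is a quoted string literal.
# Values produced by a function call such as getenv() do not match.
PAIR_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*(['"])(.*?)\2""")

def parse_db_settings(php_source):
    """Return the literal string settings found in a $db array."""
    return {key: value for key, _quote, value in PAIR_RE.findall(php_source)}

def audit_db_config(php_source, file_mode=None):
    """Return a list of findings for one database.php file."""
    settings = parse_db_settings(php_source)
    findings = []
    if settings.get("password"):
        findings.append("hardcoded-password")
    if settings.get("username", "").lower() == "root":
        findings.append("db-superuser-account")
    # file_mode is the st_mode from os.stat(); flag files readable by "other".
    if file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("world-readable-file")
    return findings

if __name__ == "__main__":
    print("sample:  ", audit_db_config(SAMPLE_CONFIG, 0o644))
    print("hardened:", audit_db_config(HARDENED_CONFIG, 0o640))
```

The audit only inspects the file; the reuse of the database password for the system root account, which is what turned the disclosure into a root login here, has to be addressed separately with distinct credentials per account.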